openapi: 3.0.3
info:
  contact:
    name: Kibana Team
  description: |
    The Kibana REST APIs for Elastic serverless enable you to manage resources
    such as connectors, data views, and saved objects. The API calls are
    stateless. Each request that you make happens in isolation from other calls
    and must include all of the necessary information for Kibana to fulfill the
    request. API requests return JSON output, which is a format that is
    machine-readable and works well for automation.

    To interact with Kibana APIs, use the following operations:

    - GET: Fetches the information.
    - POST: Adds new information.
    - PUT: Updates the existing information.
    - DELETE: Removes the information.

    You can prepend any Kibana API endpoint with `kbn:` and run the request in
    **Dev Tools → Console**. For example:

    ```
    GET kbn:/api/data_views
    ```

    ## Documentation source and versions

    This documentation is derived from the `main` branch of the [kibana](https://github.com/elastic/kibana) repository.
    It is provided under license [Attribution-NonCommercial-NoDerivatives 4.0 International](https://creativecommons.org/licenses/by-nc-nd/4.0/).
  title: Kibana Serverless APIs
  version: ''
  x-doc-license:
    name: Attribution-NonCommercial-NoDerivatives 4.0 International
    url: https://creativecommons.org/licenses/by-nc-nd/4.0/
  x-feedbackLink:
    label: Feedback
    url: https://github.com/elastic/docs-content/issues/new?assignees=&labels=feedback%2Ccommunity&projects=&template=api-feedback.yaml&title=%5BFeedback%5D%3A+
servers:
  - url: https://{kibana_url}
    variables:
      kibana_url:
        default: <KIBANA_URL>
security:
  - apiKeyAuth: []
tags:
  - name: agent builder
    description: |
      Agent Builder is a set of AI-powered capabilities for developing and interacting with agents that work with your Elasticsearch data.
      Most users will probably want to integrate with Agent Builder using MCP or A2A, but you can also work programmatically with tools, agents, and conversations using these Kibana APIs.
    externalDocs:
      description: Agent Builder docs
      url: https://www.elastic.co/docs/solutions/search/agent-builder/programmatic-access
    x-displayName: Agent Builder
  - name: alerting
    description: |
      Alerting enables you to define rules, which detect complex conditions within your data. When a condition is met, the rule tracks it as an alert and runs the actions that are defined in the rule. Actions typically involve the use of connectors to interact with Kibana services or third-party integrations.
    externalDocs:
      description: Alerting documentation
      url: https://www.elastic.co/docs/explore-analyze/alerts-cases/alerts
    x-displayName: Alerting
  - description: |
      Adjust APM agent configuration without needing to redeploy your application.
    name: APM agent configuration
  - description: |
      Configure APM agent keys to authorize requests from APM agents to the APM Server.
    name: APM agent keys
  - description: |
      Annotate visualizations in the APM app with significant events. Annotations enable you to easily see how events are impacting the performance of your applications.
    name: APM annotations
  - description: Create APM fleet server schema.
    name: APM server schema
  - name: connectors
    description: |
      Connectors provide a central place to store connection information for services and integrations with Elastic or third-party systems. Alerting rules can use connectors to run actions when rule conditions are met.
    externalDocs:
      description: Connector documentation
      url: https://www.elastic.co/docs/reference/kibana/connectors-kibana
    x-displayName: Connectors
  - name: Data streams
    description: |
      Data stream APIs enable you to manage data streams, which are collections of indices that share the same index template and are managed as a single unit for time-series data.
    x-displayName: Data streams
  - description: Data view APIs enable you to manage data views, formerly known as Kibana index patterns.
    name: data views
    x-displayName: Data views
  - name: Elastic Agent actions
    description: |
      Elastic Agent actions APIs enable you to manage actions performed on Elastic Agents, including agent reassignment, diagnostics collection, enrollment management, upgrades, and bulk operations for agent lifecycle management.
    x-displayName: Elastic Agent actions
  - name: Elastic Agent binary download sources
    description: |
      Elastic Agent binary download sources APIs enable you to manage download sources for Elastic Agent binaries, including creating, updating, and deleting custom download sources for agent binaries.
    x-displayName: Elastic Agent binary download sources
  - name: Elastic Agent policies
    description: |
      Elastic Agent policies APIs enable you to manage agent policies, including creating, updating, and deleting policies, as well as to retrieve agent policy outputs, manifests, and auto-upgrade status information.
    x-displayName: Elastic Agent policies
  - name: Elastic Agent status
    description: |
      Enables you to retrieve status information about Elastic Agents, including health summaries and operational status.
    x-displayName: Elastic Agent status
  - name: Elastic Agents
    description: |
      Elastic Agents APIs enable you to manage Elastic Agents, including retrieving agent information, managing agent lifecycle, handling file uploads, and initiating agent setup.
    x-displayName: Elastic Agents
  - name: Elastic Package Manager (EPM)
    description: |
      Elastic Package Manager (EPM) APIs enable you to manage packages and integrations, including installing, updating, and uninstalling packages, managing custom integrations, and handling package assets.
    x-displayName: Elastic Package Manager (EPM)
  - name: Fleet agentless policies
  - name: Fleet cloud connectors
    description: |
      Fleet cloud connectors APIs enable you to manage Fleet cloud connectors, including creating, updating, and deleting cloud connector configurations for Fleet integrations.
    x-displayName: Fleet cloud connectors
  - name: Fleet enrollment API keys
    description: |
      Fleet enrollment API keys APIs enable you to manage enrollment API keys for Fleet, including creating, retrieving, and revoking API keys used for agent enrollment.
    x-displayName: Fleet enrollment API keys
  - name: Fleet internals
    description: |
      Fleet internals APIs enable you to manage Fleet internal operations, including checking permissions, monitoring Fleet Server health, managing settings, and initiating Fleet setup.
    x-displayName: Fleet internals
  - name: Fleet outputs
    description: |
      Fleet outputs APIs enable you to manage Fleet outputs, including creating, updating, and deleting output configurations, generating Logstash API keys, and monitoring output health.
    x-displayName: Fleet outputs
  - name: Fleet package policies
    description: |
      Fleet package policies APIs enable you to manage Fleet package policies, including creating, updating, and deleting policies, performing bulk operations, and managing policy upgrades.
    x-displayName: Fleet package policies
  - name: Fleet proxies
    description: |
      Fleet proxies APIs enable you to manage Fleet proxies, including creating, updating, and deleting proxy configurations for Fleet agent communication.
    x-displayName: Fleet proxies
  - name: Fleet Server hosts
    description: |
      Fleet Server hosts APIs enable you to manage Fleet Server hosts, including creating, updating, and deleting Fleet Server host configurations.
    x-displayName: Fleet Server hosts
  - name: Fleet service tokens
  - name: Fleet uninstall tokens
    description: |
      Fleet uninstall tokens APIs enable you to manage Fleet uninstall tokens, including retrieving metadata and decrypted tokens for agent uninstallation.
    x-displayName: Fleet uninstall tokens
  - name: maintenance-window
    description: |
      You can schedule single or recurring maintenance windows to temporarily reduce rule notifications. For example, a maintenance window prevents false alarms during planned outages.
    externalDocs:
      description: Maintenance window documentation
      url: https://www.elastic.co/docs/explore-analyze/alerts-cases/alerts/maintenance-windows
    x-displayName: Maintenance windows
  - name: Message Signing Service
    description: |
      Enables you to rotate message signing key pairs for secure Fleet communication.
    x-displayName: Fleet Message Signing Service
  - description: |
      Enables you to synchronize machine learning saved objects.
    name: ml
    x-displayName: Machine learning
  - description: Interact with the Observability AI Assistant resources.
    externalDocs:
      description: Observability AI Assistant
      url: https://www.elastic.co/docs/solutions/observability/observability-ai-assistant
    name: observability_ai_assistant
    x-displayName: Observability AI Assistant
  - name: roles
    x-displayName: Roles
    description: Manage the roles that grant Elasticsearch and Kibana privileges.
    externalDocs:
      description: Kibana role management
      url: https://www.elastic.co/docs/deploy-manage/users-roles/serverless-custom-roles
  - name: saved objects
    x-displayName: Saved objects
    description: |
      Export or import sets of saved objects.

      To manage a specific type of saved object, use the corresponding APIs.
      For example, use:

      [Data views](../group/endpoint-data-views).
  - description: Manage and interact with Security Assistant resources.
    name: Security AI Assistant API
    x-displayName: Security AI assistant
  - description: Use the Attack discovery APIs to generate and manage Attack discoveries. Attack Discovery leverages large language models (LLMs) to analyze alerts in your environment and identify threats. Each "discovery" represents a potential attack and describes relationships among multiple alerts to tell you which users and hosts are involved, how alerts correspond to the MITRE ATT&CK matrix, and which threat actor might be responsible.
    name: Security Attack discovery API
    x-displayName: Security Attack discovery
  - description: |
      Use the detections APIs to create and manage detection rules. Detection rules search events and external alerts sent to Elastic Security and generate detection alerts from any hits. Alerts are displayed on the **Alerts** page and can be assigned and triaged, using the alert status to mark them as open, closed, or acknowledged.

      This API supports both key-based authentication and basic authentication.

      To use key-based authentication, create an API key, then specify the key in the header of your API calls.

      To use basic authentication, provide a username and password; this automatically creates an API key that matches the current user’s privileges.

      In both cases, the API key is subsequently used for authorization when the rule runs.
      > warn
      > If the API key used for authorization has different privileges than the key that created or most recently updated a rule, the rule behavior might change.

      > If the API key that created a rule is deleted, or the user that created the rule becomes inactive, the rule will stop running.

      To create and run rules, the user must meet specific requirements for the Kibana space. Refer to the [Detections requirements](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html) for a complete list of requirements.
    name: Security Detections API
    x-displayName: Security detections
  - description: Endpoint Exceptions API allows you to manage detection rule endpoint exceptions to prevent a rule from generating an alert from incoming events even when the rule's other criteria are met.
    name: Security Endpoint Exceptions API
    x-displayName: Security Elastic Endpoint exceptions
  - description: Interact with and manage endpoints running the Elastic Defend integration.
    name: Security Endpoint Management API
    x-displayName: Security endpoint management
  - description: |
      Use the Security entity analytics APIs to manage entity analytics and risk scoring, including asset criticality, privileged user monitoring, and entity engines.
    name: Security Entity Analytics API
    x-displayName: Security entity analytics
  - name: Security entity store
  - description: |
      Exceptions are associated with detection and endpoint rules, and are used to prevent a rule from generating an alert from incoming events, even when the rule's other criteria are met. They can help reduce the number of false positives and prevent trusted processes and network activity from generating unnecessary alerts.

      Exceptions are made up of:

      * **Exception containers**: A container for related exceptions. Generally, a single exception container contains all the exception items relevant for a subset of rules. For example, a container can be used to group together network-related exceptions that are relevant for a large number of network rules. The container can then be associated with all the relevant rules.
      * **Exception items**: The query (fields, values, and logic) used to prevent rules from generating alerts. When an exception item's query evaluates to `true`, the rule does not generate an alert.

      For detection rules, you can also use lists to define rule exceptions. A list holds multiple values of the same Elasticsearch data type, such as IP addresses. These values are used to determine when an exception prevents an alert from being generated.
      > info
      > You cannot use lists with endpoint rule exceptions.

      > info
      > Only exception containers can be associated with rules. You cannot directly associate an exception item or a list container with a rule. To use list exceptions, create an exception item that references the relevant list container.

      ## Exceptions requirements

      Before you can start working with exceptions that use value lists, you must create the `.lists` and `.items` data streams for the relevant Kibana space. To do this, use the [Create list data streams](../operation/operation-createlistindex) endpoint. Once these data streams are created, your role needs privileges to manage rules. For a complete list of requirements, refer to [Enable and access detections](https://www.elastic.co/guide/en/serverless/current/security-detections-requirements.html#enable-detections-ui).
    name: Security Exceptions API
    x-displayName: Security exceptions
  - description: |
      Lists can be used with detection rule exceptions to define values that prevent a rule from generating alerts.

      Lists are made up of:

      * **List containers**: A container for values of the same Elasticsearch data type. The following data types can be used:
          * `boolean`
          * `byte`
          * `date`
          * `date_nanos`
          * `date_range`
          * `double`
          * `double_range`
          * `float`
          * `float_range`
          * `half_float`
          * `integer`
          * `integer_range`
          * `ip`
          * `ip_range`
          * `keyword`
          * `long`
          * `long_range`
          * `short`
          * `text`
      * **List items**: The values used to determine whether the exception prevents an alert from being generated.

      All list items in the same list container must be of the same data type, and each item defines a single value. For example, an IP list container named `internal-ip-addresses-southport` contains five items, where each item defines one internal IP address:
      1. `192.168.1.1`
      2. `192.168.1.3`
      3. `192.168.1.18`
      4. `192.168.1.12`
      5. `192.168.1.7`

      To use these IP addresses as values for defining rule exceptions, use the Security exceptions API to [create an exception list item](../operation/operation-createexceptionlistitem) that references the `internal-ip-addresses-southport` list.
      > info
      > Lists cannot be added directly to rules, nor do they define the operators used to determine when exceptions are applied (`is in list`, `is not in list`). Use an exception item to define the operator and associate it with an [exception container](../operation/operation-createexceptionlist). You can then add the exception container to a rule's `exceptions_list` object.

      ## Lists requirements

      Before you can start using lists, you must create the `.lists` and `.items` data streams for the relevant Kibana space. To do this, use the [Create list data streams](../operation/operation-createlistindex) endpoint. Once these data streams are created, your role needs privileges to manage rules. Refer to [Enable and access detections](https://www.elastic.co/guide/en/serverless/current/security-detections-requirements.html#enable-detections-ui) for a complete list of requirements.
    name: Security Lists API
    x-displayName: Security lists
  - description: Run live queries, manage packs and saved queries.
    name: Security Osquery API
    x-displayName: Security Osquery
  - description: You can create Timelines and Timeline templates via the API, as well as import new Timelines from an ndjson file.
    name: Security Timeline API
    x-displayName: Security timeline
  - description: SLO APIs enable you to define, manage, and track service-level objectives.
    name: slo
    x-displayName: Service level objectives
  - name: spaces
    x-displayName: Spaces
    description: Manage your Kibana spaces.
    externalDocs:
      url: https://www.elastic.co/docs/deploy-manage/manage-spaces
      description: Space overview
  - name: streams
    description: |
      Streams provide a unified data management layer for ingestion, routing, and processing. There are three stream types:
      * **Wired** streams are managed by Kibana. They route documents to child streams based on
        field conditions and support custom field mappings and processing steps.

      * **Classic** streams map to existing Elasticsearch data streams. You can add processing
        steps to classic streams without changing their underlying index template.

      * **Query** streams are virtual aggregations backed by an ES|QL expression. They aggregate
        data from multiple streams into a single logical view without duplicating documents.
    x-displayName: Streams
    externalDocs:
      description: Streams documentation
      url: https://www.elastic.co/docs/solutions/observability/streams
  - name: system
    x-displayName: System
    description: |
      Get information about the system status, resource usage, features, and installed plugins.
  - description: Task manager APIs enable you to check the health of the Kibana task manager, which is used by features such as alerting, actions, and reporting to run mission-critical work as persistent background tasks.
    externalDocs:
      description: Task manager
      url: https://www.elastic.co/docs/deploy-manage/distributed-architecture/kibana-tasks-management
    name: task manager
    x-displayName: Task manager
  - name: workflows
    description: |
      Workflows enable you to automate multi-step processes directly in Kibana. Define sequences of steps in YAML to transform data insights into automated actions and outcomes, without needing external automation tools.

      Use the workflows APIs to create, manage, and run workflows programmatically. You can also search, export, import, and monitor workflow executions.
    externalDocs:
      description: Workflows documentation
      url: https://www.elastic.co/docs/explore-analyze/workflows
    x-displayName: Workflows
paths:
  /api/actions/connector_types:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/actions/connector_types</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        You do not need any Kibana feature privileges to run this API.
      operationId: get-actions-connector-types
      parameters:
        - description: A filter to limit the retrieved connector types to those that support a specific feature (such as alerting or cases).
          in: query
          name: feature_id
          required: false
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              schema:
                items:
                  additionalProperties: false
                  type: object
                  properties:
                    allow_multiple_system_actions:
                      description: Indicates whether multiple instances of the same system action connector can be used in a single rule.
                      type: boolean
                    enabled:
                      description: Indicates whether the connector is enabled.
                      type: boolean
                    enabled_in_config:
                      description: Indicates whether the connector is enabled in the Kibana configuration.
                      type: boolean
                    enabled_in_license:
                      description: Indicates whether the connector is enabled through the license.
                      type: boolean
                    id:
                      description: The identifier for the connector.
                      type: string
                    is_deprecated:
                      description: Indicates whether the connector type is deprecated.
                      type: boolean
                    is_system_action_type:
                      description: Indicates whether the action is a system action.
                      type: boolean
                    minimum_license_required:
                      description: The minimum license required to enable the connector.
                      enum:
                        - basic
                        - standard
                        - gold
                        - platinum
                        - enterprise
                        - trial
                      type: string
                    name:
                      description: The name of the connector type.
                      type: string
                    source:
                      description: The source of the connector type definition.
                      enum:
                        - yml
                        - spec
                        - stack
                      type: string
                    sub_feature:
                      description: Indicates the sub-feature type the connector is grouped under.
                      enum:
                        - endpointSecurity
                      type: string
                    supported_feature_ids:
                      description: The list of supported features.
                      items:
                        type: string
                      type: array
                  required:
                    - id
                    - name
                    - enabled
                    - enabled_in_config
                    - enabled_in_license
                    - minimum_license_required
                    - supported_feature_ids
                    - is_system_action_type
                    - is_deprecated
                    - source
                type: array
              examples:
                getConnectorTypesServerlessResponse:
                  $ref: '#/components/examples/get_connector_types_generativeai_response'
          description: Indicates a successful call.
        '403':
          description: Indicates that this call is forbidden.
      summary: Get connector types
      tags:
        - connectors
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/actions/connector/_oauth_callback:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/actions/connector/_oauth_callback</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Handles the OAuth 2.0 authorization code callback from external providers. Exchanges the authorization code for access and refresh tokens.<br/><br/>[Required authorization] Route required privileges: actions:oauth.
      operationId: get-actions-connector-oauth-callback
      parameters:
        - description: The authorization code returned by the OAuth provider.
          in: query
          name: code
          required: false
          schema:
            type: string
        - description: The state parameter for CSRF protection.
          in: query
          name: state
          required: false
          schema:
            type: string
        - description: Error code if the authorization failed.
          in: query
          name: error
          required: false
          schema:
            type: string
        - description: Human-readable error description.
          in: query
          name: error_description
          required: false
          schema:
            type: string
        - description: Session state from the OAuth provider (e.g., Microsoft).
          in: query
          name: session_state
          required: false
          schema:
            type: string
      responses:
        '200':
          description: Returns an HTML callback page.
        '302':
          description: Redirects to the return URL with authorization result query parameters.
        '401':
          description: User is not authenticated.
      summary: Handle OAuth callback
      tags:
        - connectors
      x-state: ''
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/actions/connector/_oauth_callback_script:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/actions/connector/_oauth_callback_script</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Returns the OAuth callback script.
      operationId: get-actions-connector-oauth-callback-script
      parameters: []
      responses:
        '200':
          description: Returns the OAuth callback script.
      summary: ''
      tags: []
      x-state: ''
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/actions/connector/{id}:
    delete:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/actions/connector/{id}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        WARNING: When you delete a connector, it cannot be recovered.
      operationId: delete-actions-connector-id
      parameters:
        - description: A required header to protect against CSRF attacks.
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: An identifier for the connector.
          in: path
          name: id
          required: true
          schema:
            type: string
      responses:
        '204':
          description: Indicates a successful call.
        '403':
          description: Indicates that this call is forbidden.
      summary: Delete a connector
      tags:
        - connectors
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    get:
      operationId: get-actions-connector-id
      parameters:
        - description: An identifier for the connector.
          in: path
          name: id
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              schema:
                additionalProperties: false
                type: object
                properties:
                  auth_mode:
                    description: The authentication mode used for the connector.
                    enum:
                      - shared
                      - per-user
                    type: string
                  config:
                    additionalProperties:
                      nullable: true
                    type: object
                  connector_type_id:
                    description: The connector type identifier.
                    type: string
                  id:
                    description: The identifier for the connector.
                    type: string
                  is_connector_type_deprecated:
                    description: Indicates whether the connector type is deprecated.
                    type: boolean
                  is_deprecated:
                    description: Indicates whether the connector is deprecated.
                    type: boolean
                  is_missing_secrets:
                    description: Indicates whether the connector is missing secrets.
                    type: boolean
                  is_preconfigured:
                    description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response.'
                    type: boolean
                  is_system_action:
                    description: Indicates whether the connector is used for system actions.
                    type: boolean
                  name:
                    description: 'The name of the connector.'
                    type: string
                required:
                  - id
                  - name
                  - connector_type_id
                  - is_preconfigured
                  - is_deprecated
                  - is_system_action
                  - is_connector_type_deprecated
              examples:
                getConnectorResponse:
                  $ref: '#/components/examples/get_connector_response'
          description: Indicates a successful call.
        '403':
          description: Indicates that this call is forbidden.
      summary: Get connector information
      tags:
        - connectors
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/actions/connector/{id}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
    post:
      operationId: post-actions-connector-id
      parameters:
        - description: A required header to protect against CSRF attacks.
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: An identifier for the connector.
          in: path
          name: id
          required: true
          schema:
            maxLength: 36
            minLength: 1
            type: string
      requestBody:
        content:
          application/json:
            schema:
              additionalProperties: false
              type: object
              properties:
                connector_type_id:
                  description: The type of connector.
                  type: string
                name:
                  description: The display name for the connector.
                  type: string
                config:
                  additionalProperties: {}
                  default: {}
                  description: The connector configuration details.
                  oneOf:
                    - $ref: '#/components/schemas/bedrock_config'
                    - $ref: '#/components/schemas/crowdstrike_config'
                    - $ref: '#/components/schemas/d3security_config'
                    - $ref: '#/components/schemas/email_config'
                    - $ref: '#/components/schemas/gemini_config'
                    - $ref: '#/components/schemas/resilient_config'
                    - $ref: '#/components/schemas/index_config'
                    - $ref: '#/components/schemas/jira_config'
                    - $ref: '#/components/schemas/genai_azure_config'
                    - $ref: '#/components/schemas/genai_openai_config'
                    - $ref: '#/components/schemas/genai_openai_other_config'
                    - $ref: '#/components/schemas/opsgenie_config'
                    - $ref: '#/components/schemas/pagerduty_config'
                    - $ref: '#/components/schemas/sentinelone_config'
                    - $ref: '#/components/schemas/servicenow_config'
                    - $ref: '#/components/schemas/servicenow_itom_config'
                    - $ref: '#/components/schemas/slack_api_config'
                    - $ref: '#/components/schemas/swimlane_config'
                    - $ref: '#/components/schemas/thehive_config'
                    - $ref: '#/components/schemas/tines_config'
                    - $ref: '#/components/schemas/torq_config'
                    - $ref: '#/components/schemas/webhook_config'
                    - $ref: '#/components/schemas/cases_webhook_config'
                    - $ref: '#/components/schemas/xmatters_config'
                secrets:
                  additionalProperties: {}
                  default: {}
                  oneOf:
                    - $ref: '#/components/schemas/bedrock_secrets'
                    - $ref: '#/components/schemas/crowdstrike_secrets'
                    - $ref: '#/components/schemas/d3security_secrets'
                    - $ref: '#/components/schemas/email_secrets'
                    - $ref: '#/components/schemas/gemini_secrets'
                    - $ref: '#/components/schemas/resilient_secrets'
                    - $ref: '#/components/schemas/jira_secrets'
                    - $ref: '#/components/schemas/defender_secrets'
                    - $ref: '#/components/schemas/teams_secrets'
                    - $ref: '#/components/schemas/genai_secrets'
                    - $ref: '#/components/schemas/opsgenie_secrets'
                    - $ref: '#/components/schemas/pagerduty_secrets'
                    - $ref: '#/components/schemas/sentinelone_secrets'
                    - $ref: '#/components/schemas/servicenow_secrets'
                    - $ref: '#/components/schemas/slack_api_secrets'
                    - $ref: '#/components/schemas/swimlane_secrets'
                    - $ref: '#/components/schemas/thehive_secrets'
                    - $ref: '#/components/schemas/tines_secrets'
                    - $ref: '#/components/schemas/torq_secrets'
                    - $ref: '#/components/schemas/webhook_secrets'
                    - $ref: '#/components/schemas/cases_webhook_secrets'
                    - $ref: '#/components/schemas/xmatters_secrets'
              required:
                - name
                - connector_type_id
            examples:
              createEmailConnectorRequest:
                $ref: '#/components/examples/create_email_connector_request'
              createIndexConnectorRequest:
                $ref: '#/components/examples/create_index_connector_request'
              createWebhookConnectorRequest:
                $ref: '#/components/examples/create_webhook_connector_request'
              createXmattersConnectorRequest:
                $ref: '#/components/examples/create_xmatters_connector_request'
      responses:
        '200':
          content:
            application/json:
              schema:
                additionalProperties: false
                type: object
                properties:
                  auth_mode:
                    description: The authentication mode used for the connector.
                    enum:
                      - shared
                      - per-user
                    type: string
                  config:
                    additionalProperties:
                      nullable: true
                    type: object
                  connector_type_id:
                    description: The connector type identifier.
                    type: string
                  id:
                    description: The identifier for the connector.
                    type: string
                  is_connector_type_deprecated:
                    description: Indicates whether the connector type is deprecated.
                    type: boolean
                  is_deprecated:
                    description: Indicates whether the connector is deprecated.
                    type: boolean
                  is_missing_secrets:
                    description: Indicates whether the connector is missing secrets.
                    type: boolean
                  is_preconfigured:
                    description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response.'
                    type: boolean
                  is_system_action:
                    description: Indicates whether the connector is used for system actions.
                    type: boolean
                  name:
                    description: 'The name of the connector.'
                    type: string
                required:
                  - id
                  - name
                  - connector_type_id
                  - is_preconfigured
                  - is_deprecated
                  - is_system_action
                  - is_connector_type_deprecated
              examples:
                createEmailConnectorResponse:
                  $ref: '#/components/examples/create_email_connector_response'
                createIndexConnectorResponse:
                  $ref: '#/components/examples/create_index_connector_response'
                createWebhookConnectorResponse:
                  $ref: '#/components/examples/create_webhook_connector_response'
                createXmattersConnectorResponse:
                  $ref: '#/components/examples/get_connector_response'
          description: Indicates a successful call.
        '403':
          description: Indicates that this call is forbidden.
      summary: Create a connector
      tags:
        - connectors
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/actions/connector/{id}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
    put:
      operationId: put-actions-connector-id
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: An identifier for the connector.
          in: path
          name: id
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            schema:
              additionalProperties: false
              type: object
              properties:
                name:
                  description: The display name for the connector.
                  type: string
                config:
                  additionalProperties: {}
                  default: {}
                  description: The connector configuration details.
                  oneOf:
                    - $ref: '#/components/schemas/bedrock_config'
                    - $ref: '#/components/schemas/crowdstrike_config'
                    - $ref: '#/components/schemas/d3security_config'
                    - $ref: '#/components/schemas/email_config'
                    - $ref: '#/components/schemas/gemini_config'
                    - $ref: '#/components/schemas/resilient_config'
                    - $ref: '#/components/schemas/index_config'
                    - $ref: '#/components/schemas/jira_config'
                    - $ref: '#/components/schemas/defender_config'
                    - $ref: '#/components/schemas/genai_azure_config'
                    - $ref: '#/components/schemas/genai_openai_config'
                    - $ref: '#/components/schemas/opsgenie_config'
                    - $ref: '#/components/schemas/pagerduty_config'
                    - $ref: '#/components/schemas/sentinelone_config'
                    - $ref: '#/components/schemas/servicenow_config'
                    - $ref: '#/components/schemas/servicenow_itom_config'
                    - $ref: '#/components/schemas/slack_api_config'
                    - $ref: '#/components/schemas/swimlane_config'
                    - $ref: '#/components/schemas/thehive_config'
                    - $ref: '#/components/schemas/tines_config'
                    - $ref: '#/components/schemas/torq_config'
                    - $ref: '#/components/schemas/webhook_config'
                    - $ref: '#/components/schemas/cases_webhook_config'
                    - $ref: '#/components/schemas/xmatters_config'
                secrets:
                  additionalProperties: {}
                  default: {}
                  oneOf:
                    - $ref: '#/components/schemas/bedrock_secrets'
                    - $ref: '#/components/schemas/crowdstrike_secrets'
                    - $ref: '#/components/schemas/d3security_secrets'
                    - $ref: '#/components/schemas/email_secrets'
                    - $ref: '#/components/schemas/gemini_secrets'
                    - $ref: '#/components/schemas/resilient_secrets'
                    - $ref: '#/components/schemas/jira_secrets'
                    - $ref: '#/components/schemas/teams_secrets'
                    - $ref: '#/components/schemas/genai_secrets'
                    - $ref: '#/components/schemas/opsgenie_secrets'
                    - $ref: '#/components/schemas/pagerduty_secrets'
                    - $ref: '#/components/schemas/sentinelone_secrets'
                    - $ref: '#/components/schemas/servicenow_secrets'
                    - $ref: '#/components/schemas/slack_api_secrets'
                    - $ref: '#/components/schemas/swimlane_secrets'
                    - $ref: '#/components/schemas/thehive_secrets'
                    - $ref: '#/components/schemas/tines_secrets'
                    - $ref: '#/components/schemas/torq_secrets'
                    - $ref: '#/components/schemas/webhook_secrets'
                    - $ref: '#/components/schemas/cases_webhook_secrets'
                    - $ref: '#/components/schemas/xmatters_secrets'
              required:
                - name
            examples:
              updateIndexConnectorRequest:
                $ref: '#/components/examples/update_index_connector_request'
      responses:
        '200':
          content:
            application/json:
              schema:
                additionalProperties: false
                type: object
                properties:
                  auth_mode:
                    description: The authentication mode used for the connector.
                    enum:
                      - shared
                      - per-user
                    type: string
                  config:
                    additionalProperties:
                      nullable: true
                    type: object
                  connector_type_id:
                    description: The connector type identifier.
                    type: string
                  id:
                    description: The identifier for the connector.
                    type: string
                  is_connector_type_deprecated:
                    description: Indicates whether the connector type is deprecated.
                    type: boolean
                  is_deprecated:
                    description: Indicates whether the connector is deprecated.
                    type: boolean
                  is_missing_secrets:
                    description: Indicates whether the connector is missing secrets.
                    type: boolean
                  is_preconfigured:
                    description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response.'
                    type: boolean
                  is_system_action:
                    description: Indicates whether the connector is used for system actions.
                    type: boolean
                  name:
                    description: 'The name of the connector.'
                    type: string
                required:
                  - id
                  - name
                  - connector_type_id
                  - is_preconfigured
                  - is_deprecated
                  - is_system_action
                  - is_connector_type_deprecated
          description: Indicates a successful call.
        '403':
          description: Indicates that this call is forbidden.
      summary: Update a connector
      tags:
        - connectors
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb put">put</span>&nbsp;<span class="operation-path">/s/{space_id}/api/actions/connector/{id}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
  /api/actions/connector/{id}/_execute:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/actions/connector/{id}/_execute</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        You can use this API to test an action that involves interaction with Kibana services or integrations with third-party systems.
      operationId: post-actions-connector-id-execute
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: An identifier for the connector.
          in: path
          name: id
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            schema:
              additionalProperties: false
              type: object
              properties:
                params:
                  additionalProperties: {}
                  oneOf:
                    - $ref: '#/components/schemas/run_acknowledge_resolve_pagerduty'
                    - $ref: '#/components/schemas/run_documents'
                    - $ref: '#/components/schemas/run_message_email'
                    - $ref: '#/components/schemas/run_message_serverlog'
                    - $ref: '#/components/schemas/run_message_slack'
                    - $ref: '#/components/schemas/run_trigger_pagerduty'
                    - $ref: '#/components/schemas/run_addevent'
                    - $ref: '#/components/schemas/run_closealert'
                    - $ref: '#/components/schemas/run_closeincident'
                    - $ref: '#/components/schemas/run_createalert'
                    - $ref: '#/components/schemas/run_fieldsbyissuetype'
                    - $ref: '#/components/schemas/run_getagentdetails'
                    - $ref: '#/components/schemas/run_getagents'
                    - $ref: '#/components/schemas/run_getchoices'
                    - $ref: '#/components/schemas/run_getfields'
                    - $ref: '#/components/schemas/run_getincident'
                    - $ref: '#/components/schemas/run_issue'
                    - $ref: '#/components/schemas/run_issues'
                    - $ref: '#/components/schemas/run_issuetypes'
                    - $ref: '#/components/schemas/run_postmessage'
                    - $ref: '#/components/schemas/run_pushtoservice'
                    - $ref: '#/components/schemas/run_validchannelid'
              required:
                - params
            examples:
              runIndexConnectorRequest:
                $ref: '#/components/examples/run_index_connector_request'
              runJiraConnectorRequest:
                $ref: '#/components/examples/run_jira_connector_request'
              runServiceNowITOMConnectorRequest:
                $ref: '#/components/examples/run_servicenow_itom_connector_request'
              runSlackConnectorRequest:
                $ref: '#/components/examples/run_slack_api_connector_request'
              runSwimlaneConnectorRequest:
                $ref: '#/components/examples/run_swimlane_connector_request'
      responses:
        '200':
          content:
            application/json:
              schema:
                additionalProperties: false
                type: object
                properties:
                  auth_mode:
                    description: The authentication mode used for the connector.
                    enum:
                      - shared
                      - per-user
                    type: string
                  config:
                    additionalProperties:
                      nullable: true
                    type: object
                  connector_type_id:
                    description: The connector type identifier.
                    type: string
                  id:
                    description: The identifier for the connector.
                    type: string
                  is_connector_type_deprecated:
                    description: Indicates whether the connector type is deprecated.
                    type: boolean
                  is_deprecated:
                    description: Indicates whether the connector is deprecated.
                    type: boolean
                  is_missing_secrets:
                    description: Indicates whether the connector is missing secrets.
                    type: boolean
                  is_preconfigured:
                    description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response.'
                    type: boolean
                  is_system_action:
                    description: Indicates whether the connector is used for system actions.
                    type: boolean
                  name:
                    description: 'The name of the connector.'
                    type: string
                required:
                  - id
                  - name
                  - connector_type_id
                  - is_preconfigured
                  - is_deprecated
                  - is_system_action
                  - is_connector_type_deprecated
              examples:
                runIndexConnectorResponse:
                  $ref: '#/components/examples/run_index_connector_response'
                runJiraConnectorResponse:
                  $ref: '#/components/examples/run_jira_connector_response'
                runServerLogConnectorResponse:
                  $ref: '#/components/examples/run_server_log_connector_response'
                runServiceNowITOMConnectorResponse:
                  $ref: '#/components/examples/run_servicenow_itom_connector_response'
                runSlackConnectorResponse:
                  $ref: '#/components/examples/run_slack_api_connector_response'
                runSwimlaneConnectorResponse:
                  $ref: '#/components/examples/run_swimlane_connector_response'
          description: Indicates a successful call.
        '403':
          description: Indicates that this call is forbidden.
      summary: Run a connector
      tags:
        - connectors
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/actions/connectors:
    get:
      operationId: get-actions-connectors
      parameters: []
      responses:
        '200':
          content:
            application/json:
              schema:
                items:
                  additionalProperties: false
                  type: object
                  properties:
                    auth_mode:
                      description: The authentication mode used for the connector.
                      enum:
                        - shared
                        - per-user
                      type: string
                    config:
                      additionalProperties:
                        nullable: true
                      type: object
                    connector_type_id:
                      description: The connector type identifier.
                      type: string
                    id:
                      description: The identifier for the connector.
                      type: string
                    is_connector_type_deprecated:
                      description: Indicates whether the connector type is deprecated.
                      type: boolean
                    is_deprecated:
                      description: Indicates whether the connector is deprecated.
                      type: boolean
                    is_missing_secrets:
                      description: Indicates whether the connector is missing secrets.
                      type: boolean
                    is_preconfigured:
                      description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response.'
                      type: boolean
                    is_system_action:
                      description: Indicates whether the connector is used for system actions.
                      type: boolean
                    name:
                      description: 'The name of the connector.'
                      type: string
                    referenced_by_count:
                      description: The number of saved objects that reference the connector. If `is_preconfigured` is true, this value is not calculated.
                      type: number
                  required:
                    - id
                    - name
                    - connector_type_id
                    - is_preconfigured
                    - is_deprecated
                    - is_system_action
                    - is_connector_type_deprecated
                    - referenced_by_count
                type: array
              examples:
                getConnectorsResponse:
                  $ref: '#/components/examples/get_connectors_response'
          description: Indicates a successful call.
        '403':
          description: Indicates that this call is forbidden.
      summary: Get all connectors
      tags:
        - connectors
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/actions/connectors</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
  /api/agent_builder/a2a/{agentId}:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/agent_builder/a2a/{agentId}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        > warn
        > This endpoint is designed for A2A protocol clients and should not be used directly via REST APIs. Use an A2A SDK or A2A Inspector instead.<br/><br/>[Required authorization] Route required privileges: agentBuilder:read.
      operationId: post-agent-builder-a2a-agentid
      parameters:
        - description: The unique identifier of the agent to send the A2A task to.
          in: path
          name: agentId
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            examples:
              a2aTaskRequestExample:
                description: 'WARNING: DO NOT USE THIS ENDPOINT VIA REST API. These examples are auto-generated and should not be run. Integrate with A2A using an A2A SDK or A2A Inspector instead.'
                value:
                  id: task-123
                  jsonrpc: '2.0'
                  method: complete
                  params:
                    messages:
                      - content: Hello from A2A protocol
                        role: user
            schema: {}
      responses:
        '200':
          content:
            application/json:
              examples:
                a2aTaskResponseExample:
                  description: Example response from A2A Task Endpoint with results of task execution
                  value:
                    id: task-123
                    jsonrpc: '2.0'
                    result:
                      conversation_id: conv-456
                      response:
                        message: Hello! How can I help you today?
                      type: response
          description: Indicates a successful response
      summary: Send A2A task
      tags:
        - agent builder
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/agent_builder/a2a/{agentId}.json:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/agent_builder/a2a/{agentId}.json</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get agent discovery metadata in JSON format. Use this endpoint to provide agent information for A2A protocol integration and discovery.<br/><br/>[Required authorization] Route required privileges: agentBuilder:read.
      operationId: get-agent-builder-a2a-agentid.json
      parameters:
        - description: The unique identifier of the agent to get A2A metadata for.
          in: path
          name: agentId
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                a2aAgentCardResponseExample:
                  description: Example response card of Elastic AI Agent
                  value:
                    capabilities:
                      pushNotifications: false
                      stateTransitionHistory: false
                      streaming: false
                    defaultInputModes:
                      - text/plain
                    defaultOutputModes:
                      - text/plain
                    description: Elastic AI Agent
                    name: Elastic AI Agent
                    protocolVersion: 0.3.0
                    provider:
                      organization: Elastic
                      url: https://elastic.co
                    securitySchemes:
                      authorization:
                        description: Authentication token
                        in: header
                        name: Authorization
                        type: apiKey
                    skills:
                      - description: A powerful tool for searching and analyzing data within your Elasticsearch cluster.
                        examples: []
                        id: platform.core.search
                        inputModes:
                          - text/plain
                          - application/json
                        name: platform.core.search
                        outputModes:
                          - text/plain
                          - application/json
                        tags:
                          - tool
                    supportsAuthenticatedExtendedCard: false
                    url: http://localhost:5601/api/agent_builder/a2a/elastic-ai-agent
                    version: 0.1.0
          description: Indicates a successful response
      summary: Get A2A agent card
      tags:
        - agent builder
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X GET "${KIBANA_URL}/api/agent_builder/a2a/{agentId}.json" \
              -H "Authorization: ApiKey ${API_KEY}"
        - lang: Console
          source: |
            GET kbn:/api/agent_builder/a2a/{agentId}.json
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/agent_builder/agents:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/agent_builder/agents</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        List all available agents. Use this endpoint to retrieve complete agent information including their current configuration and assigned tools. To learn more, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).<br/><br/>[Required authorization] Route required privileges: agentBuilder:read.
      operationId: get-agent-builder-agents
      parameters: []
      responses:
        '200':
          content:
            application/json:
              examples:
                listAgentsResponseExample:
                  description: Example response that returns one built-in Elastic agent and one created by the user
                  value:
                    results:
                      - configuration:
                          tools:
                            - tool_ids:
                                - platform.core.search
                                - platform.core.list_indices
                                - platform.core.get_index_mapping
                                - platform.core.get_document_by_id
                        description: Elastic AI Agent
                        id: elastic-ai-agent
                        name: Elastic AI Agent
                        type: chat
                      - avatar_color: '#BFDBFF'
                        avatar_symbol: SI
                        configuration:
                          instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-".
                          tools:
                            - tool_ids:
                                - platform.core.search
                                - platform.core.list_indices
                                - platform.core.get_index_mapping
                                - platform.core.get_document_by_id
                        description: Hi! I can help you search the data within the indices starting with "content-" prefix.
                        id: created-agent-id
                        labels:
                          - custom-indices
                          - department-search
                        name: Search Index Helper
                        type: chat
          description: Indicates a successful response
      summary: List agents
      tags:
        - agent builder
      x-codeSamples:
        - lang: curl
          source: |
            curl \
             -X GET "${KIBANA_URL}/api/agent_builder/agents" \
             -H "Authorization: ApiKey ${API_KEY}"
        - lang: Console
          source: |
            GET kbn:/api/agent_builder/agents
      x-state: ''
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/agent_builder/agents</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Create a new agent. Use this endpoint to define the agent's behavior, appearance, and capabilities through comprehensive configuration options. To learn more, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).<br/><br/>[Required authorization] Route required privileges: agentBuilder:manageAgents.
      operationId: post-agent-builder-agents
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            examples:
              createAgentRequestExample:
                description: Example request for creating a custom agent with a special prompt and tools
                value:
                  avatar_color: '#BFDBFF'
                  avatar_symbol: SI
                  configuration:
                    instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-".
                    tools:
                      - tool_ids:
                          - platform.core.search
                          - platform.core.list_indices
                          - platform.core.get_index_mapping
                          - platform.core.get_document_by_id
                  description: Hi! I can help you search the data within the indices starting with "content-" prefix.
                  id: created-agent-id
                  labels:
                    - custom-indices
                    - department-search
                  name: Search Index Helper
            schema:
              additionalProperties: false
              type: object
              properties:
                avatar_color:
                  description: Optional hex color code for the agent avatar.
                  type: string
                avatar_symbol:
                  description: Optional symbol/initials for the agent avatar.
                  type: string
                configuration:
                  additionalProperties: false
                  description: Configuration settings for the agent.
                  type: object
                  properties:
                    connector_ids:
                      description: Array of connector IDs to associate with the agent.
                      items:
                        description: Connector ID to associate with the agent.
                        type: string
                      maxItems: 100
                      type: array
                    enable_elastic_capabilities:
                      description: When true, enables built-in Elastic capabilities for the agent.
                      type: boolean
                    instructions:
                      description: Optional system instructions that define the agent behavior.
                      type: string
                    plugin_ids:
                      description: Array of plugin IDs to assign to the agent.
                      items:
                        description: Plugin ID to assign to the agent.
                        type: string
                      maxItems: 100
                      type: array
                    skill_ids:
                      description: Array of skill IDs to be available to the agent.
                      items:
                        description: Skill ID to be available to the agent.
                        type: string
                      maxItems: 100
                      type: array
                    tools:
                      items:
                        additionalProperties: false
                        description: Tool selection configuration for the agent.
                        type: object
                        properties:
                          tool_ids:
                            description: Array of tool IDs that the agent can use.
                            items:
                              description: Tool ID to be available to the agent.
                              type: string
                            type: array
                        required:
                          - tool_ids
                      type: array
                    workflow_ids:
                      items:
                        description: Optional list of workflow IDs. When set, these workflows run before every agent execution, in order.
                        type: string
                      maxItems: 100
                      type: array
                  required:
                    - tools
                description:
                  description: Description of what the agent does.
                  type: string
                id:
                  description: Unique identifier for the agent.
                  type: string
                labels:
                  description: Optional labels for categorizing and organizing agents.
                  items:
                    description: Label for categorizing the agent.
                    type: string
                  type: array
                name:
                  description: Display name for the agent.
                  type: string
                visibility:
                  description: '**Technical Preview; added in 9.4.0.** Optional visibility setting: `public` (any privileged user can read/write), `shared` (any privileged user can read, only owner can write), `private` (only owner can read/write).'
                  enum:
                    - public
                    - shared
                    - private
                  type: string
              required:
                - id
                - name
                - description
                - configuration
      responses:
        '200':
          content:
            application/json:
              examples:
                createAgentResponseExample:
                  description: Example response returning the definition of an agent created as a result of the request
                  value:
                    avatar_color: '#BFDBFF'
                    avatar_symbol: SI
                    configuration:
                      instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-".
                      tools:
                        - tool_ids:
                            - platform.core.search
                            - platform.core.list_indices
                            - platform.core.get_index_mapping
                            - platform.core.get_document_by_id
                    description: Hi! I can help you search the data within the indices starting with "content-" prefix.
                    id: created-agent-id
                    labels:
                      - custom-indices
                      - department-search
                    name: Search Index Helper
                    type: chat
          description: Indicates a successful response
      summary: Create an agent
      tags:
        - agent builder
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X POST "${KIBANA_URL}/api/agent_builder/agents" \
              -H "Authorization: ApiKey ${API_KEY}" \
              -H "kbn-xsrf: true" \
              -H "Content-Type: application/json" \
              -d '{
                "id": "new-agent-id",
                "name": "Search Index Helper",
                "description": "Hi! I can help you search the data within the indices starting with \"content-\" prefix.",
                "labels": ["custom-indices", "department-search"],
                "avatar_color": "#BFDBFF",
                "avatar_symbol": "SI",
                "configuration": {
                  "instructions": "You are a custom agent that wants to help searching data using all indices starting with prefix \"content-\".",
                  "tools": [
                    {
                      "tool_ids": [
                        "platform.core.search",
                        "platform.core.list_indices",
                        "platform.core.get_index_mapping",
                        "platform.core.get_document_by_id"
                      ]
                    }
                  ]
                }
              }'
        - lang: Console
          source: |
            POST kbn:/api/agent_builder/agents
            {
              "id": "new-agent-id",
              "name": "Search Index Helper",
              "description": "Hi! I can help you search the data within the indices starting with \"content-\" prefix.",
              "labels": ["custom-indices", "department-search"],
              "avatar_color": "#BFDBFF",
              "avatar_symbol": "SI",
              "configuration": {
                "instructions": "You are a custom agent that wants to help searching data using all indices starting with prefix \"content-\".",
                "tools": [
                  {
                    "tool_ids": [
                      "platform.core.search",
                      "platform.core.list_indices",
                      "platform.core.get_index_mapping",
                      "platform.core.get_document_by_id"
                    ]
                  }
                ]
              }
            }
      x-state: ''
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/agent_builder/agents/{agent_id}/consumption:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/agent_builder/agents/{agent_id}/consumption</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Returns paginated, per-conversation token consumption data for a given agent. Includes input/output token counts, round counts, LLM call counts, and warnings for conversations with high token usage. Requires the manageAgents privilege.<br/><br/>[Required authorization] Route required privileges: agentBuilder:manageAgents.
      operationId: post-agent-builder-agents-agent-id-consumption
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The unique identifier of the agent.
          in: path
          name: agent_id
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            examples:
              consumptionDefaultExample:
                description: Get consumption data for an agent with default pagination
                value:
                  size: 25
                  sort_field: updated_at
                  sort_order: desc
              consumptionFilteredExample:
                description: Get consumption data filtered by username with warnings
                value:
                  has_warnings: true
                  size: 10
                  sort_field: total_tokens
                  sort_order: desc
                  usernames:
                    - elastic
                    - admin
            schema:
              additionalProperties: false
              type: object
              properties:
                has_warnings:
                  description: Filter to conversations with or without high-token warnings.
                  type: boolean
                search:
                  description: Free-text search filter on conversation title.
                  type: string
                search_after:
                  description: Cursor for pagination. Pass the search_after value from the previous response.
                  items:
                    nullable: true
                  maxItems: 10000
                  type: array
                size:
                  default: 25
                  description: Number of results per page.
                  maximum: 100
                  minimum: 1
                  type: number
                sort_field:
                  default: updated_at
                  description: Field to sort results by.
                  enum:
                    - updated_at
                    - total_tokens
                    - round_count
                  type: string
                sort_order:
                  default: desc
                  description: Sort direction.
                  enum:
                    - asc
                    - desc
                  type: string
                usernames:
                  description: Filter results to conversations by these usernames.
                  items:
                    type: string
                  maxItems: 10000
                  type: array
      responses:
        '200':
          content:
            application/json:
              examples:
                consumptionResponseExample:
                  description: Example response with per-conversation token usage data
                  value:
                    aggregations:
                      total_with_warnings: 0
                      usernames:
                        - elastic
                        - admin
                    results:
                      - conversation_id: conv-abc123
                        created_at: '2025-03-01T10:00:00Z'
                        llm_calls: 8
                        round_count: 5
                        title: Help me search my data
                        token_usage:
                          input_tokens: 15000
                          output_tokens: 3000
                          total_tokens: 18000
                        updated_at: '2025-03-01T10:15:00Z'
                        user:
                          id: uid-1
                          username: elastic
                        warnings: []
                      - conversation_id: conv-def456
                        created_at: '2025-03-02T14:00:00Z'
                        llm_calls: 20
                        round_count: 12
                        title: Analyze server logs
                        token_usage:
                          input_tokens: 250000
                          output_tokens: 8000
                          total_tokens: 258000
                        updated_at: '2025-03-02T14:30:00Z'
                        user:
                          id: uid-2
                          username: admin
                        warnings:
                          - input_tokens: 250000
                            round_id: round-7
                            type: high_input_tokens
                    search_after:
                      - 1709391000000
                      - '2025-03-02T14:30:00Z'
                    total: 2
          description: Indicates a successful response
      summary: Get agent consumption data
      tags:
        - agent builder
      x-codeSamples:
        - lang: curl
          source: |
            curl \
             -X POST "${KIBANA_URL}/api/agent_builder/agents/elastic-ai-agent/consumption" \
             -H "Authorization: ApiKey ${API_KEY}" \
             -H "kbn-xsrf: true" \
             -H "Content-Type: application/json" \
             -H "elastic-api-version: 2023-10-31" \
             -d '{"size": 25, "sort_field": "updated_at", "sort_order": "desc"}'
        - lang: Console
          source: |
            POST kbn:/api/agent_builder/agents/elastic-ai-agent/consumption
            {"size": 25, "sort_field": "updated_at", "sort_order": "desc"}
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/agent_builder/agents/{id}:
    delete:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/agent_builder/agents/{id}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Delete an agent by ID. This action cannot be undone. To learn more, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).<br/><br/>[Required authorization] Route required privileges: agentBuilder:manageAgents.
      operationId: delete-agent-builder-agents-id
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The unique identifier of the agent to delete.
          in: path
          name: id
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                deleteAgentResponseExample:
                  description: Example response showing that deletion of the agent has been successful
                  value:
                    success: true
          description: Indicates a successful response
      summary: Delete an agent
      tags:
        - agent builder
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X DELETE "${KIBANA_URL}/api/agent_builder/agents/{id}" \
              -H "Authorization: ApiKey ${API_KEY}" \
              -H "kbn-xsrf: true"
        - lang: Console
          source: |
            DELETE kbn:/api/agent_builder/agents/{id}
      x-state: ''
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/agent_builder/agents/{id}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get a specific agent by ID. Use this endpoint to retrieve the complete agent definition including all configuration details and tool assignments. To learn more, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).<br/><br/>[Required authorization] Route required privileges: agentBuilder:read.
      operationId: get-agent-builder-agents-id
      parameters:
        - description: The unique identifier of the agent to retrieve.
          in: path
          name: id
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                getAgentByIdResponseExample:
                  description: Example response that returns an agent created by the user that queries Elasticsearch indices starting with the 'content-' prefix to answer questions.
                  value:
                    avatar_color: '#BFDBFF'
                    avatar_symbol: SI
                    configuration:
                      instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-".
                      tools:
                        - tool_ids:
                            - platform.core.search
                            - platform.core.list_indices
                            - platform.core.get_index_mapping
                            - platform.core.get_document_by_id
                    description: Hi! I can help you search the data within the indices starting with "content-" prefix.
                    id: created-agent-id
                    labels:
                      - custom-indices
                      - department-search
                    name: Search Index Helper
                    type: chat
          description: Indicates a successful response
      summary: Get an agent by ID
      tags:
        - agent builder
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X GET "${KIBANA_URL}/api/agent_builder/agents/{id}" \
              -H "Authorization: ApiKey ${API_KEY}"
        - lang: Console
          source: |
            GET kbn:/api/agent_builder/agents/{id}
      x-state: ''
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    put:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb put">put</span>&nbsp;<span class="operation-path">/s/{space_id}/api/agent_builder/agents/{id}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Update an existing agent configuration. Use this endpoint to modify any aspect of the agent's behavior, appearance, or capabilities. To learn more, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).<br/><br/>[Required authorization] Route required privileges: agentBuilder:manageAgents.
      operationId: put-agent-builder-agents-id
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The unique identifier of the agent to update.
          in: path
          name: id
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            examples:
              createAgentRequestExample:
                description: Example request for updating a custom agent
                value:
                  avatar_color: '#BFDBFF'
                  avatar_symbol: SI
                  configuration:
                    instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-".
                    tools:
                      - tool_ids:
                          - platform.core.search
                          - platform.core.list_indices
                          - platform.core.get_index_mapping
                          - platform.core.get_document_by_id
                  description: Updated description - Search for anything in "content-*" indices!
                  id: created-agent-id
                  labels:
                    - custom-indices
                    - department-search
                    - elastic-employees
                  name: Search Index Helper
            schema:
              additionalProperties: false
              type: object
              properties:
                avatar_color:
                  description: Updated hex color code for the agent avatar.
                  type: string
                avatar_symbol:
                  description: Updated symbol/initials for the agent avatar.
                  type: string
                configuration:
                  additionalProperties: false
                  description: Updated configuration settings for the agent.
                  type: object
                  properties:
                    connector_ids:
                      description: Array of connector IDs to associate with the agent.
                      items:
                        description: Connector ID to associate with the agent.
                        type: string
                      maxItems: 100
                      type: array
                    enable_elastic_capabilities:
                      description: When true, enables built-in Elastic capabilities for the agent.
                      type: boolean
                    instructions:
                      description: Updated system instructions that define the agent behavior.
                      type: string
                    plugin_ids:
                      description: Array of plugin IDs to assign to the agent.
                      items:
                        description: Plugin ID to assign to the agent.
                        type: string
                      maxItems: 100
                      type: array
                    skill_ids:
                      description: Array of skill IDs to be available to the agent.
                      items:
                        description: Skill ID to be available to the agent.
                        type: string
                      maxItems: 100
                      type: array
                    tools:
                      items:
                        additionalProperties: false
                        description: Tool selection configuration for the agent.
                        type: object
                        properties:
                          tool_ids:
                            description: Array of tool IDs that the agent can use.
                            items:
                              description: Tool ID to be available to the agent.
                              type: string
                            type: array
                        required:
                          - tool_ids
                      type: array
                    workflow_ids:
                      items:
                        description: Updated list of workflow IDs. When set, these workflows run before every agent execution, in order.
                        type: string
                      maxItems: 100
                      type: array
                description:
                  description: Updated description of what the agent does.
                  type: string
                labels:
                  description: Updated labels for categorizing and organizing agents.
                  items:
                    description: Updated label for categorizing the agent.
                    type: string
                  type: array
                name:
                  description: Updated display name for the agent.
                  type: string
                visibility:
                  description: '**Technical Preview; added in 9.4.0.** Updated visibility setting: `public` (any privileged user can read/write), `shared` (any privileged user can read, only owner can write), `private` (only owner can read/write).'
                  enum:
                    - public
                    - shared
                    - private
                  type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                updateAgentResponseExample:
                  description: Example response returning the agent definition with the changes applied from the request
                  value:
                    avatar_color: '#BFDBFF'
                    avatar_symbol: SI
                    configuration:
                      instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-".
                      tools:
                        - tool_ids:
                            - platform.core.search
                            - platform.core.list_indices
                            - platform.core.get_index_mapping
                            - platform.core.get_document_by_id
                    description: Updated description - Search for anything in "content-*" indices!
                    id: created-agent-id
                    labels:
                      - custom-indices
                      - department-search
                      - elastic-employees
                    name: Search Index Helper
                    type: chat
          description: Indicates a successful response
      summary: Update an agent
      tags:
        - agent builder
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X PUT "${KIBANA_URL}/api/agent_builder/agents/{id}" \
              -H "Authorization: ApiKey ${API_KEY}" \
              -H "kbn-xsrf: true" \
              -H "Content-Type: application/json" \
              -d '{
                "name": "Search Index Helper",
                "description": "Updated description - Search for anything in \"content-*\" indices!",
                "labels": ["custom-indices", "department-search", "elastic-employees"],
                "avatar_color": "#BFDBFF",
                "avatar_symbol": "SI",
                "configuration": {
                  "instructions": "You are a custom agent that wants to help searching data using all indices starting with prefix \"content-\".",
                  "tools": [{
                    "tool_ids": [
                      "platform.core.search",
                      "platform.core.list_indices",
                      "platform.core.get_index_mapping",
                      "platform.core.get_document_by_id"
                    ]
                  }]
                }
              }'
        - lang: Console
          source: |
            PUT kbn:/api/agent_builder/agents/{id}
            {
              "name": "Search Index Helper",
              "description": "Updated description - Search for anything in \"content-*\" indices!",
              "labels": ["custom-indices", "department-search", "elastic-employees"],
              "avatar_color": "#BFDBFF",
              "avatar_symbol": "SI",
              "configuration": {
                "instructions": "You are a custom agent that wants to help searching data using all indices starting with prefix \"content-\".",
                "tools": [{
                  "tool_ids": [
                    "platform.core.search",
                    "platform.core.list_indices",
                    "platform.core.get_index_mapping",
                    "platform.core.get_document_by_id"
                  ]
                }]
              }
            }
      x-state: ''
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/agent_builder/conversations:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/agent_builder/conversations</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        List all conversations for a user. Use the optional agent ID to filter conversations by a specific agent.<br/><br/>[Required authorization] Route required privileges: agentBuilder:read.
      operationId: get-agent-builder-conversations
      parameters:
        - description: Optional agent ID to filter conversations by a specific agent.
          in: query
          name: agent_id
          required: false
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                listConversationsResponseExample:
                  description: Example response containing the list of conversations with all agents
                  value:
                    results:
                      - agent_id: elastic-ai-agent
                        created_at: '2025-09-19T17:45:39.554Z'
                        id: bcc176c5-38f6-40be-be0c-898e34fa1480
                        title: General Greeting
                        updated_at: '2025-09-19T17:45:39.554Z'
                        user:
                          username: elastic
          description: Indicates a successful response
      summary: List conversations
      tags:
        - agent builder
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X GET "${KIBANA_URL}/api/agent_builder/conversations" \
              -H "Authorization: ApiKey ${API_KEY}"
        - lang: Console
          source: |
            GET kbn:/api/agent_builder/conversations
      x-state: ''
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/agent_builder/conversations/{conversation_id}:
    delete:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/agent_builder/conversations/{conversation_id}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Delete a conversation by ID. This action cannot be undone.<br/><br/>[Required authorization] Route required privileges: agentBuilder:read.
      operationId: delete-agent-builder-conversations-conversation-id
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The unique identifier of the conversation to delete.
          in: path
          name: conversation_id
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                deleteConversationResponseExample:
                  description: Example response showing that the conversation was deleted successfully
                  value:
                    success: true
          description: Indicates a successful response
      summary: Delete conversation by ID
      tags:
        - agent builder
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X DELETE "${KIBANA_URL}/api/agent_builder/conversations/{conversation_id}" \
              -H "Authorization: ApiKey ${API_KEY}" \
              -H "kbn-xsrf: true"
        - lang: Console
          source: |
            DELETE kbn:/api/agent_builder/conversations/{conversation_id}
      x-state: ''
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/agent_builder/conversations/{conversation_id}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get a specific conversation by ID. Use this endpoint to retrieve the complete conversation history including all messages and metadata.<br/><br/>[Required authorization] Route required privileges: agentBuilder:read.
      operationId: get-agent-builder-conversations-conversation-id
      parameters:
        - description: The unique identifier of the conversation to retrieve.
          in: path
          name: conversation_id
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                getConversationByIdResponseExample:
                  description: Example response containing the contents of a conversation with the chat agent
                  value:
                    agent_id: elastic-ai-agent
                    created_at: '2025-09-19T17:45:39.554Z'
                    id: bcc176c5-38f6-40be-be0c-898e34fa1480
                    rounds:
                      - id: 170ec3b2-0f5a-4538-8b60-549572386d2a
                        input:
                          message: Hello, how are you?
                        response:
                          message: |-
                            Since this is a general greeting that doesn't require any organizational or product-specific information, I can respond without using tools.

                            Hello! I'm doing well, thank you for asking. I'm here to help you with any questions you may have. How can I assist you today?
                        steps: []
                    title: General Greeting
                    updated_at: '2025-09-19T17:45:39.554Z'
                    user:
                      username: elastic
          description: Indicates a successful response
      summary: Get conversation by ID
      tags:
        - agent builder
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X GET "${KIBANA_URL}/api/agent_builder/conversations/{conversation_id}" \
              -H "Authorization: ApiKey ${API_KEY}"
        - lang: Console
          source: |
            GET kbn:/api/agent_builder/conversations/{conversation_id}
      x-state: ''
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/agent_builder/conversations/{conversation_id}/attachments:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        List all attachments for a conversation. Use the optional include_deleted query parameter to include soft-deleted attachments.<br/><br/>[Required authorization] Route required privileges: agentBuilder:read.
      operationId: get-agent-builder-conversations-conversation-id-attachments
      parameters:
        - description: The unique identifier of the conversation.
          in: path
          name: conversation_id
          required: true
          schema:
            type: string
        - description: Whether to include deleted attachments in the list.
          in: query
          name: include_deleted
          required: false
          schema:
            type: boolean
      responses:
        '200':
          content:
            application/json:
              examples:
                listAttachmentsResponseExample:
                  description: Example response containing active attachments for a conversation
                  value:
                    results:
                      - active: true
                        current_version: 2
                        description: My text file
                        id: attachment-1
                        type: text
                        versions:
                          - content_hash: abc123
                            created_at: '2025-01-01T10:00:00.000Z'
                            data: Initial content
                            estimated_tokens: 3
                            version: 1
                          - content_hash: def456
                            created_at: '2025-01-01T11:00:00.000Z'
                            data: Updated content
                            estimated_tokens: 3
                            version: 2
                      - active: true
                        current_version: 1
                        description: Configuration data
                        id: attachment-2
                        type: json
                        versions:
                          - content_hash: ghi789
                            created_at: '2025-01-01T12:00:00.000Z'
                            data:
                              key: value
                              nested:
                                field: 123
                            estimated_tokens: 15
                            version: 1
                    total_token_estimate: 21
          description: Indicates a successful response
      summary: List conversation attachments
      tags:
        - agent builder
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Create a new attachment for a conversation with version tracking.<br/><br/>[Required authorization] Route required privileges: agentBuilder:read.
      operationId: post-agent-builder-conversations-conversation-id-attachments
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The unique identifier of the conversation.
          in: path
          name: conversation_id
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            examples:
              createHiddenAttachmentExample:
                description: Example request for creating a hidden attachment
                value:
                  data: Internal system data
                  description: System context
                  hidden: true
                  type: text
              createJsonAttachmentExample:
                description: Example request for creating a JSON attachment with custom ID
                value:
                  data:
                    configuration:
                      enabled: true
                      threshold: 50
                    metadata:
                      source: user_input
                  description: Application settings
                  id: custom-attachment-id
                  type: json
              createTextAttachmentExample:
                description: Example request for creating a text attachment
                value:
                  data: This is the content of my text attachment
                  description: Meeting notes
                  type: text
            schema:
              additionalProperties: false
              type: object
              properties:
                data:
                  description: The attachment data/content. Required unless origin is provided.
                  nullable: true
                description:
                  description: Human-readable description of the attachment.
                  type: string
                hidden:
                  description: Whether the attachment should be hidden from the user.
                  type: boolean
                id:
                  description: Optional custom ID for the attachment.
                  type: string
                origin:
                  description: Origin string (for example, saved object ID) for by-reference attachments. When provided without data, the content is resolved once at creation time.
                  type: string
                type:
                  description: The type of the attachment (e.g., text, esql, visualization).
                  type: string
              required:
                - type
                - data
      responses:
        '200':
          content:
            application/json:
              examples:
                createAttachmentResponseExample:
                  description: Example response returning the created attachment
                  value:
                    attachment:
                      active: true
                      current_version: 1
                      description: Meeting notes
                      id: att-abc123
                      type: text
                      versions:
                        - content_hash: sha256-xyz
                          created_at: '2025-01-06T10:00:00.000Z'
                          data: This is the content of my text attachment
                          estimated_tokens: 12
                          version: 1
          description: Indicates a successful response
      summary: Create conversation attachment
      tags:
        - agent builder
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}:
    delete:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Delete an attachment. By default, this performs a soft delete (the attachment can be restored). Use permanent=true to permanently remove unreferenced attachments.<br/><br/>[Required authorization] Route required privileges: agentBuilder:read.
      operationId: delete-agent-builder-conversations-conversation-id-attachments-attachment-id
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The unique identifier of the conversation.
          in: path
          name: conversation_id
          required: true
          schema:
            type: string
        - description: The unique identifier of the attachment to delete.
          in: path
          name: attachment_id
          required: true
          schema:
            type: string
        - description: If true, permanently removes the attachment (only for unreferenced attachments).
          in: query
          name: permanent
          required: false
          schema:
            type: boolean
      responses:
        '200':
          content:
            application/json:
              examples:
                permanentDeleteAttachmentResponseExample:
                  description: Example response for permanent delete (cannot be restored)
                  value:
                    permanent: true
                    success: true
                softDeleteAttachmentResponseExample:
                  description: Example response for soft delete (can be restored)
                  value:
                    permanent: false
                    success: true
          description: Indicates a successful response
      summary: Delete conversation attachment
      tags:
        - agent builder
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    patch:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb patch">patch</span>&nbsp;<span class="operation-path">/s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Rename an attachment without creating a new version.<br/><br/>[Required authorization] Route required privileges: agentBuilder:read.
      operationId: patch-agent-builder-conversations-conversation-id-attachments-attachment-id
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The unique identifier of the conversation.
          in: path
          name: conversation_id
          required: true
          schema:
            type: string
        - description: The unique identifier of the attachment to rename.
          in: path
          name: attachment_id
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            examples:
              renameAttachmentExample:
                description: Example request for renaming an attachment
                value:
                  description: Updated attachment name
            schema:
              additionalProperties: false
              type: object
              properties:
                description:
                  description: The new description/name for the attachment.
                  type: string
              required:
                - description
      responses:
        '200':
          content:
            application/json:
              examples:
                renameAttachmentResponseExample:
                  description: Example response returning the renamed attachment (version unchanged)
                  value:
                    attachment:
                      active: true
                      current_version: 1
                      description: Updated attachment name
                      id: att-abc123
                      type: text
                      versions:
                        - content_hash: sha256-xyz
                          created_at: '2025-01-06T10:00:00.000Z'
                          data: Content remains the same
                          estimated_tokens: 10
                          version: 1
                    success: true
          description: Indicates a successful response
      summary: Rename attachment
      tags:
        - agent builder
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    put:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb put">put</span>&nbsp;<span class="operation-path">/s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Update an attachment's content. Creates a new version if the content changed.<br/><br/>[Required authorization] Route required privileges: agentBuilder:read.
      operationId: put-agent-builder-conversations-conversation-id-attachments-attachment-id
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The unique identifier of the conversation.
          in: path
          name: conversation_id
          required: true
          schema:
            type: string
        - description: The unique identifier of the attachment to update.
          in: path
          name: attachment_id
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            examples:
              updateAttachmentContentExample:
                description: Example request for updating attachment content
                value:
                  data: This is the updated content
              updateAttachmentWithDescriptionExample:
                description: Example request for updating both content and description
                value:
                  data: New content version
                  description: Updated meeting notes - v2
            schema:
              additionalProperties: false
              type: object
              properties:
                data:
                  description: The new attachment data/content.
                  nullable: true
                description:
                  description: Optional new description for the attachment.
                  type: string
              required:
                - data
      responses:
        '200':
          content:
            application/json:
              examples:
                updateAttachmentResponseExample:
                  description: Example response returning the updated attachment with new version
                  value:
                    attachment:
                      active: true
                      current_version: 2
                      description: Meeting notes
                      id: att-abc123
                      type: text
                      versions:
                        - content_hash: sha256-abc
                          created_at: '2025-01-06T10:00:00.000Z'
                          data: Original content
                          estimated_tokens: 10
                          version: 1
                        - content_hash: sha256-def
                          created_at: '2025-01-06T11:00:00.000Z'
                          data: This is the updated content
                          estimated_tokens: 12
                          version: 2
                    new_version: 2
          description: Indicates a successful response
      summary: Update conversation attachment
      tags:
        - agent builder
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}/_restore:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}/_restore</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Restore a soft-deleted attachment.<br/><br/>[Required authorization] Route required privileges: agentBuilder:read.
      operationId: post-agent-builder-conversations-conversation-id-attachments-attachment-id-restore
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The unique identifier of the conversation.
          in: path
          name: conversation_id
          required: true
          schema:
            type: string
        - description: The unique identifier of the attachment to restore.
          in: path
          name: attachment_id
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                restoreAttachmentResponseExample:
                  description: Example response returning the restored attachment
                  value:
                    attachment:
                      active: true
                      current_version: 1
                      description: Restored attachment
                      id: att-abc123
                      type: text
                      versions:
                        - content_hash: sha256-xyz
                          created_at: '2025-01-06T10:00:00.000Z'
                          data: Restored content
                          estimated_tokens: 10
                          version: 1
                    success: true
          description: Indicates a successful response
      summary: Restore deleted attachment
      tags:
        - agent builder
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}/origin:
    put:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb put">put</span>&nbsp;<span class="operation-path">/s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}/origin</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Update the origin reference for an attachment. Use this after saving a by-value attachment to link it to its persistent store.<br/><br/>[Required authorization] Route required privileges: agentBuilder:read.
      operationId: put-agent-builder-conversations-conversation-id-attachments-attachment-id-origin
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The unique identifier of the conversation.
          in: path
          name: conversation_id
          required: true
          schema:
            type: string
        - description: The unique identifier of the attachment to update.
          in: path
          name: attachment_id
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            examples:
              updateOriginExample:
                description: Example request for linking an attachment to a saved visualization
                value:
                  origin: abc123
            schema:
              additionalProperties: false
              type: object
              properties:
                origin:
                  description: The origin string (e.g., saved object ID for visualizations and dashboards).
                  type: string
              required:
                - origin
      responses:
        '200':
          content:
            application/json:
              examples:
                updateOriginResponseExample:
                  description: Example response returning the attachment with updated origin
                  value:
                    attachment:
                      active: true
                      current_version: 1
                      description: Sales chart
                      id: att-123
                      origin: abc123
                      type: visualization
                      versions:
                        - content_hash: sha256-xyz
                          created_at: '2025-01-06T10:00:00.000Z'
                          data:
                            chart_type: bar
                            esql: FROM sales | STATS count=COUNT(*) BY month
                            query: Show monthly sales
                            visualization: {}
                          estimated_tokens: 50
                          version: 1
                    success: true
          description: Indicates a successful response
      summary: Update attachment origin
      tags:
        - agent builder
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/agent_builder/conversations/{conversation_id}/attachments/stale:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/stale</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Checks staleness for the latest version of all conversation attachments against their origin snapshot.<br/><br/>[Required authorization] Route required privileges: agentBuilder:read.
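
        The triage below is an added example, not Kibana code: it sorts this operation's response into fresh, stale and unverified attachments, so that an entry carrying `error` is never read as up to date just because `is_stale` is false. The function names are hypothetical, the sample is constructed from the response example for this operation, and resyncing through the attachment `PUT` operation is an assumption.

        ```javascript
        // Constructed sample: same shape as checkStaleAttachmentsResponseExample.
        const sampleResponse = {
          attachments: [
            { id: 'att-text-meeting-notes', is_stale: false },
            { id: 'att-lens-active-users', is_stale: false },
            { id: 'att-query-attachment', is_stale: false, error: 'Origin could not be resolved' },
            {
              id: 'att-text-runbook', is_stale: true, hidden: false, type: 'text',
              origin: 'document:hr-onboarding-v2',
              data: 'This is the content of my text attachment',
            },
          ],
        };

        // Sort attachments into three buckets. An entry with `error` is reported
        // with is_stale: false, but its check did not complete, so it is kept
        // apart from the attachments that were actually confirmed fresh.
        function triageStaleness(response) {
          const items = response && Array.isArray(response.attachments) ? response.attachments : null;
          if (!items) throw new TypeError('response.attachments must be an array');
          const out = { fresh: [], stale: [], unverified: [] };
          for (const att of items) {
            if (!att || typeof att.id !== 'string' || typeof att.is_stale !== 'boolean') {
              throw new TypeError('attachment entry is missing id or is_stale');
            }
            if (typeof att.error === 'string') {
              out.unverified.push({ id: att.id, reason: att.error });
            } else if (att.is_stale) {
              out.stale.push(att);
            } else {
              out.fresh.push(att.id);
            }
          }
          return out;
        }

        // Build (without sending) the PUT request that stores the resolved data
        // as a new attachment version. Assumption: resync goes through the
        // attachment update operation, whose body accepts only data/description.
        // IDs are percent-encoded so they cannot alter the request path.
        // The caller adds the Authorization header.
        function buildResyncRequest(conversationId, att, spaceId) {
          if (!att.is_stale || att.data === undefined) {
            throw new Error('attachment ' + att.id + ' has no resolved data to resync');
          }
          const prefix = spaceId ? '/s/' + encodeURIComponent(spaceId) : '';
          return {
            method: 'PUT',
            path: prefix + '/api/agent_builder/conversations/' + encodeURIComponent(conversationId) +
              '/attachments/' + encodeURIComponent(att.id),
            headers: { 'kbn-xsrf': 'true', 'Content-Type': 'application/json' },
            body: JSON.stringify({ data: att.data }),
          };
        }
        ```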
      operationId: get-agent-builder-conversations-conversation-id-attachments-stale
      parameters:
        - description: The unique identifier of the conversation.
          in: path
          name: conversation_id
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                checkStaleAttachmentsResponseExample:
                  description: 'Mixed conversation: attachments without a stale source return only id and is_stale. When a staleness check fails for one attachment, is_stale is false and an error explains why. When an origin-backed attachment is out of date, the response includes type, origin, and resolved data (here a simple text body) for resync.'
                  value:
                    attachments:
                      - id: att-text-meeting-notes
                        is_stale: false
                      - id: att-lens-active-users
                        is_stale: false
                      - error: Origin could not be resolved
                        id: att-query-attachment
                        is_stale: false
                      - data: This is the content of my text attachment
                        hidden: false
                        id: att-text-runbook
                        is_stale: true
                        origin: document:hr-onboarding-v2
                        type: text
          description: Indicates a successful response
      summary: Check attachment staleness
      tags:
        - agent builder
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/agent_builder/converse:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/agent_builder/converse</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Send a message to an agent and receive a complete response. This synchronous endpoint waits for the agent to fully process your request before returning the final result. Use this for simple chat interactions where you need the complete response. To learn more, refer to the [agent chat documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/chat).<br/><br/>[Required authorization] Route required privileges: agentBuilder:read.
      operationId: post-agent-builder-converse
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            examples:
              converseRequestExample:
                description: Example request to send a message to the agent as a part of the conversation
                value:
                  agent_id: elastic-ai-agent
                  connector_id: my-connector-id
                  input: What is Elasticsearch?
              converseRequestInferenceExample:
                description: Example using inference_id (mutually exclusive with connector_id)
                value:
                  agent_id: elastic-ai-agent
                  inference_id: my-inference-endpoint-id
                  input: What is Elasticsearch?
            schema:
              additionalProperties: false
              type: object
              properties:
                _execution_mode:
                  description: '**Experimental; added in 9.4.0.** Defines how to execute the agent (local execution or via task_manager).'
                  enum:
                    - local
                    - task_manager
                  type: string
                action:
                  description: The action to perform. "regenerate" re-executes the last round with the original input. Requires conversation_id.
                  enum:
                    - regenerate
                  type: string
                agent_id:
                  default: elastic-ai-agent
                  description: The ID of the agent to chat with. Defaults to the default Elastic AI agent.
                  type: string
                attachments:
                  description: '**Technical Preview; added in 9.3.0.** Optional attachments to send with the message.'
                  items:
                    additionalProperties: false
                    type: object
                    properties:
                      data:
                        additionalProperties:
                          nullable: true
                        description: Payload of the attachment. Required unless `origin` is provided (content is resolved once at send time).
                        type: object
                      hidden:
                        description: When true, the attachment will not be displayed in the UI.
                        type: boolean
                      id:
                        description: Optional ID for the attachment.
                        type: string
                      origin:
                        description: Origin string (for example, saved object ID) for by-reference attachments. When provided without `data`, the content is resolved once using the attachment type’s `resolve` hook.
                        type: string
                      type:
                        description: Type of the attachment.
                        type: string
                    required:
                      - type
                  type: array
                browser_api_tools:
                  description: Optional browser API tools to be registered as LLM tools under the `browser.*` namespace. These tools execute on the client side.
                  items:
                    additionalProperties: false
                    type: object
                    properties:
                      description:
                        description: Description of what the browser API tool does.
                        type: string
                      id:
                        description: Unique identifier for the browser API tool.
                        type: string
                      schema:
                        description: JSON Schema defining the tool parameters (JsonSchema7Type).
                        nullable: true
                    required:
                      - id
                      - description
                      - schema
                  type: array
                capabilities:
                  additionalProperties: false
                  description: Controls agent capabilities during conversation. Currently supports visualization rendering for tabular tool results.
                  type: object
                  properties:
                    visualizations:
                      description: When true, allows the agent to render tabular data from tool results as interactive visualizations using custom XML elements in responses.
                      type: boolean
                configuration_overrides:
                  additionalProperties: false
                  description: Runtime configuration overrides. These override the stored agent configuration for this execution only.
                  type: object
                  properties:
                    instructions:
                      description: Custom instructions for the agent.
                      type: string
                    tools:
                      description: Tool selection to enable for this execution.
                      items:
                        additionalProperties: false
                        type: object
                        properties:
                          tool_ids:
                            items:
                              type: string
                            type: array
                        required:
                          - tool_ids
                      type: array
                connector_id:
                  description: Optional connector ID for the agent to use for model routing. Mutually exclusive with `inference_id`; omit or use only one.
                  nullable: true
                  type: string
                conversation_id:
                  description: Optional existing conversation ID to continue a previous conversation.
                  type: string
                inference_id:
                  description: Optional inference endpoint ID for model routing (public alias for the same internal identifier as `connector_id`). Mutually exclusive with `connector_id`.
                  nullable: true
                  type: string
                input:
                  description: The user input message to send to the agent.
                  type: string
                prompts:
                  additionalProperties:
                    additionalProperties: false
                    type: object
                    properties:
                      allow:
                        type: boolean
                    required:
                      - allow
                  description: Can be used to respond to a confirmation prompt.
                  type: object
      responses:
        '200':
          content:
            application/json:
              examples:
                converseResponseExample:
                  description: Example response containing the chain of events representing a conversation with the agent
                  value:
                    conversation_id: 696ccd6d-4bff-4b26-a62e-522ccf2dcd16
                    response:
                      message: Elasticsearch is a distributed, RESTful search and analytics engine capable of addressing a growing number of use cases. As the heart of the Elastic Stack, it centrally stores your data for lightning fast search, fine‑tuned relevancy, and powerful analytics that scale with ease.
                    steps:
                      - reasoning: Searching for official documentation or content that explains what Elasticsearch is
                        type: reasoning
                      - params:
                          query: what is elasticsearch definition overview introduction
                        progression:
                          - message: Selecting the best target for this query
                        results:
                          - data:
                              message: Could not figure out which index to use
                            type: error
                        tool_call_id: tooluse_shOdUwKIRwC9YhqGzeg0cQ
                        tool_id: platform.core.search
                        type: tool_call
          description: Indicates a successful response
      summary: Send chat message
      tags:
        - agent builder
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X POST "${KIBANA_URL}/api/agent_builder/converse" \
              -H "Authorization: ApiKey ${API_KEY}" \
              -H "kbn-xsrf: true" \
              -H "Content-Type: application/json" \
              -d '{
                "input": "What is Elasticsearch?",
                "agent_id": "elastic-ai-agent"}'
        - lang: Console
          source: |
            POST kbn:/api/agent_builder/converse
            {
              "input": "What is Elasticsearch?",
              "agent_id": "elastic-ai-agent"
            }
      x-state: ''
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/agent_builder/converse/async:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/agent_builder/converse/async</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Send a message to an agent and receive real-time streaming events. This asynchronous endpoint provides live updates as the agent processes your request, allowing you to see intermediate steps and progress. Use this for interactive experiences where you want to monitor the agent's thinking process.

        ## Event types

        The endpoint emits Server-Sent Events (SSE) with the following custom event types:

        `conversation_id_set`

        Sets the conversation ID.

        Schema:
        ```json
        {
          "conversation_id": "uuid"
        }
        ```

        ---

        `conversation_created`

        Fires when a new conversation is persisted and assigned an ID.

        Schema:
        ```json
        {
          "conversation_id": "uuid",
          "title": "conversation title"
        }
        ```

        ---

        `conversation_updated`

        Fires when a conversation is updated.

        Schema:
        ```json
        {
          "conversation_id": "uuid",
          "title": "updated conversation title"
        }
        ```

        ---

        `reasoning`

        Carries reasoning-related data.

        Schema:
        ```json
        {
          "reasoning": "plain text reasoning content",
          "transient": false
        }
        ```

        ---

        `tool_call`

        Triggers when a tool is invoked.

        Schema:
        ```json
        {
          "tool_call_id": "uuid",
          "tool_id": "tool_name",
          "params": {}
        }
        ```

        ---

        `tool_progress`

        Reports progress of a running tool.

        Schema:
        ```json
        {
          "tool_call_id": "uuid",
          "message": "progress message"
        }
        ```

        ---

        `tool_result`

        Returns results from a completed tool call.

        Schema:
        ```json
        {
          "tool_call_id": "uuid",
          "tool_id": "tool_name",
          "results": []
        }
        ```

        **Note:** `results` is an array of `ToolResult` objects.

        ---

        `message_chunk`

        Streams partial text chunks.

        Schema:
        ```json
        {
          "message_id": "uuid",
          "text_chunk": "partial text"
        }
        ```

        ---

        `message_complete`

        Indicates that the message stream is finished.

        Schema:
        ```json
        {
          "message_id": "uuid",
          "message_content": "full text content of the message"
        }
        ```

        ---

        `thinking_complete`

        Marks the end of the thinking/reasoning phase.

        Schema:
        ```json
        {
          "time_to_first_token": 0
        }
        ```

        **Note:** `time_to_first_token` is in milliseconds.

        ---

        `round_complete`

        Marks the end of one conversation round.

        Schema:
        ```json
        {
          "round": {}
        }
        ```

        **Note:** `round` contains the full round JSON object.

        ---

        ## Event flow

        A typical conversation round emits events in this sequence:

        1. `reasoning` (potentially multiple, some transient)
        2. `tool_call` (if tools are used)
        3. `tool_progress` (zero or more progress updates)
        4. `tool_result` (when the tool completes)
        5. `thinking_complete`
        6. `message_chunk` (multiple, as text streams)
        7. `message_complete`
        8. `round_complete`
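
        The following consumer for the event stream described above is an added example, not part of the Kibana API or its code base. It parses the SSE frames, reassembles `message_chunk` text, and records findings for events outside the documented list, for `tool_call` events whose `tool_id` is not on a caller-supplied allowlist, and for tool calls that never receive a `tool_result`. The function names, the allowlist parameter, and the sample stream are assumptions constructed for illustration; the `{"data": ...}` envelope is taken from the response example of this operation.

        ```javascript
        // Added example, not Kibana code. Event names and fields follow the "Event types"
        // list; the {"data": {...}} envelope is assumed from this operation's response example.
        const KNOWN_EVENTS = new Set([
          'conversation_id_set', 'conversation_created', 'conversation_updated',
          'reasoning', 'tool_call', 'tool_progress', 'tool_result', 'message_chunk',
          'message_complete', 'thinking_complete', 'round_complete',
        ]);

        // Split a text/event-stream body into { event, data } frames.
        // A blank line ends a frame; comment lines and unused fields are skipped.
        function parseSse(text) {
          const frames = [];
          for (const block of text.split(/\r?\n\r?\n/)) {
            let event = 'message'; // SSE default when no "event:" field is present
            const dataLines = [];
            for (const line of block.split(/\r?\n/)) {
              const m = /^(event|data): ?(.*)$/.exec(line);
              if (!m) continue;
              if (m[1] === 'event') event = m[2];
              else dataLines.push(m[2]);
            }
            if (dataLines.length > 0) frames.push({ event, data: dataLines.join('\n') });
          }
          return frames;
        }

        // Parse JSON without throwing; undefined marks a malformed payload.
        function safeJson(s) {
          try { return JSON.parse(s); } catch (err) { return undefined; }
        }

        // Consume one round. allowedTools is a hypothetical caller-supplied Set of
        // tool IDs that the client expects the agent to use.
        function consumeRound(text, allowedTools) {
          const state = { conversationId: null, message: '', findings: [], done: false };
          const toolCalls = new Map(); // tool_call_id -> { toolId, resolved }
          const chunks = new Map(); // message_id -> text accumulated so far
          for (const { event, data } of parseSse(text)) {
            if (!KNOWN_EVENTS.has(event)) {
              state.findings.push(`unknown event type: ${event}`);
              continue;
            }
            const payload = safeJson(data);
            if (payload === null || typeof payload !== 'object') {
              state.findings.push(`invalid payload in ${event}`);
              continue;
            }
            const p = payload.data ?? payload; // unwrap the assumed envelope
            switch (event) {
              case 'conversation_id_set':
                state.conversationId = p.conversation_id;
                break;
              case 'tool_call':
                if (!allowedTools.has(p.tool_id)) state.findings.push(`tool not on allowlist: ${p.tool_id}`);
                toolCalls.set(p.tool_call_id, { toolId: p.tool_id, resolved: false });
                break;
              case 'tool_progress':
              case 'tool_result': {
                const call = toolCalls.get(p.tool_call_id);
                if (!call) state.findings.push(`${event} for unknown tool_call_id ${p.tool_call_id}`);
                else if (event === 'tool_result') call.resolved = true;
                break;
              }
              case 'message_chunk':
                chunks.set(p.message_id, (chunks.get(p.message_id) || '') + p.text_chunk);
                break;
              case 'message_complete':
                if (chunks.has(p.message_id) && chunks.get(p.message_id) !== p.message_content) {
                  state.findings.push(`chunks for ${p.message_id} do not match message_complete`);
                }
                state.message = p.message_content;
                break;
              case 'round_complete':
                state.done = true;
                break;
            }
          }
          for (const [id, call] of toolCalls) {
            if (!call.resolved) state.findings.push(`tool_call ${id} has no tool_result`);
          }
          if (!state.done) state.findings.push('stream ended before round_complete');
          return state;
        }

        // Constructed sample stream (not captured from a real deployment).
        const frame = (event, payload) => `event: ${event}\ndata: ${JSON.stringify({ data: payload })}\n\n`;
        const SAMPLE_STREAM = [
          frame('conversation_id_set', { conversation_id: 'c-1' }),
          frame('tool_call', { tool_call_id: 't-1', tool_id: 'platform.core.search', params: {} }),
          frame('tool_result', { tool_call_id: 't-1', tool_id: 'platform.core.search', results: [] }),
          frame('tool_call', { tool_call_id: 't-2', tool_id: 'example.unlisted_tool', params: {} }),
          frame('message_chunk', { message_id: 'm-1', text_chunk: 'Hello' }),
          frame('message_chunk', { message_id: 'm-1', text_chunk: ' there' }),
          frame('message_complete', { message_id: 'm-1', message_content: 'Hello there' }),
          frame('round_complete', { round: {} }),
        ].join('');
        console.log(consumeRound(SAMPLE_STREAM, new Set(['platform.core.search'])).findings);
        ```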

        <br/><br/>[Required authorization] Route required privileges: agentBuilder:read.
      operationId: post-agent-builder-converse-async
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            examples:
              converseAsyncRequestExample:
                description: Example request to send a message to the agent as a part of the conversation
                value:
                  agent_id: elastic-ai-agent
                  conversation_id: c250305b-1929-4248-b568-b9e3f065fda5
                  input: Hello
              converseAsyncRequestInferenceExample:
                description: Example using inference_id (mutually exclusive with connector_id)
                value:
                  agent_id: elastic-ai-agent
                  inference_id: my-inference-endpoint-id
                  input: Hello
            schema:
              additionalProperties: false
              type: object
              properties:
                _execution_mode:
                  description: '**Experimental; added in 9.4.0.** Defines how to execute the agent (local execution or via task_manager).'
                  enum:
                    - local
                    - task_manager
                  type: string
                action:
                  description: The action to perform. "regenerate" re-executes the last round with the original input. Requires conversation_id.
                  enum:
                    - regenerate
                  type: string
                agent_id:
                  default: elastic-ai-agent
                  description: The ID of the agent to chat with. Defaults to the default Elastic AI agent.
                  type: string
                attachments:
                  description: '**Technical Preview; added in 9.3.0.** Optional attachments to send with the message.'
                  items:
                    additionalProperties: false
                    type: object
                    properties:
                      data:
                        additionalProperties:
                          nullable: true
                        description: Payload of the attachment. Required unless `origin` is provided (content is resolved once at send time).
                        type: object
                      hidden:
                        description: When true, the attachment will not be displayed in the UI.
                        type: boolean
                      id:
                        description: Optional ID for the attachment.
                        type: string
                      origin:
                        description: Origin string (for example, saved object ID) for by-reference attachments. When provided without `data`, the content is resolved once using the attachment type’s `resolve` hook.
                        type: string
                      type:
                        description: Type of the attachment.
                        type: string
                    required:
                      - type
                  type: array
                browser_api_tools:
                  description: Optional browser API tools to be registered as LLM tools under the `browser.*` namespace. These tools execute on the client side.
                  items:
                    additionalProperties: false
                    type: object
                    properties:
                      description:
                        description: Description of what the browser API tool does.
                        type: string
                      id:
                        description: Unique identifier for the browser API tool.
                        type: string
                      schema:
                        description: JSON Schema defining the tool parameters (JsonSchema7Type).
                        nullable: true
                    required:
                      - id
                      - description
                      - schema
                  type: array
                capabilities:
                  additionalProperties: false
                  description: Controls agent capabilities during conversation. Currently supports visualization rendering for tabular tool results.
                  type: object
                  properties:
                    visualizations:
                      description: When true, allows the agent to render tabular data from tool results as interactive visualizations using custom XML elements in responses.
                      type: boolean
                configuration_overrides:
                  additionalProperties: false
                  description: Runtime configuration overrides. These override the stored agent configuration for this execution only.
                  type: object
                  properties:
                    instructions:
                      description: Custom instructions for the agent.
                      type: string
                    tools:
                      description: Tool selection to enable for this execution.
                      items:
                        additionalProperties: false
                        type: object
                        properties:
                          tool_ids:
                            items:
                              type: string
                            type: array
                        required:
                          - tool_ids
                      type: array
                connector_id:
                  description: Optional connector ID for the agent to use for model routing. Mutually exclusive with `inference_id`; omit or use only one.
                  nullable: true
                  type: string
                conversation_id:
                  description: Optional existing conversation ID to continue a previous conversation.
                  type: string
                inference_id:
                  description: Optional inference endpoint ID for model routing (public alias for the same internal identifier as `connector_id`). Mutually exclusive with `connector_id`.
                  nullable: true
                  type: string
                input:
                  description: The user input message to send to the agent.
                  type: string
                prompts:
                  additionalProperties:
                    additionalProperties: false
                    type: object
                    properties:
                      allow:
                        type: boolean
                    required:
                      - allow
                  description: Can be used to respond to a confirmation prompt.
                  type: object
      responses:
        '200':
          content:
            text/event-stream:
              examples:
                converseAsyncResponseExample:
                  description: Example stream containing the chain of events representing a conversation with the agent
                  value:
                    - data:
                        data:
                          conversation_id: c250305b-1929-4248-b568-b9e3f065fda5
                      event: conversation_id_set
                    - data:
                        data:
                          reasoning: Starting with a general search to understand what content is available.
                      event: reasoning
                    - data:
                        data:
                          params:
                            query: latest documents
                          tool_call_id: tooluse__2aJELgyRYqD8SDOKSiwtg
                          tool_id: platform.core.search
                      event: tool_call
                    - data:
                        data:
                          results:
                            - data:
                                message: Could not figure out which index to use
                              type: error
                          tool_call_id: tooluse__2aJELgyRYqD8SDOKSiwtg
                      event: tool_result
                    - data:
                        data:
                          round:
                            id: a5692d54-bc06-4a6e-aea1-412779c73f66
                            input:
                              message: Hello
                            response:
                              message: Hello! How can I help you today?
                      event: round_complete
          description: Indicates a successful response
      summary: Send chat message (streaming)
      tags:
        - agent builder
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X POST "${KIBANA_URL}/api/agent_builder/converse/async" \
              -H "Authorization: ApiKey ${API_KEY}" \
              -H "kbn-xsrf: true" \
              -H "Content-Type: application/json" \
              -d '{
                "input": "Hello again let us have an async chat",
                "agent_id": "elastic-ai-agent",
                "conversation_id": "<CONVERSATION_ID>"
              }'
        - lang: Console
          source: |
            POST kbn:/api/agent_builder/converse/async
            {
              "input": "Hello again let's have an async chat",
              "agent_id": "elastic-ai-agent",
              "conversation_id": "<CONVERSATION_ID>"
            }
      x-state: ''
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/agent_builder/mcp:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/agent_builder/mcp</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        > warn
        > This endpoint is designed for MCP clients (Claude Desktop, Cursor, VS Code, etc.) and should not be used directly via REST APIs. Use MCP Inspector or native MCP clients instead.

        To learn more, refer to the [MCP documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/mcp-server).<br/><br/>[Required authorization] Route required privileges: agentBuilder:read.
      operationId: post-agent-builder-mcp
      parameters:
        - description: Comma-separated list of namespaces to filter tools. Only tools matching the specified namespaces will be returned.
          in: query
          name: namespace
          required: false
          schema:
            type: string
      requestBody:
        content:
          application/json:
            examples:
              mcpInitializeRequestExample:
                description: 'WARNING: DO NOT USE THIS ENDPOINT VIA REST API. These examples are auto-generated and should not be run. Integrate with MCP using MCP Inspector or native MCP clients (Claude Desktop, Cursor, VS Code) instead.'
                value:
                  id: 1
                  jsonrpc: '2.0'
                  method: initialize
                  params:
                    capabilities: {}
                    clientInfo:
                      name: test-client
                      version: 1.0.0
                    protocolVersion: '2024-11-05'
            schema: {}
      responses:
        '200':
          content:
            application/json:
              examples:
                mcpInitializeResponseExample:
                  description: Example response showing successful initialization of communication over the MCP protocol
                  value:
                    id: 1
                    jsonrpc: '2.0'
                    result:
                      capabilities:
                        tools:
                          listChanged: true
                      protocolVersion: '2024-11-05'
                      serverInfo:
                        name: elastic-mcp-server
                        version: 0.0.1
          description: Indicates a successful response
      summary: MCP server
      tags:
        - agent builder
      x-state: ''
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/agent_builder/plugins:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/agent_builder/plugins</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        List all installed plugins and their managed assets. Plugins are installable packages that bundle agent capabilities such as skills, following the [Claude agent plugin specification](https://code.claude.com/docs/en/plugins).<br/><br/>[Required authorization] Route required privileges: agentBuilder:read.
      operationId: get-agent-builder-plugins
      parameters: []
      responses:
        '200':
          content:
            application/json:
              examples:
                listPluginsResponseExample:
                  description: Example response that returns one installed plugin
                  value:
                    results:
                      - created_at: '2025-01-01T00:00:00.000Z'
                        description: Financial analysis tools and skills for Claude
                        id: financial-analysis
                        manifest:
                          author:
                            name: Anthropic
                            url: https://www.anthropic.com
                          keywords:
                            - finance
                            - analysis
                          repository: https://github.com/anthropics/financial-services-plugins
                        name: financial-analysis
                        skill_ids:
                          - financial-analysis-analyze-portfolio
                        source_url: https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis
                        unmanaged_assets:
                          agents: []
                          hooks: []
                          lsp_servers: []
                          mcp_servers: []
                          output_styles: []
                        updated_at: '2025-01-01T00:00:00.000Z'
                        version: 1.0.0
          description: Indicates a successful response
      summary: List plugins
      tags:
        - agent builder
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X GET "${KIBANA_URL}/api/agent_builder/plugins" \
              -H "Authorization: ApiKey ${API_KEY}"
        - lang: Console
          source: |
            GET kbn:/api/agent_builder/plugins
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/agent_builder/plugins/{pluginId}:
    delete:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/agent_builder/plugins/{pluginId}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Delete an installed plugin by ID. This action cannot be undone.<br/><br/>[Required authorization] Route required privileges: agentBuilder:write.
      operationId: delete-agent-builder-plugins-pluginid
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The unique identifier of the plugin.
          in: path
          name: pluginId
          required: true
          schema:
            type: string
        - description: If true, removes the plugin skills from agents that use them and then deletes the plugin. If false and any agent uses the plugin skills, the request returns 409 Conflict with the list of agents.
          in: query
          name: force
          required: false
          schema:
            default: false
            type: boolean
      responses:
        '200':
          content:
            application/json:
              examples:
                deletePluginResponseExample:
                  description: Example response showing that the plugin was deleted successfully
                  value:
                    success: true
          description: Indicates a successful response
      summary: Delete a plugin
      tags:
        - agent builder
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X DELETE "${KIBANA_URL}/api/agent_builder/plugins/{pluginId}" \
              -H "Authorization: ApiKey ${API_KEY}" \
              -H "kbn-xsrf: true"
        - lang: Console
          source: |
            DELETE kbn:/api/agent_builder/plugins/{pluginId}
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/agent_builder/plugins/{pluginId}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get a specific plugin by ID.<br/><br/>[Required authorization] Route required privileges: agentBuilder:read.
      operationId: get-agent-builder-plugins-pluginid
      parameters:
        - description: The unique identifier of the plugin.
          in: path
          name: pluginId
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                getPluginByIdResponseExample:
                  description: Example response returning a single installed plugin
                  value:
                    created_at: '2025-01-01T00:00:00.000Z'
                    description: Financial analysis tools and skills for Claude
                    id: financial-analysis
                    manifest:
                      author:
                        name: Anthropic
                        url: https://www.anthropic.com
                      keywords:
                        - finance
                        - analysis
                      repository: https://github.com/anthropics/financial-services-plugins
                    name: financial-analysis
                    skill_ids:
                      - financial-analysis-analyze-portfolio
                    source_url: https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis
                    unmanaged_assets:
                      agents: []
                      hooks: []
                      lsp_servers: []
                      mcp_servers: []
                      output_styles: []
                    updated_at: '2025-01-01T00:00:00.000Z'
                    version: 1.0.0
          description: Indicates a successful response
      summary: Get a plugin by id
      tags:
        - agent builder
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X GET "${KIBANA_URL}/api/agent_builder/plugins/{pluginId}" \
              -H "Authorization: ApiKey ${API_KEY}"
        - lang: Console
          source: |
            GET kbn:/api/agent_builder/plugins/{pluginId}
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/agent_builder/plugins/install:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/agent_builder/plugins/install</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Install a plugin from a [GitHub Claude plugin URL](https://code.claude.com/docs/en/plugins) or a direct ZIP URL. Plugins bundle agent capabilities such as skills.<br/><br/>[Required authorization] Route required privileges: agentBuilder:write.
      operationId: post-agent-builder-plugins-install
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            examples:
              installPluginFromGithubExample:
                description: Example request for installing a plugin from a GitHub URL
                value:
                  url: https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis
              installPluginFromZipExample:
                description: Example request for installing a plugin from a direct zip URL
                value:
                  url: https://my-server.example.com/my-plugin.zip
              installPluginWithNameOverrideExample:
                description: Example request for installing a plugin with a custom name
                value:
                  plugin_name: my-custom-plugin-name
                  url: https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis
            schema:
              additionalProperties: false
              type: object
              properties:
                plugin_name:
                  description: Optional name override for the plugin. Defaults to the manifest name.
                  type: string
                url:
                  description: URL to install the plugin from (GitHub URL or direct zip URL).
                  type: string
              required:
                - url
      responses:
        '200':
          content:
            application/json:
              examples:
                installPluginResponseExample:
                  description: Example response returning the definition of the installed plugin
                  value:
                    created_at: '2025-01-01T00:00:00.000Z'
                    description: Financial analysis tools and skills for Claude
                    id: financial-analysis
                    manifest:
                      author:
                        name: Anthropic
                        url: https://www.anthropic.com
                      keywords:
                        - finance
                        - analysis
                      repository: https://github.com/anthropics/financial-services-plugins
                    name: financial-analysis
                    skill_ids:
                      - financial-analysis-analyze-portfolio
                    source_url: https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis
                    unmanaged_assets:
                      agents: []
                      hooks: []
                      lsp_servers: []
                      mcp_servers: []
                      output_styles: []
                    updated_at: '2025-01-01T00:00:00.000Z'
                    version: 1.0.0
          description: Indicates a successful response
      summary: Install a plugin
      tags:
        - agent builder
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X POST "${KIBANA_URL}/api/agent_builder/plugins/install" \
              -H "Authorization: ApiKey ${API_KEY}" \
              -H "kbn-xsrf: true" \
              -H "Content-Type: application/json" \
              -d '{
                "url": "https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis"
              }'
        - lang: Console
          source: |
            POST kbn:/api/agent_builder/plugins/install
            {
              "url": "https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis"
            }
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/agent_builder/skills:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/agent_builder/skills</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        List all available skills (built-in and user-created).<br/><br/>[Required authorization] Route required privileges: agentBuilder:read.
      operationId: get-agent-builder-skills
      parameters:
        - description: Set to true to include skills from plugins.
          in: query
          name: include_plugins
          required: false
          schema:
            default: false
            type: boolean
      responses: {}
      summary: List skills
      tags:
        - agent builder
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/agent_builder/skills</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Create a new user-defined skill.<br/><br/>[Required authorization] Route required privileges: agentBuilder:manageSkills.
      operationId: post-agent-builder-skills
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            schema:
              additionalProperties: false
              type: object
              properties:
                content:
                  description: Skill instructions content (markdown).
                  type: string
                description:
                  description: Description of what the skill does.
                  type: string
                id:
                  description: Unique identifier for the skill.
                  type: string
                name:
                  description: Human-readable name for the skill.
                  type: string
                referenced_content:
                  items:
                    additionalProperties: false
                    type: object
                    properties:
                      content:
                        description: Content of the reference.
                        type: string
                      name:
                        description: Name of the referenced content.
                        type: string
                      relativePath:
                        description: Relative path of the referenced content.
                        type: string
                    required:
                      - name
                      - relativePath
                      - content
                  maxItems: 100
                  type: array
                tool_ids:
                  default: []
                  description: Tool IDs from the tool registry that this skill references.
                  items:
                    description: Tool ID from the tool registry.
                    type: string
                  maxItems: 100
                  type: array
              required:
                - id
                - name
                - description
                - content
      responses: {}
      summary: Create a skill
      tags:
        - agent builder
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/agent_builder/skills/{skillId}:
    delete:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/agent_builder/skills/{skillId}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Delete a user-created skill by ID. If agents still reference the skill, the request returns 409 unless force=true, which removes the skill from agents first. Built-in skills cannot be deleted.<br/><br/>[Required authorization] Route required privileges: agentBuilder:manageSkills.
      operationId: delete-agent-builder-skills-skillid
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The unique identifier of the skill.
          in: path
          name: skillId
          required: true
          schema:
            maxLength: 512
            minLength: 1
            type: string
        - description: If true, removes the skill from agents that use it and then deletes it. If false and any agent uses the skill, the request returns 409 Conflict with the list of agents.
          in: query
          name: force
          required: false
          schema:
            default: false
            type: boolean
      responses:
        '200':
          content:
            application/json:
              examples:
                deleteSkillResponseExample:
                  description: Example response showing that the deletion operation was successful
                  value:
                    success: true
          description: Indicates a successful response
      summary: Delete a skill
      tags:
        - agent builder
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X DELETE "https://${KIBANA_URL}/api/agent_builder/skills/{skillId}?force=false" \
              -H "Authorization: ApiKey ${API_KEY}" \
              -H "kbn-xsrf: true"
        - lang: Console
          source: |
            DELETE kbn:/api/agent_builder/skills/{skillId}
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/agent_builder/skills/{skillId}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get a specific skill by ID.<br/><br/>[Required authorization] Route required privileges: agentBuilder:read.
      operationId: get-agent-builder-skills-skillid
      parameters:
        - description: The unique identifier of the skill.
          in: path
          name: skillId
          required: true
          schema:
            maxLength: 512
            minLength: 1
            type: string
      responses: {}
      summary: Get a skill by id
      tags:
        - agent builder
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    put:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb put">put</span>&nbsp;<span class="operation-path">/s/{space_id}/api/agent_builder/skills/{skillId}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Update an existing user-created skill.<br/><br/>[Required authorization] Route required privileges: agentBuilder:manageSkills.
      operationId: put-agent-builder-skills-skillid
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The unique identifier of the skill.
          in: path
          name: skillId
          required: true
          schema:
            maxLength: 512
            minLength: 1
            type: string
      requestBody:
        content:
          application/json:
            schema:
              additionalProperties: false
              type: object
              properties:
                content:
                  description: Updated skill instructions content.
                  type: string
                description:
                  description: Updated description.
                  type: string
                name:
                  description: Updated name for the skill.
                  type: string
                referenced_content:
                  items:
                    additionalProperties: false
                    type: object
                    properties:
                      content:
                        description: Content of the reference.
                        type: string
                      name:
                        description: Name of the referenced content.
                        type: string
                      relativePath:
                        description: Relative path of the referenced content.
                        type: string
                    required:
                      - name
                      - relativePath
                      - content
                  maxItems: 100
                  type: array
                tool_ids:
                  description: Updated tool IDs from the tool registry.
                  items:
                    description: Updated tool ID.
                    type: string
                  maxItems: 100
                  type: array
      responses: {}
      summary: Update a skill
      tags:
        - agent builder
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/agent_builder/tools:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/agent_builder/tools</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        List all available tools. Use this endpoint to retrieve complete tool definitions including their schemas and configuration requirements. To learn more, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).<br/><br/>[Required authorization] Route required privileges: agentBuilder:read.
      operationId: get-agent-builder-tools
      parameters: []
      responses:
        '200':
          content:
            application/json:
              examples:
                listToolsResponseExample:
                  description: Example response returning a list of existing tools
                  value:
                    results:
                      - configuration: {}
                        description: |-
                          A powerful tool for searching and analyzing data within your Elasticsearch cluster.
                          It supports both full-text relevance searches and structured analytical queries.

                          Use this tool for any query that involves finding documents, counting, aggregating, or summarizing data from a known index.

                          Examples of queries:
                          - "find articles about serverless architecture"
                          - "search for support tickets mentioning 'billing issue' or 'refund request'"
                          - "what is our policy on parental leave?"
                          - "list all products where the category is 'electronics'"
                          - "show me the last 5 documents from that index"
                          - "show me the sales over the last year break down by month"

                          Note:
                          - The 'index' parameter can be used to specify which index to search against.
                           If not provided, the tool will decide itself which is the best index to use.
                          - It is perfectly fine not to specify the 'index' parameter. It should only be specified when you already
                           know about the index and fields you want to search on, e.g. if the user explicitly specified it.
                        id: platform.core.search
                        readonly: true
                        schema:
                          $schema: http://json-schema.org/draft-07/schema#
                          additionalProperties: false
                          type: object
                          properties:
                            index:
                              description: (optional) Index to search against. If not provided, will automatically select the best index to use based on the query.
                              type: string
                            query:
                              description: A natural language query expressing the search request
                              type: string
                          required:
                            - query
                        tags: []
                        type: builtin
                      - configuration: {}
                        description: Retrieve the full content (source) of an Elasticsearch document based on its ID and index name.
                        id: platform.core.get_document_by_id
                        readonly: true
                        schema:
                          $schema: http://json-schema.org/draft-07/schema#
                          additionalProperties: false
                          type: object
                          properties:
                            id:
                              description: ID of the document to retrieve
                              type: string
                            index:
                              description: Name of the index to retrieve the document from
                              type: string
                          required:
                            - id
                            - index
                        tags: []
                        type: builtin
                      - configuration: {}
                        description: |-
                          Execute an ES|QL query and return the results in a tabular format.

                          **IMPORTANT**: This tool only **runs** queries; it does not write them.
                          Think of this as the final step after a query has been prepared.

                          You **must** get the query from one of two sources before calling this tool:
                          1.  The output of the `platform.core.generate_esql` tool (if the tool is available).
                          2.  A verbatim query provided directly by the user.

                          Under no circumstances should you invent, guess, or modify a query yourself for this tool.
                          If you need a query, use the `platform.core.generate_esql` tool first.
                        id: platform.core.execute_esql
                        readonly: true
                        schema:
                          $schema: http://json-schema.org/draft-07/schema#
                          additionalProperties: false
                          type: object
                          properties:
                            query:
                              description: The ES|QL query to execute
                              type: string
                          required:
                            - query
                        tags: []
                        type: builtin
                      - configuration:
                          params:
                            limit:
                              description: Maximum number of results to return
                              type: integer
                            startTime:
                              description: Start time for the analysis in ISO format
                              type: date
                          query: FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit
                        description: Example ES|QL query tool for analyzing financial trades with time filtering
                        id: example-esql-tool
                        readonly: false
                        schema:
                          $schema: http://json-schema.org/draft-07/schema#
                          additionalProperties: false
                          description: Parameters needed to execute the query
                          type: object
                          properties:
                            limit:
                              description: Maximum number of results to return
                              type: integer
                            startTime:
                              description: Start time for the analysis in ISO format
                              format: date-time
                              type: string
                          required:
                            - startTime
                            - limit
                        tags:
                          - analytics
                          - finance
                        type: esql
                      - configuration:
                          pattern: financial_*
                        description: Search tool specifically for financial data analysis and reporting
                        id: example-index-search-tool
                        readonly: false
                        schema:
                          $schema: http://json-schema.org/draft-07/schema#
                          additionalProperties: false
                          type: object
                          properties:
                            nlQuery:
                              description: A natural language query expressing the search request
                              type: string
                          required:
                            - nlQuery
                        tags:
                          - search
                          - finance
                        type: index_search
          description: Indicates a successful response
      summary: List tools
      tags:
        - agent builder
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X GET "https://${KIBANA_URL}/api/agent_builder/tools" \
              -H "Authorization: ApiKey ${API_KEY}"
        - lang: Console
          source: |
            GET kbn:/api/agent_builder/tools
      x-state: ''
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/agent_builder/tools</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Create a new tool. Use this endpoint to define a custom tool with specific functionality and configuration for use by agents. To learn more, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).<br/><br/>[Required authorization] Route required privileges: agentBuilder:manageTools.
      operationId: post-agent-builder-tools
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            examples:
              createEsqlToolRequest:
                description: Example request to create an ES|QL query tool with a pre-defined query
                value:
                  configuration:
                    params:
                      limit:
                        description: Maximum number of results to return
                        type: integer
                      startTime:
                        description: Start time for the analysis in ISO format
                        type: date
                    query: FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit
                  description: Example ES|QL query tool for analyzing financial trades with time filtering
                  id: example-esql-tool
                  tags:
                    - analytics
                    - finance
                  type: esql
              createIndexSearchToolRequest:
                description: Example request to create an index_search tool with a pre-defined index pattern
                value:
                  configuration:
                    pattern: financial_*
                  description: Search tool specifically for financial data analysis and reporting
                  id: example-index-search-tool
                  tags:
                    - search
                    - finance
                  type: index_search
            schema:
              additionalProperties: false
              type: object
              properties:
                configuration:
                  additionalProperties:
                    nullable: true
                  description: Tool-specific configuration parameters. See examples for details.
                  type: object
                description:
                  default: ''
                  description: Description of what the tool does.
                  type: string
                id:
                  description: Unique identifier for the tool.
                  type: string
                tags:
                  default: []
                  description: Optional tags for categorizing and organizing tools.
                  items:
                    description: Tag for categorizing the tool.
                    type: string
                  type: array
                type:
                  description: The type of tool to create (e.g., esql, index_search).
                  enum:
                    - esql
                    - index_search
                    - workflow
                    - mcp
                  type: string
              required:
                - id
                - type
                - configuration
      responses:
        '200':
          content:
            application/json:
              examples:
                createEsqlToolExample:
                  description: Example response returning the definition of the ES|QL tool created
                  value:
                    configuration:
                      params:
                        limit:
                          description: Maximum number of results to return
                          type: integer
                        startTime:
                          description: Start time for the analysis in ISO format
                          type: date
                      query: FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit
                    description: Example ES|QL query tool for analyzing financial trades with time filtering
                    id: example-esql-tool
                    readonly: false
                    schema:
                      $schema: http://json-schema.org/draft-07/schema#
                      additionalProperties: false
                      description: Parameters needed to execute the query
                      type: object
                      properties:
                        limit:
                          description: Maximum number of results to return
                          type: integer
                        startTime:
                          description: Start time for the analysis in ISO format
                          format: date-time
                          type: string
                      required:
                        - startTime
                        - limit
                    tags:
                      - analytics
                      - finance
                    type: esql
                createIndexSearchToolExample:
                  description: Example response returning the definition of the index search tool created
                  value:
                    configuration:
                      pattern: financial_*
                    description: Search tool specifically for financial data analysis and reporting
                    id: example-index-search-tool
                    readonly: false
                    schema:
                      $schema: http://json-schema.org/draft-07/schema#
                      additionalProperties: false
                      type: object
                      properties:
                        nlQuery:
                          description: A natural language query expressing the search request
                          type: string
                      required:
                        - nlQuery
                    tags:
                      - search
                      - finance
                    type: index_search
          description: Indicates a successful response
      summary: Create a tool
      tags:
        - agent builder
      x-codeSamples:
        - lang: curl
          source: |
            curl \
             -X POST "https://${KIBANA_URL}/api/agent_builder/tools" \
             -H "Authorization: ApiKey ${API_KEY}" \
             -H "kbn-xsrf: true" \
             -H "Content-Type: application/json" \
             -d '{
               "id": "example-esql-tool",
               "type": "esql",
               "description": "Example ES|QL query tool for analyzing financial trades with time filtering",
               "tags": ["analytics", "finance"],
               "configuration": {
                 "query": "FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit",
                 "params": {
                   "startTime": {
                     "type": "date",
                     "description": "Start time for the analysis in ISO format"
                   },
                   "limit": {
                     "type": "integer",
                     "description": "Maximum number of results to return"
                   }
                 }
               }
             }'
        - lang: Console
          source: |
            POST kbn:/api/agent_builder/tools
            {
              "id": "example-esql-tool",
              "type": "esql",
              "description": "An ES|QL query tool for analyzing financial trades with time filtering",
              "tags": ["analytics", "finance", "updated"],
              "configuration": {
                "query": "FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit",
                "params": {
                  "startTime": {
                    "type": "date",
                    "description": "Start time for the analysis in ISO format"
                  },
                  "limit": {
                    "type": "integer",
                    "description": "Maximum number of results to return"
                  }
                }
              }
            }
      x-state: ''
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/agent_builder/tools/_execute:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/agent_builder/tools/_execute</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Run a tool with parameters. Use this endpoint to run a tool directly with specified inputs and optional external connector integration. To learn more, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).<br/><br/>[Required authorization] Route required privileges: agentBuilder:read.
      operationId: post-agent-builder-tools-execute
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            examples:
              executeBuiltinEsqlToolRequest:
                description: Example request executing platform.core.execute_esql tool
                value:
                  tool_id: platform.core.execute_esql
                  tool_params:
                    query: FROM financial_trades | LIMIT 3
              executeBuiltinToolRequest:
                description: Example request executing platform.core.get_document_by_id tool
                value:
                  tool_id: platform.core.get_document_by_id
                  tool_params:
                    id: TRD-20250805-0820a89f
                    index: financial_trades
              executeCustomEsqlToolRequest:
                description: Example request executing custom example-esql-tool tool
                value:
                  tool_id: example-esql-tool
                  tool_params:
                    limit: 3
                    startTime: '2024-01-01T00:00:00Z'
              executeIndexSearchToolRequest:
                description: Example request executing custom example-index-search-tool tool
                value:
                  tool_id: example-index-search-tool
                  tool_params:
                    nlQuery: find trades with high execution prices above 100
            schema:
              additionalProperties: false
              type: object
              properties:
                connector_id:
                  description: Optional connector ID for tools that require external integrations.
                  type: string
                tool_id:
                  description: The ID of the tool to execute.
                  type: string
                tool_params:
                  additionalProperties:
                    nullable: true
                  description: Parameters to pass to the tool execution. See examples for details.
                  type: object
              required:
                - tool_id
                - tool_params
      responses:
        '200':
          content:
            application/json:
              examples:
                executeBuiltinEsqlToolExample:
                  description: Example response calling built-in platform.core.execute_esql tool
                  value:
                    results:
                      - data:
                          esql: FROM financial_trades | LIMIT 3
                        type: query
                      - data:
                          columns:
                            - name: account_id
                              type: keyword
                            - name: execution_price
                              type: double
                            - name: symbol
                              type: keyword
                            - name: trade_type
                              type: keyword
                          query: FROM financial_trades | LIMIT 3
                          source: esql
                          values:
                            - - ACC00179-1f91
                              - 43.77000045776367
                              - CVX
                              - sell
                            - - ACC00407-0bbb
                              - 660.4199829101562
                              - V
                              - buy
                            - - ACC00179-1f91
                              - 440.3599853515625
                              - KO
                              - buy
                        tool_result_id: xTpT
                        type: esql_results
                executeBuiltinToolExample:
                  description: Example response calling built-in platform.core.get_document_by_id tool
                  value:
                    results:
                      - data:
                          content:
                            account_id: ACC00271-fb5c
                            execution_price: 488.54
                            execution_timestamp: '2025-08-05T08:04:11.649855'
                            last_updated: '2025-09-15T13:23:36'
                            order_status: executed
                            order_type: market
                            quantity: 131
                            status_reason: fully_filled
                            symbol: EWL
                            trade_cost: 63998.74
                            trade_id: TRD-20250805-0820a89f
                            trade_type: sell
                          partial: false
                          reference:
                            id: TRD-20250805-0820a89f
                            index: financial_trades
                        type: resource
                executeCustomEsqlToolExample:
                  description: Example response calling custom example-esql-tool tool
                  value:
                    results:
                      - data:
                          columns:
                            - name: trade_count
                              type: long
                            - name: avg_price
                              type: double
                            - name: symbol
                              type: keyword
                          query: FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit
                          source: esql
                          values:
                            - - 2115
                              - 89.33911587329621
                              - US_T_BOND_20YR
                            - - 2112
                              - 104.20854155945055
                              - INTL_CORP_ASIA_D
                            - - 2105
                              - 89.93244177666526
                              - INTL_CORP_EU_B
                        tool_result_id: Voy8
                        type: esql_results
                executeIndexSearchToolExample:
                  description: Example response calling custom example-index-search-tool tool
                  value:
                    results:
                      - data:
                          esql: |-
                            FROM financial_trades
                            | WHERE execution_price > 100
                            | LIMIT 100
                        type: query
                      - data:
                          columns:
                            - name: account_id
                              type: keyword
                            - name: execution_price
                              type: double
                            - name: execution_timestamp
                              type: date
                            - name: symbol
                              type: keyword
                            - name: trade_type
                              type: keyword
                          query: |-
                            FROM financial_trades
                            | WHERE execution_price > 100
                            | LIMIT 100
                          source: esql
                          values:
                            - - ACC00407-0bbb
                              - 660.4199829101562
                              - '2020-09-25T11:06:08.687Z'
                              - V
                              - buy
                            - - ACC00179-1f91
                              - 440.3599853515625
                              - '2025-08-07T21:56:45.377Z'
                              - KO
                              - buy
                            - - ACC00407-0bbb
                              - 132.8800048828125
                              - '2020-11-19T04:39:13.655Z'
                              - JAP_JGB_10YR
                              - sell
                        tool_result_id: uE8y
                        type: esql_results
          description: Indicates a successful response
      summary: Run a tool
      tags:
        - agent builder
      x-codeSamples:
        - lang: curl
          source: |
            curl \
             -X POST "https://${KIBANA_URL}/api/agent_builder/tools/_execute" \
             -H "Authorization: ApiKey ${API_KEY}" \
             -H "kbn-xsrf: true" \
             -H "Content-Type: application/json" \
             -d '{
               "tool_id": "platform.core.search",
               "tool_params": {
                 "query": "can you find john doe'\''s email from the employee index?"
               }
             }'
        - lang: Console
          source: |
            POST kbn:/api/agent_builder/tools/_execute
            {
              "tool_id": "platform.core.search",
              "tool_params": {
                "query": "can you find john doe's email from the employee index?"
              }
            }
      x-state: ''
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/agent_builder/tools/{toolId}:
    delete:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/agent_builder/tools/{toolId}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Delete a tool by ID. This action cannot be undone. To learn more, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).<br/><br/>[Required authorization] Route required privileges: agentBuilder:manageTools.
      operationId: delete-agent-builder-tools-toolid
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The unique identifier of the tool to delete.
          in: path
          name: toolId
          required: true
          schema:
            type: string
        - description: If true, removes the tool from agents that use it and then deletes it. If false and any agent uses the tool, the request returns 409 Conflict with the list of agents.
          in: query
          name: force
          required: false
          schema:
            default: false
            type: boolean
      responses:
        '200':
          content:
            application/json:
              examples:
                deleteAgentResponseExample:
                  description: Example response showing that the deletion operation was successful
                  value:
                    success: true
          description: Indicates a successful response
      summary: Delete a tool
      tags:
        - agent builder
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X DELETE "https://${KIBANA_URL}/api/agent_builder/tools/{toolId}" \
              -H "Authorization: ApiKey ${API_KEY}" \
              -H "kbn-xsrf: true"
        - lang: Console
          source: |
            DELETE kbn:/api/agent_builder/tools/{toolId}
      x-state: ''
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/agent_builder/tools/{toolId}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get a specific tool by ID. Use this endpoint to retrieve the complete tool definition including its schema and configuration requirements. To learn more, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).<br/><br/>[Required authorization] Route required privileges: agentBuilder:read.
      operationId: get-agent-builder-tools-toolid
      parameters:
        - description: The unique identifier of the tool to retrieve.
          in: path
          name: toolId
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                getBuiltinToolExample:
                  description: Example response returning built-in platform.core.search tool
                  value:
                    configuration: {}
                    description: |-
                      A powerful tool for searching and analyzing data within your Elasticsearch cluster.
                      It supports both full-text relevance searches and structured analytical queries.

                      Use this tool for any query that involves finding documents, counting, aggregating, or summarizing data from a known index.

                      Examples of queries:
                      - "find articles about serverless architecture"
                      - "search for support tickets mentioning 'billing issue' or 'refund request'"
                      - "what is our policy on parental leave?"
                      - "list all products where the category is 'electronics'"
                      - "show me the last 5 documents from that index"
                      - "show me the sales over the last year break down by month"

                      Note:
                      - The 'index' parameter can be used to specify which index to search against.
                       If not provided, the tool will decide itself which is the best index to use.
                      - It is perfectly fine not to specify the 'index' parameter. It should only be specified when you already
                       know about the index and fields you want to search on, e.g. if the user explicitly specified it.
                    id: platform.core.search
                    readonly: true
                    schema:
                      $schema: http://json-schema.org/draft-07/schema#
                      additionalProperties: false
                      type: object
                      properties:
                        index:
                          description: (optional) Index to search against. If not provided, will automatically select the best index to use based on the query.
                          type: string
                        query:
                          description: A natural language query expressing the search request
                          type: string
                      required:
                        - query
                    tags: []
                    type: builtin
                getEsqlToolExample:
                  description: Example response returning custom example-esql-tool tool
                  value:
                    configuration:
                      params:
                        limit:
                          description: Maximum number of results to return
                          type: integer
                        startTime:
                          description: Start time for the analysis in ISO format
                          type: date
                      query: FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit
                    description: Example ES|QL query tool for analyzing financial trades with time filtering
                    id: example-esql-tool
                    readonly: false
                    schema:
                      $schema: http://json-schema.org/draft-07/schema#
                      additionalProperties: false
                      description: Parameters needed to execute the query
                      type: object
                      properties:
                        limit:
                          description: Maximum number of results to return
                          type: integer
                        startTime:
                          description: Start time for the analysis in ISO format
                          format: date-time
                          type: string
                      required:
                        - startTime
                        - limit
                    tags:
                      - analytics
                      - finance
                    type: esql
                getIndexSearchToolExample:
                  description: Example response returning custom example-index-search-tool tool
                  value:
                    configuration:
                      pattern: financial_*
                    description: Search tool specifically for financial data analysis and reporting
                    id: example-index-search-tool
                    readonly: false
                    schema:
                      $schema: http://json-schema.org/draft-07/schema#
                      additionalProperties: false
                      type: object
                      properties:
                        nlQuery:
                          description: A natural language query expressing the search request
                          type: string
                      required:
                        - nlQuery
                    tags:
                      - search
                      - finance
                    type: index_search
          description: Indicates a successful response
      summary: Get a tool by id
      tags:
        - agent builder
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X GET "https://${KIBANA_URL}/api/agent_builder/tools/{toolId}" \
              -H "Authorization: ApiKey ${API_KEY}"
        - lang: Console
          source: |
            GET kbn:/api/agent_builder/tools/{toolId}
      x-state: ''
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    put:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb put">put</span>&nbsp;<span class="operation-path">/s/{space_id}/api/agent_builder/tools/{toolId}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Update an existing tool. Use this endpoint to modify any aspect of the tool's configuration or metadata. To learn more, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).<br/><br/>[Required authorization] Route required privileges: agentBuilder:manageTools.
      operationId: put-agent-builder-tools-toolid
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The unique identifier of the tool to update.
          in: path
          name: toolId
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            examples:
              updateEsqlToolRequest:
                description: Example request to update the custom ES|QL tool
                value:
                  configuration:
                    params:
                      limit:
                        description: Maximum number of results to return
                        type: integer
                      startTime:
                        description: Start time for the analysis in ISO format
                        type: date
                      symbolPattern:
                        description: Pattern to filter symbols (e.g., 'US_*' for US instruments)
                        type: keyword
                    query: FROM financial_trades | WHERE execution_timestamp >= ?startTime AND symbol LIKE ?symbolPattern | STATS trade_count=COUNT(*), avg_price=AVG(execution_price), total_volume=SUM(quantity) BY symbol | SORT trade_count DESC | LIMIT ?limit
                  description: Updated ES|QL query tool for comprehensive financial analysis with enhanced filtering
                  tags:
                    - analytics
                    - finance
                    - reporting
              updateIndexSearchToolRequest:
                description: Example request to update the custom Search tool
                value:
                  description: Updated search tool for comprehensive financial data analysis, reporting, and compliance monitoring
                  tags:
                    - search
                    - finance
                    - compliance
                    - reporting
            schema:
              additionalProperties: false
              type: object
              properties:
                configuration:
                  additionalProperties:
                    nullable: true
                  description: Updated tool-specific configuration parameters. See examples for details.
                  type: object
                description:
                  description: Updated description of what the tool does.
                  type: string
                tags:
                  description: Updated tags for categorizing and organizing tools.
                  items:
                    description: Updated tag for categorizing the tool.
                    type: string
                  type: array
      responses:
        '200':
          content:
            application/json:
              examples:
                updateEsqlToolExample:
                  description: Example response showing the updated ES|QL tool
                  value:
                    configuration:
                      params:
                        limit:
                          description: Maximum number of results to return
                          type: integer
                        startTime:
                          description: Start time for the analysis in ISO format
                          type: date
                        symbolPattern:
                          description: Pattern to filter symbols (e.g., 'US_*' for US instruments)
                          type: keyword
                      query: FROM financial_trades | WHERE execution_timestamp >= ?startTime AND symbol LIKE ?symbolPattern | STATS trade_count=COUNT(*), avg_price=AVG(execution_price), total_volume=SUM(quantity) BY symbol | SORT trade_count DESC | LIMIT ?limit
                    description: Updated ES|QL query tool for comprehensive financial analysis with enhanced filtering
                    id: example-esql-tool
                    readonly: false
                    schema:
                      $schema: http://json-schema.org/draft-07/schema#
                      additionalProperties: false
                      description: Parameters needed to execute the enhanced query
                      type: object
                      properties:
                        limit:
                          description: Maximum number of results to return
                          type: integer
                        startTime:
                          description: Start time for the analysis in ISO format
                          format: date-time
                          type: string
                        symbolPattern:
                          description: Pattern to filter symbols (e.g., 'US_*' for US instruments)
                          type: string
                      required:
                        - startTime
                        - symbolPattern
                        - limit
                    tags:
                      - analytics
                      - finance
                      - reporting
                    type: esql
                updateIndexSearchToolExample:
                  description: Example response showing the updated Search tool
                  value:
                    configuration:
                      pattern: financial_*
                    description: Updated search tool for comprehensive financial data analysis, reporting, and compliance monitoring
                    id: example-index-search-tool
                    readonly: false
                    schema:
                      $schema: http://json-schema.org/draft-07/schema#
                      additionalProperties: false
                      type: object
                      properties:
                        nlQuery:
                          description: A natural language query expressing the search request
                          type: string
                      required:
                        - nlQuery
                    tags:
                      - search
                      - finance
                      - compliance
                      - reporting
                    type: index_search
          description: Indicates a successful response
      summary: Update a tool
      tags:
        - agent builder
      x-codeSamples:
        - lang: curl
          source: |
            curl \
             -X PUT "https://${KIBANA_URL}/api/agent_builder/tools/{toolId}" \
             -H "Authorization: ApiKey ${API_KEY}" \
             -H "kbn-xsrf: true" \
             -H "Content-Type: application/json" \
             -d '{
               "description": "Updated ES|QL query tool for analyzing financial trades with time filtering",
               "tags": ["analytics", "finance", "updated"],
               "configuration": {
                 "query": "FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit",
                 "params": {
                   "startTime": {
                     "type": "date",
                     "description": "Start time for the analysis in ISO format"
                   },
                   "limit": {
                     "type": "integer",
                     "description": "Maximum number of results to return"
                   }
                 }
               }
             }'
        - lang: Console
          source: |
            PUT kbn:/api/agent_builder/tools/{toolId}
            {
              "description": "Updated ES|QL query tool for analyzing financial trades with time filtering",
              "tags": ["analytics", "finance", "updated"],
              "configuration": {
                "query": "FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit",
                "params": {
                  "startTime": {
                    "type": "date",
                    "description": "Start time for the analysis in ISO format"
                  },
                  "limit": {
                    "type": "integer",
                    "description": "Maximum number of results to return"
                  }
                }
              }
            }
      x-state: ''
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/alerting/rule/{id}:
    delete:
      operationId: delete-alerting-rule-id
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The identifier for the rule.
          in: path
          name: id
          required: true
          schema:
            type: string
      responses:
        '204':
          description: Indicates a successful call.
        '400':
          description: Indicates an invalid schema or parameters.
        '403':
          description: Indicates that this call is forbidden.
        '404':
          description: Indicates a rule with the given ID does not exist.
      summary: Delete a rule
      tags:
        - alerting
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/alerting/rule/{id}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
    get:
      operationId: get-alerting-rule-id
      parameters:
        - description: The identifier for the rule.
          in: path
          name: id
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                getRuleResponse:
                  description: A response that contains information about an index threshold rule.
                  summary: Get an index threshold rule
                  value:
                    actions: []
                    api_key_owner: elastic
                    consumer: alerts
                    created_at: '2022-12-05T23:40:33.132Z'
                    created_by: elastic
                    enabled: true
                    id: 3583a470-74f6-11ed-9801-35303b735aef
                    mute_all: false
                    muted_alert_ids: []
                    name: my alert
                    notify_when: onActionGroupChange
                    params:
                      aggField: sheet.version
                      aggType: avg
                      groupBy: top
                      index:
                        - test-index
                      termField: name.keyword
                      termSize: 6
                      threshold:
                        - 1000
                      thresholdComparator: '>'
                      timeField: '@timestamp'
                      timeWindowSize: 5
                      timeWindowUnit: m
                    revision: 0
                    rule_type_id: .index-threshold
                    schedule:
                      interval: 1m
                    tags:
                      - cpu
                    throttle: null
                    updated_at: '2022-12-05T23:40:33.132Z'
                    updated_by: elastic
              schema:
                additionalProperties: false
                type: object
                properties:
                  actions:
                    items:
                      additionalProperties: false
                      type: object
                      properties:
                        alerts_filter:
                          additionalProperties: false
                          description: Defines a period that limits whether the action runs.
                          type: object
                          properties:
                            query:
                              additionalProperties: false
                              type: object
                              properties:
                                dsl:
                                  description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
                                  type: string
                                filters:
                                  description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
                                  items:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      $state:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          store:
                                            description: A filter can be either specific to an application context or applied globally.
                                            enum:
                                              - appState
                                              - globalState
                                            type: string
                                        required:
                                          - store
                                      meta:
                                        additionalProperties:
                                          description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
                                          nullable: true
                                        type: object
                                      query:
                                        additionalProperties:
                                          description: A query for the filter.
                                          nullable: true
                                        type: object
                                    required:
                                      - meta
                                  type: array
                                kql:
                                  description: A filter written in Kibana Query Language (KQL).
                                  type: string
                              required:
                                - kql
                                - filters
                            timeframe:
                              additionalProperties: false
                              type: object
                              properties:
                                days:
                                  description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
                                  items:
                                    enum:
                                      - 1
                                      - 2
                                      - 3
                                      - 4
                                      - 5
                                      - 6
                                      - 7
                                    type: integer
                                  type: array
                                hours:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    end:
                                      description: The end of the time frame in 24-hour notation (`hh:mm`).
                                      type: string
                                    start:
                                      description: The start of the time frame in 24-hour notation (`hh:mm`).
                                      type: string
                                  required:
                                    - start
                                    - end
                                timezone:
                                  description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
                                  type: string
                              required:
                                - days
                                - hours
                                - timezone
                        connector_type_id:
                          description: The type of connector. This property appears in responses but cannot be set in requests.
                          type: string
                        frequency:
                          additionalProperties: false
                          type: object
                          properties:
                            notify_when:
                              description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                              enum:
                                - onActionGroupChange
                                - onActiveAlert
                                - onThrottleInterval
                              type: string
                            summary:
                              description: Indicates whether the action is a summary.
                              type: boolean
                            throttle:
                              description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if ''notify_when'' is set to ''onThrottleInterval''. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                              nullable: true
                              type: string
                          required:
                            - summary
                            - notify_when
                            - throttle
                        group:
                          description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
                          type: string
                        id:
                          description: The identifier for the connector saved object.
                          type: string
                        params:
                          additionalProperties:
                            nullable: true
                          description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
                          type: object
                        use_alert_data_for_template:
                          description: Indicates whether to use alert data as a template.
                          type: boolean
                        uuid:
                          description: A universally unique identifier (UUID) for the action.
                          type: string
                      required:
                        - id
                        - connector_type_id
                        - params
                    type: array
                  active_snoozes:
                    items:
                      description: List of active snoozes for the rule.
                      type: string
                    type: array
                  alert_delay:
                    additionalProperties: false
                    description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
                    type: object
                    properties:
                      active:
                        description: The number of consecutive runs that must meet the rule conditions.
                        type: number
                    required:
                      - active
                  api_key_created_by_user:
                    description: Indicates whether the API key that is associated with the rule was created by the user.
                    nullable: true
                    type: boolean
                  api_key_owner:
                    description: The owner of the API key that is associated with the rule and used to run background tasks.
                    nullable: true
                    type: string
                  artifacts:
                    additionalProperties: false
                    type: object
                    properties:
                      dashboards:
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            id:
                              type: string
                          required:
                            - id
                        type: array
                      investigation_guide:
                        additionalProperties: false
                        type: object
                        properties:
                          blob:
                            description: User-created content that describes alert causes and remediation.
                            type: string
                        required:
                          - blob
                  consumer:
                    description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
                    type: string
                  created_at:
                    description: The date and time that the rule was created.
                    type: string
                  created_by:
                    description: The identifier for the user that created the rule.
                    nullable: true
                    type: string
                  enabled:
                    description: Indicates whether you want to run the rule on an interval basis after it is created.
                    type: boolean
                  execution_status:
                    additionalProperties: false
                    type: object
                    properties:
                      error:
                        additionalProperties: false
                        type: object
                        properties:
                          message:
                            description: Error message.
                            type: string
                          reason:
                            description: Reason for error.
                            enum:
                              - read
                              - decrypt
                              - execute
                              - unknown
                              - license
                              - timeout
                              - disabled
                              - validate
                            type: string
                        required:
                          - reason
                          - message
                      last_duration:
                        description: Duration of last execution of the rule.
                        type: number
                      last_execution_date:
                        description: The date and time when the rule was last executed.
                        type: string
                      status:
                        description: Status of rule execution.
                        enum:
                          - ok
                          - active
                          - error
                          - warning
                          - pending
                          - unknown
                        type: string
                      warning:
                        additionalProperties: false
                        type: object
                        properties:
                          message:
                            description: Warning message.
                            type: string
                          reason:
                            description: Reason for warning.
                            enum:
                              - maxExecutableActions
                              - maxAlerts
                              - maxQueuedActions
                              - ruleExecution
                            type: string
                        required:
                          - reason
                          - message
                    required:
                      - status
                      - last_execution_date
                  flapping:
                    additionalProperties: false
                    description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
                    nullable: true
                    type: object
                    properties:
                      enabled:
                        description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
                        type: boolean
                      look_back_window:
                        description: The minimum number of runs in which the threshold must be met.
                        maximum: 20
                        minimum: 2
                        type: number
                      status_change_threshold:
                        description: The minimum number of times an alert must switch states in the look back window.
                        maximum: 20
                        minimum: 2
                        type: number
                    required:
                      - look_back_window
                      - status_change_threshold
                  id:
                    description: The identifier for the rule.
                    type: string
                  is_snoozed_until:
                    description: The date when the rule will no longer be snoozed.
                    nullable: true
                    type: string
                  last_run:
                    additionalProperties: false
                    nullable: true
                    type: object
                    properties:
                      alerts_count:
                        additionalProperties: false
                        type: object
                        properties:
                          active:
                            description: Number of active alerts during last run.
                            nullable: true
                            type: number
                          ignored:
                            description: Number of ignored alerts during last run.
                            nullable: true
                            type: number
                          new:
                            description: Number of new alerts during last run.
                            nullable: true
                            type: number
                          recovered:
                            description: Number of recovered alerts during last run.
                            nullable: true
                            type: number
                      outcome:
                        description: Outcome of last run of the rule. Value could be succeeded, warning or failed.
                        enum:
                          - succeeded
                          - warning
                          - failed
                        type: string
                      outcome_msg:
                        items:
                          description: Outcome message generated during last rule run.
                          type: string
                        nullable: true
                        type: array
                      outcome_order:
                        description: Order of the outcome.
                        type: number
                      warning:
                        description: Warning of last rule execution.
                        enum:
                          - read
                          - decrypt
                          - execute
                          - unknown
                          - license
                          - timeout
                          - disabled
                          - validate
                          - maxExecutableActions
                          - maxAlerts
                          - maxQueuedActions
                          - ruleExecution
                        nullable: true
                        type: string
                    required:
                      - outcome
                      - alerts_count
                  mapped_params:
                    additionalProperties:
                      nullable: true
                    type: object
                  monitoring:
                    additionalProperties: false
                    description: Monitoring details of the rule.
                    type: object
                    properties:
                      run:
                        additionalProperties: false
                        description: Rule run details.
                        type: object
                        properties:
                          calculated_metrics:
                            additionalProperties: false
                            description: Calculation of different percentiles and success ratio.
                            type: object
                            properties:
                              p50:
                                type: number
                              p95:
                                type: number
                              p99:
                                type: number
                              success_ratio:
                                type: number
                            required:
                              - success_ratio
                          history:
                            description: History of the rule run.
                            items:
                              additionalProperties: false
                              type: object
                              properties:
                                duration:
                                  description: Duration of the rule run.
                                  type: number
                                outcome:
                                  description: Outcome of last run of the rule. Value could be succeeded, warning or failed.
                                  enum:
                                    - succeeded
                                    - warning
                                    - failed
                                  type: string
                                success:
                                  description: Indicates whether the rule run was successful.
                                  type: boolean
                                timestamp:
                                  description: Time of rule run.
                                  type: number
                              required:
                                - success
                                - timestamp
                            type: array
                          last_run:
                            additionalProperties: false
                            type: object
                            properties:
                              metrics:
                                additionalProperties: false
                                type: object
                                properties:
                                  duration:
                                    description: Duration of most recent rule run.
                                    type: number
                                  gap_duration_s:
                                    description: Duration in seconds of rule run gap.
                                    nullable: true
                                    type: number
                                  gap_range:
                                    additionalProperties: false
                                    nullable: true
                                    type: object
                                    properties:
                                      gte:
                                        description: End of the gap range.
                                        type: string
                                      lte:
                                        description: Start of the gap range.
                                        type: string
                                    required:
                                      - lte
                                      - gte
                                  total_alerts_created:
                                    description: Total number of alerts created during last rule run.
                                    nullable: true
                                    type: number
                                  total_alerts_detected:
                                    description: Total number of alerts detected during last rule run.
                                    nullable: true
                                    type: number
                                  total_indexing_duration_ms:
                                    description: Total time spent indexing documents during last rule run in milliseconds.
                                    nullable: true
                                    type: number
                                  total_search_duration_ms:
                                    description: Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.
                                    nullable: true
                                    type: number
                              timestamp:
                                description: Time of the most recent rule run.
                                type: string
                            required:
                              - timestamp
                              - metrics
                        required:
                          - history
                          - calculated_metrics
                          - last_run
                    required:
                      - run
                  mute_all:
                    description: Indicates whether all alerts are muted.
                    type: boolean
                  muted_alert_ids:
                    items:
                      description: List of identifiers of muted alerts.
                      type: string
                    type: array
                  name:
                    description: The name of the rule.
                    type: string
                  next_run:
                    description: Date and time of the next run of the rule.
                    nullable: true
                    type: string
                  notify_when:
                    description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    enum:
                      - onActionGroupChange
                      - onActiveAlert
                      - onThrottleInterval
                    nullable: true
                    type: string
                  params:
                    additionalProperties:
                      nullable: true
                    description: The parameters for the rule.
                    type: object
                  revision:
                    description: The rule revision number.
                    type: number
                  rule_type_id:
                    description: The rule type identifier.
                    type: string
                  running:
                    description: Indicates whether the rule is running.
                    nullable: true
                    type: boolean
                  schedule:
                    additionalProperties: false
                    type: object
                    properties:
                      interval:
                        description: The interval is specified in seconds, minutes, hours, or days.
                        type: string
                    required:
                      - interval
                  scheduled_task_id:
                    description: Identifier of the scheduled task.
                    type: string
                  snooze_schedule:
                    items:
                      additionalProperties: false
                      type: object
                      properties:
                        duration:
                          description: Duration of the rule snooze schedule.
                          type: number
                        id:
                          description: Identifier of the rule snooze schedule.
                          type: string
                        rRule:
                          additionalProperties: false
                          type: object
                          properties:
                            byhour:
                              items:
                                description: Indicates hours of the day to recur.
                                type: number
                              nullable: true
                              type: array
                            byminute:
                              items:
                                description: Indicates minutes of the hour to recur.
                                type: number
                              nullable: true
                              type: array
                            bymonth:
                              items:
                                description: Indicates months of the year that this rule should recur.
                                type: number
                              nullable: true
                              type: array
                            bymonthday:
                              items:
                                description: Indicates the days of the month to recur.
                                type: number
                              nullable: true
                              type: array
                            bysecond:
                              items:
                                description: Indicates seconds of the day to recur.
                                type: number
                              nullable: true
                              type: array
                            bysetpos:
                              items:
                                description: A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`.
                                type: number
                              nullable: true
                              type: array
                            byweekday:
                              items:
                                anyOf:
                                  - type: string
                                  - type: number
                                description: Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a `byweekday/bysetpos` combination.
                              nullable: true
                              type: array
                            byweekno:
                              items:
                                description: Indicates the week numbers of the year to recur.
                                type: number
                              nullable: true
                              type: array
                            byyearday:
                              items:
                                description: Indicates the days of the year that this rule should recur.
                                type: number
                              nullable: true
                              type: array
                            count:
                              description: Number of times the rule should recur until it stops.
                              type: number
                            dtstart:
                              description: Rule start date in Coordinated Universal Time (UTC).
                              type: string
                            freq:
                              description: Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY.
                              enum:
                                - 0
                                - 1
                                - 2
                                - 3
                                - 4
                                - 5
                                - 6
                              type: integer
                            interval:
                              description: Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.
                              type: number
                            tzid:
                              description: Indicates timezone abbreviation.
                              type: string
                            until:
                              description: Recur the rule until this date.
                              type: string
                            wkst:
                              description: Indicates the start of week, defaults to Monday.
                              enum:
                                - MO
                                - TU
                                - WE
                                - TH
                                - FR
                                - SA
                                - SU
                              type: string
                          required:
                            - dtstart
                            - tzid
                        skipRecurrences:
                          items:
                            description: Skips recurrence of rule on this date.
                            type: string
                          type: array
                      required:
                        - duration
                        - rRule
                    type: array
                  tags:
                    items:
                      description: The tags for the rule.
                      type: string
                    type: array
                  throttle:
                    deprecated: true
                    description: 'Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    nullable: true
                    type: string
                  updated_at:
                    description: The date and time that the rule was updated most recently.
                    type: string
                  updated_by:
                    description: The identifier for the user that updated this rule most recently.
                    nullable: true
                    type: string
                  view_in_app_relative_url:
                    description: Relative URL to view rule in the app.
                    nullable: true
                    type: string
                required:
                  - id
                  - enabled
                  - name
                  - tags
                  - rule_type_id
                  - consumer
                  - schedule
                  - actions
                  - params
                  - created_by
                  - updated_by
                  - created_at
                  - updated_at
                  - api_key_owner
                  - mute_all
                  - muted_alert_ids
                  - execution_status
                  - revision
          description: Indicates a successful call.
        '400':
          description: Indicates an invalid schema or parameters.
        '403':
          description: Indicates that this call is forbidden.
        '404':
          description: Indicates a rule with the given ID does not exist.
      summary: Get rule details
      tags:
        - alerting
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/alerting/rule/{id}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
    post:
      operationId: post-alerting-rule-id
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The identifier for the rule. If it is omitted, an ID is randomly generated.
          in: path
          name: id
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            examples:
              createEsQueryEsqlRuleRequest:
                description: |
                  Create an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL) to define its query and a server log connector to send notifications.
                summary: Elasticsearch query rule (ES|QL)
                value:
                  actions:
                    - frequency:
                        notify_when: onActiveAlert
                        summary: false
                      group: query matched
                      id: d0db1fe0-78d6-11ee-9177-f7d404c8c945
                      params:
                        level: info
                        message: |-
                          Elasticsearch query rule '{{rule.name}}' is active:
                          - Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}
                  consumer: stackAlerts
                  name: my Elasticsearch query ESQL rule
                  params:
                    esqlQuery:
                      esql: FROM kibana_sample_data_logs | KEEP bytes, clientip, host, geo.dest | where geo.dest != "GB" | STATS sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | SORT sumbytes desc | LIMIT 10
                    searchType: esqlQuery
                    size: 0
                    threshold:
                      - 0
                    thresholdComparator: '>'
                    timeField: '@timestamp'
                    timeWindowSize: 1
                    timeWindowUnit: d
                  rule_type_id: .es-query
                  schedule:
                    interval: 1d
              createEsQueryKqlRuleRequest:
                description: Create an Elasticsearch query rule that uses Kibana query language (KQL).
                summary: Elasticsearch query rule (KQL)
                value:
                  consumer: alerts
                  name: my Elasticsearch query KQL rule
                  params:
                    aggType: count
                    excludeHitsFromPreviousRun: true
                    groupBy: all
                    searchConfiguration:
                      index: 90943e30-9a47-11e8-b64d-95841ca0b247
                      query:
                        language: kuery
                        query: '""geo.src : "US" ""'
                    searchType: searchSource
                    size: 100
                    threshold:
                      - 1000
                    thresholdComparator: '>'
                    timeWindowSize: 5
                    timeWindowUnit: m
                  rule_type_id: .es-query
                  schedule:
                    interval: 1m
              createEsQueryRuleRequest:
                description: |
                  Create an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL) to define its query and a server log connector to send notifications.
                summary: Elasticsearch query rule (DSL)
                value:
                  actions:
                    - frequency:
                        notify_when: onThrottleInterval
                        summary: true
                        throttle: 1d
                      group: query matched
                      id: fdbece50-406c-11ee-850e-c71febc4ca7f
                      params:
                        level: info
                        message: The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts.
                    - frequency:
                        notify_when: onActionGroupChange
                        summary: false
                      group: recovered
                      id: fdbece50-406c-11ee-850e-c71febc4ca7f
                      params:
                        level: info
                        message: Recovered
                  consumer: alerts
                  name: my Elasticsearch query rule
                  params:
                    esQuery: '"""{"query":{"match_all" : {}}}"""'
                    index:
                      - kibana_sample_data_logs
                    size: 100
                    threshold:
                      - 100
                    thresholdComparator: '>'
                    timeField: '@timestamp'
                    timeWindowSize: 1
                    timeWindowUnit: d
                  rule_type_id: .es-query
                  schedule:
                    interval: 1d
              createIndexThresholdRuleRequest:
                description: |
                  Create an index threshold rule that uses a server log connector to send notifications when the threshold is met.
                summary: Index threshold rule
                value:
                  actions:
                    - frequency:
                        notify_when: onActionGroupChange
                        summary: false
                      group: threshold met
                      id: 48de3460-f401-11ed-9f8e-399c75a2deeb
                      params:
                        level: info
                        message: |-
                          Rule '{{rule.name}}' is active for group '{{context.group}}':

                          - Value: {{context.value}}
                          - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}
                          - Timestamp: {{context.date}}
                  alert_delay:
                    active: 3
                  consumer: alerts
                  name: my rule
                  params:
                    aggField: sheet.version
                    aggType: avg
                    groupBy: top
                    index:
                      - .test-index
                    termField: name.keyword
                    termSize: 6
                    threshold:
                      - 1000
                    thresholdComparator: '>'
                    timeField: '@timestamp'
                    timeWindowSize: 5
                    timeWindowUnit: m
                  rule_type_id: .index-threshold
                  schedule:
                    interval: 1m
                  tags:
                    - cpu
              createTrackingContainmentRuleRequest:
                description: |
                  Create a tracking containment rule that checks when an entity is contained or no longer contained within a boundary.
                summary: Tracking containment rule
                value:
                  consumer: alerts
                  name: my tracking rule
                  params:
                    boundaryGeoField: location
                    boundaryIndexId: 0cd90abf-abe7-44c7-909a-f621bbbcfefc
                    boundaryIndexTitle: boundary*
                    boundaryNameField: name
                    boundaryType: entireIndex
                    dateField: '@timestamp'
                    entity: agent.keyword
                    geoField: geo.coordinates
                    index: kibana_sample_data_logs
                    indexId: 90943e30-9a47-11e8-b64d-95841ca0b247
                  rule_type_id: .geo-containment
                  schedule:
                    interval: 1h
            schema:
              anyOf:
                - discriminator:
                    mapping:
                      .es-query: '#/components/schemas/Kibana_HTTP_APIs_es-query-create-rule-body-alerting'
                      .geo-containment: '#/components/schemas/Kibana_HTTP_APIs_geo-containment-create-rule-body-alerting'
                      .index-threshold: '#/components/schemas/Kibana_HTTP_APIs_index-threshold-create-rule-body-alerting'
                      apm.anomaly: '#/components/schemas/Kibana_HTTP_APIs_apm-anomaly-create-rule-body-alerting'
                      apm.error_rate: '#/components/schemas/Kibana_HTTP_APIs_apm-error-rate-create-rule-body-alerting'
                      apm.transaction_duration: '#/components/schemas/Kibana_HTTP_APIs_apm-transaction-duration-create-rule-body-alerting'
                      apm.transaction_error_rate: '#/components/schemas/Kibana_HTTP_APIs_apm-transaction-error-rate-create-rule-body-alerting'
                      datasetQuality.degradedDocs: '#/components/schemas/Kibana_HTTP_APIs_datasetquality-degradeddocs-create-rule-body-alerting'
                      logs.alert.document.count: '#/components/schemas/Kibana_HTTP_APIs_logs-alert-document-count-create-rule-body-alerting'
                      metrics.alert.inventory.threshold: '#/components/schemas/Kibana_HTTP_APIs_metrics-alert-inventory-threshold-create-rule-body-alerting'
                      metrics.alert.threshold: '#/components/schemas/Kibana_HTTP_APIs_metrics-alert-threshold-create-rule-body-alerting'
                      monitoring_alert_cluster_health: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-cluster-health-create-rule-body-alerting'
                      monitoring_alert_cpu_usage: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-cpu-usage-create-rule-body-alerting'
                      monitoring_alert_disk_usage: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-disk-usage-create-rule-body-alerting'
                      monitoring_alert_elasticsearch_version_mismatch: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-elasticsearch-version-mismatch-create-rule-body-alerting'
                      monitoring_alert_jvm_memory_usage: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-jvm-memory-usage-create-rule-body-alerting'
                      monitoring_alert_kibana_version_mismatch: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-kibana-version-mismatch-create-rule-body-alerting'
                      monitoring_alert_license_expiration: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-license-expiration-create-rule-body-alerting'
                      monitoring_alert_logstash_version_mismatch: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-logstash-version-mismatch-create-rule-body-alerting'
                      monitoring_alert_missing_monitoring_data: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-missing-monitoring-data-create-rule-body-alerting'
                      monitoring_alert_nodes_changed: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-nodes-changed-create-rule-body-alerting'
                      monitoring_alert_thread_pool_search_rejections: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-thread-pool-search-rejections-create-rule-body-alerting'
                      monitoring_alert_thread_pool_write_rejections: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-thread-pool-write-rejections-create-rule-body-alerting'
                      monitoring_ccr_read_exceptions: '#/components/schemas/Kibana_HTTP_APIs_monitoring-ccr-read-exceptions-create-rule-body-alerting'
                      monitoring_shard_size: '#/components/schemas/Kibana_HTTP_APIs_monitoring-shard-size-create-rule-body-alerting'
                      observability.rules.custom_threshold: '#/components/schemas/Kibana_HTTP_APIs_observability-rules-custom-threshold-create-rule-body-alerting'
                      slo.rules.burnRate: '#/components/schemas/Kibana_HTTP_APIs_slo-rules-burnrate-create-rule-body-alerting'
                      transform_health: '#/components/schemas/Kibana_HTTP_APIs_transform-health-create-rule-body-alerting'
                      xpack.ml.anomaly_detection_alert: '#/components/schemas/Kibana_HTTP_APIs_xpack-ml-anomaly-detection-alert-create-rule-body-alerting'
                      xpack.ml.anomaly_detection_jobs_health: '#/components/schemas/Kibana_HTTP_APIs_xpack-ml-anomaly-detection-jobs-health-create-rule-body-alerting'
                      xpack.synthetics.alerts.monitorStatus: '#/components/schemas/Kibana_HTTP_APIs_xpack-synthetics-alerts-monitorstatus-create-rule-body-alerting'
                      xpack.synthetics.alerts.tls: '#/components/schemas/Kibana_HTTP_APIs_xpack-synthetics-alerts-tls-create-rule-body-alerting'
                      xpack.uptime.alerts.durationAnomaly: '#/components/schemas/Kibana_HTTP_APIs_xpack-uptime-alerts-durationanomaly-create-rule-body-alerting'
                      xpack.uptime.alerts.monitorStatus: '#/components/schemas/Kibana_HTTP_APIs_xpack-uptime-alerts-monitorstatus-create-rule-body-alerting'
                      xpack.uptime.alerts.tlsCertificate: '#/components/schemas/Kibana_HTTP_APIs_xpack-uptime-alerts-tlscertificate-create-rule-body-alerting'
                    propertyName: rule_type_id
                  oneOf:
                    - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-ccr-read-exceptions-create-rule-body-alerting'
                    - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-cluster-health-create-rule-body-alerting'
                    - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-cpu-usage-create-rule-body-alerting'
                    - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-disk-usage-create-rule-body-alerting'
                    - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-elasticsearch-version-mismatch-create-rule-body-alerting'
                    - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-kibana-version-mismatch-create-rule-body-alerting'
                    - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-license-expiration-create-rule-body-alerting'
                    - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-logstash-version-mismatch-create-rule-body-alerting'
                    - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-jvm-memory-usage-create-rule-body-alerting'
                    - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-missing-monitoring-data-create-rule-body-alerting'
                    - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-nodes-changed-create-rule-body-alerting'
                    - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-shard-size-create-rule-body-alerting'
                    - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-thread-pool-search-rejections-create-rule-body-alerting'
                    - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-thread-pool-write-rejections-create-rule-body-alerting'
                    - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-ml-anomaly-detection-alert-create-rule-body-alerting'
                    - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-ml-anomaly-detection-jobs-health-create-rule-body-alerting'
                    - $ref: '#/components/schemas/Kibana_HTTP_APIs_datasetquality-degradeddocs-create-rule-body-alerting'
                    - $ref: '#/components/schemas/Kibana_HTTP_APIs_es-query-create-rule-body-alerting'
                    - $ref: '#/components/schemas/Kibana_HTTP_APIs_index-threshold-create-rule-body-alerting'
                    - $ref: '#/components/schemas/Kibana_HTTP_APIs_geo-containment-create-rule-body-alerting'
                    - $ref: '#/components/schemas/Kibana_HTTP_APIs_transform-health-create-rule-body-alerting'
                    - $ref: '#/components/schemas/Kibana_HTTP_APIs_apm-anomaly-create-rule-body-alerting'
                    - $ref: '#/components/schemas/Kibana_HTTP_APIs_apm-error-rate-create-rule-body-alerting'
                    - $ref: '#/components/schemas/Kibana_HTTP_APIs_apm-transaction-error-rate-create-rule-body-alerting'
                    - $ref: '#/components/schemas/Kibana_HTTP_APIs_apm-transaction-duration-create-rule-body-alerting'
                    - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-synthetics-alerts-monitorstatus-create-rule-body-alerting'
                    - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-synthetics-alerts-tls-create-rule-body-alerting'
                    - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-uptime-alerts-monitorstatus-create-rule-body-alerting'
                    - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-uptime-alerts-tlscertificate-create-rule-body-alerting'
                    - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-uptime-alerts-durationanomaly-create-rule-body-alerting'
                    - $ref: '#/components/schemas/Kibana_HTTP_APIs_metrics-alert-inventory-threshold-create-rule-body-alerting'
                    - $ref: '#/components/schemas/Kibana_HTTP_APIs_metrics-alert-threshold-create-rule-body-alerting'
                    - $ref: '#/components/schemas/Kibana_HTTP_APIs_observability-rules-custom-threshold-create-rule-body-alerting'
                    - $ref: '#/components/schemas/Kibana_HTTP_APIs_logs-alert-document-count-create-rule-body-alerting'
                    - $ref: '#/components/schemas/Kibana_HTTP_APIs_slo-rules-burnrate-create-rule-body-alerting'
                - additionalProperties: false
                  type: object
                  properties:
                    actions:
                      default: []
                      items:
                        additionalProperties: false
                        description: An action that runs under defined conditions.
                        type: object
                        properties:
                          alerts_filter:
                            additionalProperties: false
                            description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
                            type: object
                            properties:
                              query:
                                additionalProperties: false
                                type: object
                                properties:
                                  dsl:
                                    description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
                                    type: string
                                  filters:
                                    description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
                                    items:
                                      additionalProperties: false
                                      type: object
                                      properties:
                                        $state:
                                          additionalProperties: false
                                          type: object
                                          properties:
                                            store:
                                              description: A filter can be either specific to an application context or applied globally.
                                              enum:
                                                - appState
                                                - globalState
                                              type: string
                                          required:
                                            - store
                                        meta:
                                          additionalProperties:
                                            description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
                                            nullable: true
                                          type: object
                                        query:
                                          additionalProperties:
                                            description: A query for the filter.
                                            nullable: true
                                          type: object
                                      required:
                                        - meta
                                    type: array
                                  kql:
                                    description: A filter written in Kibana Query Language (KQL).
                                    type: string
                                required:
                                  - kql
                                  - filters
                              timeframe:
                                additionalProperties: false
                                description: Defines a period that limits whether the action runs.
                                type: object
                                properties:
                                  days:
                                    description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
                                    items:
                                      enum:
                                        - 1
                                        - 2
                                        - 3
                                        - 4
                                        - 5
                                        - 6
                                        - 7
                                      type: integer
                                    type: array
                                  hours:
                                    additionalProperties: false
                                    description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.
                                    type: object
                                    properties:
                                      end:
                                        description: The end of the time frame in 24-hour notation (`hh:mm`).
                                        type: string
                                      start:
                                        description: The start of the time frame in 24-hour notation (`hh:mm`).
                                        type: string
                                    required:
                                      - start
                                      - end
                                  timezone:
                                    description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight saving time support and are not recommended.
                                    type: string
                                required:
                                  - days
                                  - hours
                                  - timezone
                          frequency:
                            additionalProperties: false
                            type: object
                            properties:
                              notify_when:
                                description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                                enum:
                                  - onActionGroupChange
                                  - onActiveAlert
                                  - onThrottleInterval
                                type: string
                              summary:
                                description: Indicates whether the action is a summary.
                                type: boolean
                              throttle:
                                description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                                nullable: true
                                type: string
                            required:
                              - summary
                              - notify_when
                              - throttle
                          group:
                            description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
                            type: string
                          id:
                            description: The identifier for the connector saved object.
                            type: string
                          params:
                            additionalProperties:
                              nullable: true
                            default: {}
                            description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
                            type: object
                          use_alert_data_for_template:
                            description: Indicates whether to use alert data as a template.
                            type: boolean
                          uuid:
                            description: A universally unique identifier (UUID) for the action.
                            type: string
                        required:
                          - id
                      type: array
                    alert_delay:
                      additionalProperties: false
                      description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
                      type: object
                      properties:
                        active:
                          description: The number of consecutive runs that must meet the rule conditions.
                          type: number
                      required:
                        - active
                    artifacts:
                      additionalProperties: false
                      type: object
                      properties:
                        dashboards:
                          items:
                            additionalProperties: false
                            type: object
                            properties:
                              id:
                                type: string
                            required:
                              - id
                          maxItems: 10
                          type: array
                        investigation_guide:
                          additionalProperties: false
                          type: object
                          properties:
                            blob:
                              maxLength: 10000
                              type: string
                          required:
                            - blob
                    consumer:
                      description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
                      type: string
                    enabled:
                      default: true
                      description: Indicates whether you want to run the rule on an interval basis after it is created.
                      type: boolean
                    flapping:
                      additionalProperties: false
                      description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
                      nullable: true
                      type: object
                      properties:
                        enabled:
                          description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
                          type: boolean
                        look_back_window:
                          description: The minimum number of runs in which the threshold must be met.
                          maximum: 20
                          minimum: 2
                          type: number
                        status_change_threshold:
                          description: The minimum number of times an alert must switch states in the look back window.
                          maximum: 20
                          minimum: 2
                          type: number
                      required:
                        - look_back_window
                        - status_change_threshold
                    name:
                      description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
                      type: string
                    notify_when:
                      description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                      enum:
                        - onActionGroupChange
                        - onActiveAlert
                        - onThrottleInterval
                      nullable: true
                      type: string
                    params:
                      additionalProperties:
                        nullable: true
                      default: {}
                      description: The parameters for the rule.
                      type: object
                    rule_type_id:
                      description: The rule type identifier.
                      type: string
                    schedule:
                      additionalProperties: false
                      description: The check interval, which specifies how frequently the rule conditions are checked.
                      type: object
                      properties:
                        interval:
                          description: The interval is specified in seconds, minutes, hours, or days.
                          type: string
                      required:
                        - interval
                    tags:
                      default: []
                      description: The tags for the rule.
                      items:
                        type: string
                      type: array
                    throttle:
                      description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                      nullable: true
                      type: string
                  required:
                    - name
                    - consumer
                    - schedule
                    - rule_type_id
      responses:
        '200':
          content:
            application/json:
              examples:
                createEsQueryEsqlRuleResponse:
                  description: The response for successfully creating an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL).
                  summary: Elasticsearch query rule (ES|QL)
                  value:
                    actions:
                      - connector_type_id: .server-log
                        frequency:
                          notify_when: onActiveAlert
                          summary: false
                          throttle: null
                        group: query matched
                        id: d0db1fe0-78d6-11ee-9177-f7d404c8c945
                        params:
                          level: info
                          message: |-
                            Elasticsearch query rule '{{rule.name}}' is active:
                            - Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}
                        uuid: bfe370a3-531b-4855-bbe6-ad739f578844
                    api_key_created_by_user: false
                    api_key_owner: elastic
                    consumer: stackAlerts
                    created_at: '2023-11-01T19:00:10.453Z'
                    created_by: elastic
                    enabled: true
                    execution_status:
                      last_execution_date: '2023-11-01T19:00:10.453Z'
                      status: pending
                    id: e0d62360-78e8-11ee-9177-f7d404c8c945
                    mute_all: false
                    muted_alert_ids: []
                    name: my Elasticsearch query ESQL rule
                    notify_when: null
                    params:
                      aggType: count
                      esqlQuery:
                        esql: FROM kibana_sample_data_logs | keep bytes, clientip, host, geo.dest | WHERE geo.dest != "GB" | stats sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | sort sumbytes desc | limit 10
                      excludeHitsFromPreviousRun: true
                      groupBy: all
                      searchType: esqlQuery
                      size: 0
                      threshold:
                        - 0
                      thresholdComparator: '>'
                      timeField: '@timestamp'
                      timeWindowSize: 1
                      timeWindowUnit: d
                    revision: 0
                    rule_type_id: .es-query
                    running: false
                    schedule:
                      interval: 1d
                    scheduled_task_id: e0d62360-78e8-11ee-9177-f7d404c8c945
                    tags: []
                    throttle: null
                    updated_at: '2023-11-01T19:00:10.453Z'
                    updated_by: elastic
                createEsQueryKqlRuleResponse:
                  description: The response for successfully creating an Elasticsearch query rule that uses Kibana query language (KQL).
                  summary: Elasticsearch query rule (KQL)
                  value:
                    actions: []
                    api_key_created_by_user: false
                    api_key_owner: elastic
                    consumer: alerts
                    created_at: '2023-07-14T20:24:50.729Z'
                    created_by: elastic
                    enabled: true
                    execution_status:
                      last_execution_date: '2023-07-14T20:24:50.729Z'
                      status: pending
                    id: 7bd506d0-2284-11ee-8fad-6101956ced88
                    mute_all: false
                    muted_alert_ids: []
                    name: my Elasticsearch query KQL rule
                    notify_when: null
                    params:
                      aggType: count
                      excludeHitsFromPreviousRun: true
                      groupBy: all
                      searchConfiguration:
                        index: 90943e30-9a47-11e8-b64d-95841ca0b247
                        query:
                          language: kuery
                          query: '""geo.src : "US" ""'
                      searchType: searchSource
                      size: 100
                      threshold:
                        - 1000
                      thresholdComparator: '>'
                      timeWindowSize: 5
                      timeWindowUnit: m
                    revision: 0
                    rule_type_id: .es-query
                    running: false
                    schedule:
                      interval: 1m
                    scheduled_task_id: 7bd506d0-2284-11ee-8fad-6101956ced88
                    tags: []
                    throttle: null
                    updated_at: '2023-07-14T20:24:50.729Z'
                    updated_by: elastic
                createEsQueryRuleResponse:
                  description: The response for successfully creating an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL).
                  summary: Elasticsearch query rule (DSL)
                  value:
                    actions:
                      - connector_type_id: .server-log
                        frequency:
                          notify_when: onThrottleInterval
                          summary: true
                          throttle: 1d
                        group: query matched
                        id: fdbece50-406c-11ee-850e-c71febc4ca7f
                        params:
                          level: info
                          message: The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts.
                        uuid: 53f3c2a3-e5d0-4cfa-af3b-6f0881385e78
                      - connector_type_id: .server-log
                        frequency:
                          notify_when: onActionGroupChange
                          summary: false
                          throttle: null
                        group: recovered
                        id: fdbece50-406c-11ee-850e-c71febc4ca7f
                        params:
                          level: info
                          message: Recovered
                        uuid: 2324e45b-c0df-45c7-9d70-4993e30be758
                    api_key_created_by_user: false
                    api_key_owner: elastic
                    consumer: alerts
                    created_at: '2023-08-22T00:03:38.263Z'
                    created_by: elastic
                    enabled: true
                    execution_status:
                      last_execution_date: '2023-08-22T00:03:38.263Z'
                      status: pending
                    id: 58148c70-407f-11ee-850e-c71febc4ca7f
                    mute_all: false
                    muted_alert_ids: []
                    name: my Elasticsearch query rule
                    notify_when: null
                    params:
                      aggType: count
                      esQuery: '"""{"query":{"match_all" : {}}}"""'
                      excludeHitsFromPreviousRun: true
                      groupBy: all
                      index:
                        - kibana_sample_data_logs
                      searchType: esQuery
                      size: 100
                      threshold:
                        - 100
                      thresholdComparator: '>'
                      timeField: '@timestamp'
                      timeWindowSize: 1
                      timeWindowUnit: d
                    revision: 0
                    rule_type_id: .es-query
                    running: false
                    schedule:
                      interval: 1d
                    scheduled_task_id: 58148c70-407f-11ee-850e-c71febc4ca7f
                    tags: []
                    throttle: null
                    updated_at: '2023-08-22T00:03:38.263Z'
                    updated_by: elastic
                createIndexThresholdRuleResponse:
                  description: The response for successfully creating an index threshold rule.
                  summary: Index threshold rule
                  value:
                    actions:
                      - connector_type_id: .server-log
                        frequency:
                          notify_when: onActionGroupChange
                          summary: false
                          throttle: null
                        group: threshold met
                        id: dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2
                        params:
                          level: info
                          message: |-
                            Rule {{rule.name}} is active for group {{context.group}} :

                            - Value: {{context.value}}
                            - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}
                            - Timestamp: {{context.date}}
                        uuid: 07aef2a0-9eed-4ef9-94ec-39ba58eb609d
                    alert_delay:
                      active: 3
                    api_key_created_by_user: false
                    api_key_owner: elastic
                    consumer: alerts
                    created_at: '2022-06-08T17:20:31.632Z'
                    created_by: elastic
                    enabled: true
                    execution_status:
                      last_execution_date: '2022-06-08T17:20:31.632Z'
                      status: pending
                    id: 41893910-6bca-11eb-9e0d-85d233e3ee35
                    mute_all: false
                    muted_alert_ids: []
                    name: my rule
                    notify_when: null
                    params:
                      aggField: sheet.version
                      aggType: avg
                      groupBy: top
                      index:
                        - .test-index
                      termField: name.keyword
                      termSize: 6
                      threshold:
                        - 1000
                      thresholdComparator: '>'
                      timeField: '@timestamp'
                      timeWindowSize: 5
                      timeWindowUnit: m
                    revision: 0
                    rule_type_id: .index-threshold
                    running: false
                    schedule:
                      interval: 1m
                    scheduled_task_id: 425b0800-6bca-11eb-9e0d-85d233e3ee35
                    tags:
                      - cpu
                    throttle: null
                    updated_at: '2022-06-08T17:20:31.632Z'
                    updated_by: elastic
                createTrackingContainmentRuleResponse:
                  description: The response for successfully creating a tracking containment rule.
                  summary: Tracking containment rule
                  value:
                    actions: []
                    api_key_created_by_user: false
                    api_key_owner: elastic
                    consumer: alerts
                    created_at: '2024-02-14T19:52:55.920Z'
                    created_by: elastic
                    enabled: true
                    execution_status:
                      last_duration: 74
                      last_execution_date: '2024-02-15T03:25:38.125Z'
                      status: ok
                    id: b6883f9d-5f70-4758-a66e-369d7c26012f
                    last_run:
                      alerts_count:
                        active: 0
                        ignored: 0
                        new: 0
                        recovered: 0
                      outcome: succeeded
                      outcome_msg: null
                      outcome_order: 0
                      warning: null
                    mute_all: false
                    muted_alert_ids: []
                    name: my tracking rule
                    next_run: '2024-02-15T03:26:38.033Z'
                    notify_when: null
                    params:
                      boundaryGeoField: location
                      boundaryIndexId: 0cd90abf-abe7-44c7-909a-f621bbbcfefc
                      boundaryIndexTitle: boundary*
                      boundaryNameField: name
                      boundaryType: entireIndex
                      dateField: '@timestamp'
                      entity: agent.keyword
                      geoField: geo.coordinates
                      index: kibana_sample_data_logs
                      indexId: 90943e30-9a47-11e8-b64d-95841ca0b247
                    revision: 1
                    rule_type_id: .geo-containment
                    running: false
                    schedule:
                      interval: 1h
                    scheduled_task_id: b6883f9d-5f70-4758-a66e-369d7c26012f
                    tags: []
                    throttle: null
                    updated_at: '2024-02-15T03:24:32.574Z'
                    updated_by: elastic
              schema:
                additionalProperties: false
                type: object
                properties:
                  actions:
                    items:
                      additionalProperties: false
                      type: object
                      properties:
                        alerts_filter:
                          additionalProperties: false
                          description: Defines a period that limits whether the action runs.
                          type: object
                          properties:
                            query:
                              additionalProperties: false
                              type: object
                              properties:
                                dsl:
                                  description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
                                  type: string
                                filters:
                                  description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
                                  items:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      $state:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          store:
                                            description: A filter can be either specific to an application context or applied globally.
                                            enum:
                                              - appState
                                              - globalState
                                            type: string
                                        required:
                                          - store
                                      meta:
                                        additionalProperties:
                                          description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
                                          nullable: true
                                        type: object
                                      query:
                                        additionalProperties:
                                          description: A query for the filter.
                                          nullable: true
                                        type: object
                                    required:
                                      - meta
                                  type: array
                                kql:
                                  description: A filter written in Kibana Query Language (KQL).
                                  type: string
                              required:
                                - kql
                                - filters
                            timeframe:
                              additionalProperties: false
                              type: object
                              properties:
                                days:
                                  description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
                                  items:
                                    enum:
                                      - 1
                                      - 2
                                      - 3
                                      - 4
                                      - 5
                                      - 6
                                      - 7
                                    type: integer
                                  type: array
                                hours:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    end:
                                      description: The end of the time frame in 24-hour notation (`hh:mm`).
                                      type: string
                                    start:
                                      description: The start of the time frame in 24-hour notation (`hh:mm`).
                                      type: string
                                  required:
                                    - start
                                    - end
                                timezone:
                                  description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight saving time support and are not recommended.
                                  type: string
                              required:
                                - days
                                - hours
                                - timezone
                        connector_type_id:
                          description: The type of connector. This property appears in responses but cannot be set in requests.
                          type: string
                        frequency:
                          additionalProperties: false
                          type: object
                          properties:
                            notify_when:
                              description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                              enum:
                                - onActionGroupChange
                                - onActiveAlert
                                - onThrottleInterval
                              type: string
                            summary:
                              description: Indicates whether the action is a summary.
                              type: boolean
                            throttle:
                              description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                              nullable: true
                              type: string
                          required:
                            - summary
                            - notify_when
                            - throttle
                        group:
                          description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
                          type: string
                        id:
                          description: The identifier for the connector saved object.
                          type: string
                        params:
                          additionalProperties:
                            nullable: true
                          description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
                          type: object
                        use_alert_data_for_template:
                          description: Indicates whether to use alert data as a template.
                          type: boolean
                        uuid:
                          description: A universally unique identifier (UUID) for the action.
                          type: string
                      required:
                        - id
                        - connector_type_id
                        - params
                    type: array
                  active_snoozes:
                    items:
                      description: List of active snoozes for the rule.
                      type: string
                    type: array
                  alert_delay:
                    additionalProperties: false
                    description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
                    type: object
                    properties:
                      active:
                        description: The number of consecutive runs that must meet the rule conditions.
                        type: number
                    required:
                      - active
                  api_key_created_by_user:
                    description: Indicates whether the API key that is associated with the rule was created by the user.
                    nullable: true
                    type: boolean
                  api_key_owner:
                    description: The owner of the API key that is associated with the rule and used to run background tasks.
                    nullable: true
                    type: string
                  artifacts:
                    additionalProperties: false
                    type: object
                    properties:
                      dashboards:
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            id:
                              type: string
                          required:
                            - id
                        type: array
                      investigation_guide:
                        additionalProperties: false
                        type: object
                        properties:
                          blob:
                            description: User-created content that describes alert causes and remediation.
                            type: string
                        required:
                          - blob
                  consumer:
                    description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
                    type: string
                  created_at:
                    description: The date and time that the rule was created.
                    type: string
                  created_by:
                    description: The identifier for the user that created the rule.
                    nullable: true
                    type: string
                  enabled:
                    description: Indicates whether you want to run the rule on an interval basis after it is created.
                    type: boolean
                  execution_status:
                    additionalProperties: false
                    type: object
                    properties:
                      error:
                        additionalProperties: false
                        type: object
                        properties:
                          message:
                            description: Error message.
                            type: string
                          reason:
                            description: Reason for error.
                            enum:
                              - read
                              - decrypt
                              - execute
                              - unknown
                              - license
                              - timeout
                              - disabled
                              - validate
                            type: string
                        required:
                          - reason
                          - message
                      last_duration:
                        description: Duration of last execution of the rule.
                        type: number
                      last_execution_date:
                        description: The date and time when the rule was last executed.
                        type: string
                      status:
                        description: Status of rule execution.
                        enum:
                          - ok
                          - active
                          - error
                          - warning
                          - pending
                          - unknown
                        type: string
                      warning:
                        additionalProperties: false
                        type: object
                        properties:
                          message:
                            description: Warning message.
                            type: string
                          reason:
                            description: Reason for warning.
                            enum:
                              - maxExecutableActions
                              - maxAlerts
                              - maxQueuedActions
                              - ruleExecution
                            type: string
                        required:
                          - reason
                          - message
                    required:
                      - status
                      - last_execution_date
                  flapping:
                    additionalProperties: false
                    description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
                    nullable: true
                    type: object
                    properties:
                      enabled:
                        description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
                        type: boolean
                      look_back_window:
                        description: The minimum number of runs in which the threshold must be met.
                        maximum: 20
                        minimum: 2
                        type: number
                      status_change_threshold:
                        description: The minimum number of times an alert must switch states in the look back window.
                        maximum: 20
                        minimum: 2
                        type: number
                    required:
                      - look_back_window
                      - status_change_threshold
                  id:
                    description: The identifier for the rule.
                    type: string
                  is_snoozed_until:
                    description: The date when the rule will no longer be snoozed.
                    nullable: true
                    type: string
                  last_run:
                    additionalProperties: false
                    nullable: true
                    type: object
                    properties:
                      alerts_count:
                        additionalProperties: false
                        type: object
                        properties:
                          active:
                            description: Number of active alerts during last run.
                            nullable: true
                            type: number
                          ignored:
                            description: Number of ignored alerts during last run.
                            nullable: true
                            type: number
                          new:
                            description: Number of new alerts during last run.
                            nullable: true
                            type: number
                          recovered:
                            description: Number of recovered alerts during last run.
                            nullable: true
                            type: number
                      outcome:
                        description: Outcome of last run of the rule. Value could be succeeded, warning or failed.
                        enum:
                          - succeeded
                          - warning
                          - failed
                        type: string
                      outcome_msg:
                        items:
                          description: Outcome message generated during last rule run.
                          type: string
                        nullable: true
                        type: array
                      outcome_order:
                        description: Order of the outcome.
                        type: number
                      warning:
                        description: Warning of last rule execution.
                        enum:
                          - read
                          - decrypt
                          - execute
                          - unknown
                          - license
                          - timeout
                          - disabled
                          - validate
                          - maxExecutableActions
                          - maxAlerts
                          - maxQueuedActions
                          - ruleExecution
                        nullable: true
                        type: string
                    required:
                      - outcome
                      - alerts_count
                  mapped_params:
                    additionalProperties:
                      nullable: true
                    type: object
                  monitoring:
                    additionalProperties: false
                    description: Monitoring details of the rule.
                    type: object
                    properties:
                      run:
                        additionalProperties: false
                        description: Rule run details.
                        type: object
                        properties:
                          calculated_metrics:
                            additionalProperties: false
                            description: Calculation of different percentiles and success ratio.
                            type: object
                            properties:
                              p50:
                                type: number
                              p95:
                                type: number
                              p99:
                                type: number
                              success_ratio:
                                type: number
                            required:
                              - success_ratio
                          history:
                            description: History of the rule run.
                            items:
                              additionalProperties: false
                              type: object
                              properties:
                                duration:
                                  description: Duration of the rule run.
                                  type: number
                                outcome:
                                  description: Outcome of last run of the rule. Value could be succeeded, warning or failed.
                                  enum:
                                    - succeeded
                                    - warning
                                    - failed
                                  type: string
                                success:
                                  description: Indicates whether the rule run was successful.
                                  type: boolean
                                timestamp:
                                  description: Time of rule run.
                                  type: number
                              required:
                                - success
                                - timestamp
                            type: array
                          last_run:
                            additionalProperties: false
                            type: object
                            properties:
                              metrics:
                                additionalProperties: false
                                type: object
                                properties:
                                  duration:
                                    description: Duration of most recent rule run.
                                    type: number
                                  gap_duration_s:
                                    description: Duration in seconds of rule run gap.
                                    nullable: true
                                    type: number
                                  gap_range:
                                    additionalProperties: false
                                    nullable: true
                                    type: object
                                    properties:
                                      gte:
                                        description: End of the gap range.
                                        type: string
                                      lte:
                                        description: Start of the gap range.
                                        type: string
                                    required:
                                      - lte
                                      - gte
                                  total_alerts_created:
                                    description: Total number of alerts created during last rule run.
                                    nullable: true
                                    type: number
                                  total_alerts_detected:
                                    description: Total number of alerts detected during last rule run.
                                    nullable: true
                                    type: number
                                  total_indexing_duration_ms:
                                    description: Total time spent indexing documents during last rule run in milliseconds.
                                    nullable: true
                                    type: number
                                  total_search_duration_ms:
                                    description: Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.
                                    nullable: true
                                    type: number
                              timestamp:
                                description: Time of the most recent rule run.
                                type: string
                            required:
                              - timestamp
                              - metrics
                        required:
                          - history
                          - calculated_metrics
                          - last_run
                    required:
                      - run
                  mute_all:
                    description: Indicates whether all alerts are muted.
                    type: boolean
                  muted_alert_ids:
                    items:
                      description: List of identifiers of muted alerts.
                      type: string
                    type: array
                  name:
                    description: The name of the rule.
                    type: string
                  next_run:
                    description: Date and time of the next run of the rule.
                    nullable: true
                    type: string
                  notify_when:
                    description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    enum:
                      - onActionGroupChange
                      - onActiveAlert
                      - onThrottleInterval
                    nullable: true
                    type: string
                  params:
                    additionalProperties:
                      nullable: true
                    description: The parameters for the rule.
                    type: object
                  revision:
                    description: The rule revision number.
                    type: number
                  rule_type_id:
                    description: The rule type identifier.
                    type: string
                  running:
                    description: Indicates whether the rule is running.
                    nullable: true
                    type: boolean
                  schedule:
                    additionalProperties: false
                    type: object
                    properties:
                      interval:
                        description: The interval is specified in seconds, minutes, hours, or days.
                        type: string
                    required:
                      - interval
                  scheduled_task_id:
                    description: Identifier of the scheduled task.
                    type: string
                  snooze_schedule:
                    items:
                      additionalProperties: false
                      type: object
                      properties:
                        duration:
                          description: Duration of the rule snooze schedule.
                          type: number
                        id:
                          description: Identifier of the rule snooze schedule.
                          type: string
                        rRule:
                          additionalProperties: false
                          type: object
                          properties:
                            byhour:
                              items:
                                description: Indicates hours of the day to recur.
                                type: number
                              nullable: true
                              type: array
                            byminute:
                              items:
                                description: Indicates minutes of the hour to recur.
                                type: number
                              nullable: true
                              type: array
                            bymonth:
                              items:
                                description: Indicates months of the year that this rule should recur.
                                type: number
                              nullable: true
                              type: array
                            bymonthday:
                              items:
                                description: Indicates the days of the month to recur.
                                type: number
                              nullable: true
                              type: array
                            bysecond:
                              items:
                                description: Indicates seconds of the day to recur.
                                type: number
                              nullable: true
                              type: array
                            bysetpos:
                              items:
                                description: A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`.
                                type: number
                              nullable: true
                              type: array
                            byweekday:
                              items:
                                anyOf:
                                  - type: string
                                  - type: number
                                description: Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" is the second Tuesday of the month and "-1FR" is the last Friday of the month; these are internally converted to a `byweekday/bysetpos` combination.
                              nullable: true
                              type: array
                            byweekno:
                              items:
                                description: Indicates the week numbers to recur.
                                type: number
                              nullable: true
                              type: array
                            byyearday:
                              items:
                                description: Indicates the days of the year that this rule should recur.
                                type: number
                              nullable: true
                              type: array
                            count:
                              description: Number of times the rule should recur until it stops.
                              type: number
                            dtstart:
                              description: Rule start date in Coordinated Universal Time (UTC).
                              type: string
                            freq:
                              description: Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY.
                              enum:
                                - 0
                                - 1
                                - 2
                                - 3
                                - 4
                                - 5
                                - 6
                              type: integer
                            interval:
                              description: Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.
                              type: number
                            tzid:
                              description: Indicates timezone abbreviation.
                              type: string
                            until:
                              description: Recur the rule until this date.
                              type: string
                            wkst:
                              description: Indicates the start of week, defaults to Monday.
                              enum:
                                - MO
                                - TU
                                - WE
                                - TH
                                - FR
                                - SA
                                - SU
                              type: string
                          required:
                            - dtstart
                            - tzid
                        skipRecurrences:
                          items:
                            description: Skips recurrence of rule on this date.
                            type: string
                          type: array
                      required:
                        - duration
                        - rRule
                    type: array
                  tags:
                    items:
                      description: The tags for the rule.
                      type: string
                    type: array
                  throttle:
                    deprecated: true
                    description: 'Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    nullable: true
                    type: string
                  updated_at:
                    description: The date and time that the rule was updated most recently.
                    type: string
                  updated_by:
                    description: The identifier for the user that updated this rule most recently.
                    nullable: true
                    type: string
                  view_in_app_relative_url:
                    description: Relative URL to view rule in the app.
                    nullable: true
                    type: string
                required:
                  - id
                  - enabled
                  - name
                  - tags
                  - rule_type_id
                  - consumer
                  - schedule
                  - actions
                  - params
                  - created_by
                  - updated_by
                  - created_at
                  - updated_at
                  - api_key_owner
                  - mute_all
                  - muted_alert_ids
                  - execution_status
                  - revision
          description: Indicates a successful call.
        '400':
          description: Indicates an invalid schema or parameters.
        '403':
          description: Indicates that this call is forbidden.
        '409':
          description: Indicates that the rule id is already in use.
      summary: Create a rule
      tags:
        - alerting
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/alerting/rule/{id}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
    put:
      operationId: put-alerting-rule-id
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The identifier for the rule.
          in: path
          name: id
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            examples:
              updateRuleRequest:
                description: Update an index threshold rule that uses a server log connector to send notifications when the threshold is met.
                summary: Index threshold rule
                value:
                  actions:
                    - frequency:
                        notify_when: onActionGroupChange
                        summary: false
                      group: threshold met
                      id: 96b668d0-a1b6-11ed-afdf-d39a49596974
                      params:
                        level: info
                        message: |-
                          Rule {{rule.name}} is active for group {{context.group}}:

                          - Value: {{context.value}}
                          - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}
                          - Timestamp: {{context.date}}
                  name: new name
                  params:
                    aggField: sheet.version
                    aggType: avg
                    groupBy: top
                    index:
                      - .updated-index
                    termField: name.keyword
                    termSize: 6
                    threshold:
                      - 1000
                    thresholdComparator: '>'
                    timeField: '@timestamp'
                    timeWindowSize: 5
                    timeWindowUnit: m
                  schedule:
                    interval: 1m
                  tags: []
            schema:
              additionalProperties: false
              type: object
              properties:
                actions:
                  default: []
                  items:
                    additionalProperties: false
                    description: An action that runs under defined conditions.
                    type: object
                    properties:
                      alerts_filter:
                        additionalProperties: false
                        type: object
                        properties:
                          query:
                            additionalProperties: false
                            type: object
                            properties:
                              dsl:
                                description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
                                type: string
                              filters:
                                description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
                                items:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    $state:
                                      additionalProperties: false
                                      type: object
                                      properties:
                                        store:
                                          description: A filter can be either specific to an application context or applied globally.
                                          enum:
                                            - appState
                                            - globalState
                                          type: string
                                      required:
                                        - store
                                    meta:
                                      additionalProperties:
                                        description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value".
                                        nullable: true
                                      type: object
                                    query:
                                      additionalProperties:
                                        description: A query for the filter.
                                        nullable: true
                                      type: object
                                  required:
                                    - meta
                                type: array
                              kql:
                                description: A filter written in Kibana Query Language (KQL).
                                type: string
                            required:
                              - kql
                              - filters
                          timeframe:
                            additionalProperties: false
                            description: Defines a period that limits whether the action runs.
                            type: object
                            properties:
                              days:
                                description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
                                items:
                                  enum:
                                    - 1
                                    - 2
                                    - 3
                                    - 4
                                    - 5
                                    - 6
                                    - 7
                                  type: integer
                                type: array
                              hours:
                                additionalProperties: false
                                description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions are generated all day.
                                type: object
                                properties:
                                  end:
                                    description: The end of the time frame in 24-hour notation (`hh:mm`).
                                    type: string
                                  start:
                                    description: The start of the time frame in 24-hour notation (`hh:mm`).
                                    type: string
                                required:
                                  - start
                                  - end
                              timezone:
                                description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight saving time support and are not recommended.
                                type: string
                            required:
                              - days
                              - hours
                              - timezone
                      frequency:
                        additionalProperties: false
                        type: object
                        properties:
                          notify_when:
                            description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                            enum:
                              - onActionGroupChange
                              - onActiveAlert
                              - onThrottleInterval
                            type: string
                          summary:
                            description: Indicates whether the action is a summary.
                            type: boolean
                          throttle:
                            description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                            nullable: true
                            type: string
                        required:
                          - summary
                          - notify_when
                          - throttle
                      group:
                        description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
                        type: string
                      id:
                        description: The identifier for the connector saved object.
                        type: string
                      params:
                        additionalProperties:
                          nullable: true
                        default: {}
                        description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
                        type: object
                      use_alert_data_for_template:
                        description: Indicates whether to use alert data as a template.
                        type: boolean
                      uuid:
                        description: A universally unique identifier (UUID) for the action.
                        type: string
                    required:
                      - id
                  type: array
                alert_delay:
                  additionalProperties: false
                  description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
                  type: object
                  properties:
                    active:
                      description: The number of consecutive runs that must meet the rule conditions.
                      type: number
                  required:
                    - active
                artifacts:
                  additionalProperties: false
                  type: object
                  properties:
                    dashboards:
                      items:
                        additionalProperties: false
                        type: object
                        properties:
                          id:
                            type: string
                        required:
                          - id
                      maxItems: 10
                      type: array
                    investigation_guide:
                      additionalProperties: false
                      type: object
                      properties:
                        blob:
                          maxLength: 10000
                          type: string
                      required:
                        - blob
                flapping:
                  additionalProperties: false
                  description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
                  nullable: true
                  type: object
                  properties:
                    enabled:
                      description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
                      type: boolean
                    look_back_window:
                      description: The minimum number of runs in which the threshold must be met.
                      maximum: 20
                      minimum: 2
                      type: number
                    status_change_threshold:
                      description: The minimum number of times an alert must switch states in the look back window.
                      maximum: 20
                      minimum: 2
                      type: number
                  required:
                    - look_back_window
                    - status_change_threshold
                name:
                  description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
                  type: string
                notify_when:
                  description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                  enum:
                    - onActionGroupChange
                    - onActiveAlert
                    - onThrottleInterval
                  nullable: true
                  type: string
                params:
                  additionalProperties:
                    nullable: true
                  default: {}
                  description: The parameters for the rule.
                  type: object
                schedule:
                  additionalProperties: false
                  type: object
                  properties:
                    interval:
                      description: The interval is specified in seconds, minutes, hours, or days.
                      type: string
                  required:
                    - interval
                tags:
                  default: []
                  items:
                    description: The tags for the rule.
                    type: string
                  type: array
                throttle:
                  description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                  nullable: true
                  type: string
              required:
                - name
                - schedule
      responses:
        '200':
          content:
            application/json:
              examples:
                updateRuleResponse:
                  description: The response for successfully updating an index threshold rule.
                  summary: Index threshold rule
                  value:
                    actions:
                      - connector_type_id: .server-log
                        frequency:
                          notify_when: onActionGroupChange
                          summary: false
                          throttle: null
                        group: threshold met
                        id: 96b668d0-a1b6-11ed-afdf-d39a49596974
                        params:
                          level: info
                          message: |-
                            Rule {{rule.name}} is active for group {{context.group}}:

                            - Value: {{context.value}}
                            - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}
                            - Timestamp: {{context.date}}
                        uuid: 07aef2a0-9eed-4ef9-94ec-39ba58eb609d
                    api_key_created_by_user: false
                    api_key_owner: elastic
                    consumer: alerts
                    created_at: '2024-03-26T23:13:20.985Z'
                    created_by: elastic
                    enabled: true
                    execution_status:
                      last_duration: 52
                      last_execution_date: '2024-03-26T23:22:51.390Z'
                      status: ok
                    id: ac4e6b90-6be7-11eb-ba0d-9b1c1f912d74
                    last_run:
                      alerts_count:
                        active: 0
                        ignored: 0
                        new: 0
                        recovered: 0
                      outcome: succeeded
                      outcome_msg: null
                      warning: null
                    mute_all: false
                    muted_alert_ids: []
                    name: new name
                    next_run: '2024-03-26T23:23:51.316Z'
                    params:
                      aggField: sheet.version
                      aggType: avg
                      groupBy: top
                      index:
                        - .updated-index
                      termField: name.keyword
                      termSize: 6
                      threshold:
                        - 1000
                      thresholdComparator: '>'
                      timeField: '@timestamp'
                      timeWindowSize: 5
                      timeWindowUnit: m
                    revision: 1
                    rule_type_id: .index-threshold
                    running: false
                    schedule:
                      interval: 1m
                    scheduled_task_id: 4c5eda00-e74f-11ec-b72f-5b18752ff9ea
                    tags: []
                    throttle: null
                    updated_at: '2024-03-26T23:22:59.949Z'
                    updated_by: elastic
              schema:
                additionalProperties: false
                type: object
                properties:
                  actions:
                    items:
                      additionalProperties: false
                      type: object
                      properties:
                        alerts_filter:
                          additionalProperties: false
                          description: Defines a period that limits whether the action runs.
                          type: object
                          properties:
                            query:
                              additionalProperties: false
                              type: object
                              properties:
                                dsl:
                                  description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
                                  type: string
                                filters:
                                  description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
                                  items:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      $state:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          store:
                                            description: A filter can be either specific to an application context or applied globally.
                                            enum:
                                              - appState
                                              - globalState
                                            type: string
                                        required:
                                          - store
                                      meta:
                                        additionalProperties:
                                          description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
                                          nullable: true
                                        type: object
                                      query:
                                        additionalProperties:
                                          description: A query for the filter.
                                          nullable: true
                                        type: object
                                    required:
                                      - meta
                                  type: array
                                kql:
                                  description: A filter written in Kibana Query Language (KQL).
                                  type: string
                              required:
                                - kql
                                - filters
                            timeframe:
                              additionalProperties: false
                              type: object
                              properties:
                                days:
                                  description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
                                  items:
                                    enum:
                                      - 1
                                      - 2
                                      - 3
                                      - 4
                                      - 5
                                      - 6
                                      - 7
                                    type: integer
                                  type: array
                                hours:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    end:
                                      description: The end of the time frame in 24-hour notation (`hh:mm`).
                                      type: string
                                    start:
                                      description: The start of the time frame in 24-hour notation (`hh:mm`).
                                      type: string
                                  required:
                                    - start
                                    - end
                                timezone:
                                  description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight saving time support and are not recommended.
                                  type: string
                              required:
                                - days
                                - hours
                                - timezone
                        connector_type_id:
                          description: The type of connector. This property appears in responses but cannot be set in requests.
                          type: string
                        frequency:
                          additionalProperties: false
                          type: object
                          properties:
                            notify_when:
                              description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                              enum:
                                - onActionGroupChange
                                - onActiveAlert
                                - onThrottleInterval
                              type: string
                            summary:
                              description: Indicates whether the action is a summary.
                              type: boolean
                            throttle:
                              description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                              nullable: true
                              type: string
                          required:
                            - summary
                            - notify_when
                            - throttle
                        group:
                          description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
                          type: string
                        id:
                          description: The identifier for the connector saved object.
                          type: string
                        params:
                          additionalProperties:
                            nullable: true
                          description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
                          type: object
                        use_alert_data_for_template:
                          description: Indicates whether to use alert data as a template.
                          type: boolean
                        uuid:
                          description: A universally unique identifier (UUID) for the action.
                          type: string
                      required:
                        - id
                        - connector_type_id
                        - params
                    type: array
                  active_snoozes:
                    items:
                      description: List of active snoozes for the rule.
                      type: string
                    type: array
                  alert_delay:
                    additionalProperties: false
                    description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
                    type: object
                    properties:
                      active:
                        description: The number of consecutive runs that must meet the rule conditions.
                        type: number
                    required:
                      - active
                  api_key_created_by_user:
                    description: Indicates whether the API key that is associated with the rule was created by the user.
                    nullable: true
                    type: boolean
                  api_key_owner:
                    description: The owner of the API key that is associated with the rule and used to run background tasks.
                    nullable: true
                    type: string
                  artifacts:
                    additionalProperties: false
                    type: object
                    properties:
                      dashboards:
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            id:
                              type: string
                          required:
                            - id
                        type: array
                      investigation_guide:
                        additionalProperties: false
                        type: object
                        properties:
                          blob:
                            description: User-created content that describes alert causes and remediation.
                            type: string
                        required:
                          - blob
                  consumer:
                    description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
                    type: string
                  created_at:
                    description: The date and time that the rule was created.
                    type: string
                  created_by:
                    description: The identifier for the user that created the rule.
                    nullable: true
                    type: string
                  enabled:
                    description: Indicates whether you want to run the rule on an interval basis after it is created.
                    type: boolean
                  execution_status:
                    additionalProperties: false
                    type: object
                    properties:
                      error:
                        additionalProperties: false
                        type: object
                        properties:
                          message:
                            description: Error message.
                            type: string
                          reason:
                            description: Reason for error.
                            enum:
                              - read
                              - decrypt
                              - execute
                              - unknown
                              - license
                              - timeout
                              - disabled
                              - validate
                            type: string
                        required:
                          - reason
                          - message
                      last_duration:
                        description: Duration of last execution of the rule.
                        type: number
                      last_execution_date:
                        description: The date and time when the rule was last executed.
                        type: string
                      status:
                        description: Status of rule execution.
                        enum:
                          - ok
                          - active
                          - error
                          - warning
                          - pending
                          - unknown
                        type: string
                      warning:
                        additionalProperties: false
                        type: object
                        properties:
                          message:
                            description: Warning message.
                            type: string
                          reason:
                            description: Reason for warning.
                            enum:
                              - maxExecutableActions
                              - maxAlerts
                              - maxQueuedActions
                              - ruleExecution
                            type: string
                        required:
                          - reason
                          - message
                    required:
                      - status
                      - last_execution_date
                  flapping:
                    additionalProperties: false
                    description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
                    nullable: true
                    type: object
                    properties:
                      enabled:
                        description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
                        type: boolean
                      look_back_window:
                        description: The minimum number of runs in which the threshold must be met.
                        maximum: 20
                        minimum: 2
                        type: number
                      status_change_threshold:
                        description: The minimum number of times an alert must switch states in the look back window.
                        maximum: 20
                        minimum: 2
                        type: number
                    required:
                      - look_back_window
                      - status_change_threshold
                  id:
                    description: The identifier for the rule.
                    type: string
                  is_snoozed_until:
                    description: The date when the rule will no longer be snoozed.
                    nullable: true
                    type: string
                  last_run:
                    additionalProperties: false
                    nullable: true
                    type: object
                    properties:
                      alerts_count:
                        additionalProperties: false
                        type: object
                        properties:
                          active:
                            description: Number of active alerts during last run.
                            nullable: true
                            type: number
                          ignored:
                            description: Number of ignored alerts during last run.
                            nullable: true
                            type: number
                          new:
                            description: Number of new alerts during last run.
                            nullable: true
                            type: number
                          recovered:
                            description: Number of recovered alerts during last run.
                            nullable: true
                            type: number
                      outcome:
                        description: Outcome of last run of the rule. Value could be succeeded, warning or failed.
                        enum:
                          - succeeded
                          - warning
                          - failed
                        type: string
                      outcome_msg:
                        items:
                          description: Outcome message generated during last rule run.
                          type: string
                        nullable: true
                        type: array
                      outcome_order:
                        description: Order of the outcome.
                        type: number
                      warning:
                        description: Warning of last rule execution.
                        enum:
                          - read
                          - decrypt
                          - execute
                          - unknown
                          - license
                          - timeout
                          - disabled
                          - validate
                          - maxExecutableActions
                          - maxAlerts
                          - maxQueuedActions
                          - ruleExecution
                        nullable: true
                        type: string
                    required:
                      - outcome
                      - alerts_count
                  mapped_params:
                    additionalProperties:
                      nullable: true
                    type: object
                  monitoring:
                    additionalProperties: false
                    description: Monitoring details of the rule.
                    type: object
                    properties:
                      run:
                        additionalProperties: false
                        description: Rule run details.
                        type: object
                        properties:
                          calculated_metrics:
                            additionalProperties: false
                            description: Calculation of different percentiles and success ratio.
                            type: object
                            properties:
                              p50:
                                type: number
                              p95:
                                type: number
                              p99:
                                type: number
                              success_ratio:
                                type: number
                            required:
                              - success_ratio
                          history:
                            description: History of the rule run.
                            items:
                              additionalProperties: false
                              type: object
                              properties:
                                duration:
                                  description: Duration of the rule run.
                                  type: number
                                outcome:
                                  description: Outcome of last run of the rule. Value could be succeeded, warning or failed.
                                  enum:
                                    - succeeded
                                    - warning
                                    - failed
                                  type: string
                                success:
                                  description: Indicates whether the rule run was successful.
                                  type: boolean
                                timestamp:
                                  description: Time of rule run.
                                  type: number
                              required:
                                - success
                                - timestamp
                            type: array
                          last_run:
                            additionalProperties: false
                            type: object
                            properties:
                              metrics:
                                additionalProperties: false
                                type: object
                                properties:
                                  duration:
                                    description: Duration of most recent rule run.
                                    type: number
                                  gap_duration_s:
                                    description: Duration in seconds of rule run gap.
                                    nullable: true
                                    type: number
                                  gap_range:
                                    additionalProperties: false
                                    nullable: true
                                    type: object
                                    properties:
                                      gte:
                                        description: End of the gap range.
                                        type: string
                                      lte:
                                        description: Start of the gap range.
                                        type: string
                                    required:
                                      - lte
                                      - gte
                                  total_alerts_created:
                                    description: Total number of alerts created during last rule run.
                                    nullable: true
                                    type: number
                                  total_alerts_detected:
                                    description: Total number of alerts detected during last rule run.
                                    nullable: true
                                    type: number
                                  total_indexing_duration_ms:
                                    description: Total time spent indexing documents during last rule run in milliseconds.
                                    nullable: true
                                    type: number
                                  total_search_duration_ms:
                                    description: Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.
                                    nullable: true
                                    type: number
                              timestamp:
                                description: Time of the most recent rule run.
                                type: string
                            required:
                              - timestamp
                              - metrics
                        required:
                          - history
                          - calculated_metrics
                          - last_run
                    required:
                      - run
                  mute_all:
                    description: Indicates whether all alerts are muted.
                    type: boolean
                  muted_alert_ids:
                    items:
                      description: 'List of identifiers of muted alerts.'
                      type: string
                    type: array
                  name:
                    description: 'The name of the rule.'
                    type: string
                  next_run:
                    description: Date and time of the next run of the rule.
                    nullable: true
                    type: string
                  notify_when:
                    description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    enum:
                      - onActionGroupChange
                      - onActiveAlert
                      - onThrottleInterval
                    nullable: true
                    type: string
                  params:
                    additionalProperties:
                      nullable: true
                    description: The parameters for the rule.
                    type: object
                  revision:
                    description: The rule revision number.
                    type: number
                  rule_type_id:
                    description: The rule type identifier.
                    type: string
                  running:
                    description: Indicates whether the rule is running.
                    nullable: true
                    type: boolean
                  schedule:
                    additionalProperties: false
                    type: object
                    properties:
                      interval:
                        description: The interval is specified in seconds, minutes, hours, or days.
                        type: string
                    required:
                      - interval
                  scheduled_task_id:
                    description: Identifier of the scheduled task.
                    type: string
                  snooze_schedule:
                    items:
                      additionalProperties: false
                      type: object
                      properties:
                        duration:
                          description: Duration of the rule snooze schedule.
                          type: number
                        id:
                          description: Identifier of the rule snooze schedule.
                          type: string
                        rRule:
                          additionalProperties: false
                          type: object
                          properties:
                            byhour:
                              items:
                                description: Indicates hours of the day to recur.
                                type: number
                              nullable: true
                              type: array
                            byminute:
                              items:
                                description: Indicates minutes of the hour to recur.
                                type: number
                              nullable: true
                              type: array
                            bymonth:
                              items:
                                description: Indicates months of the year that this rule should recur.
                                type: number
                              nullable: true
                              type: array
                            bymonthday:
                              items:
                                description: Indicates the days of the month to recur.
                                type: number
                              nullable: true
                              type: array
                            bysecond:
                              items:
                                description: Indicates seconds of the day to recur.
                                type: number
                              nullable: true
                              type: array
                            bysetpos:
                              items:
                                description: A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`.
                                type: number
                              nullable: true
                              type: array
                            byweekday:
                              items:
                                anyOf:
                                  - type: string
                                  - type: number
                                description: Indicates the days of the week to recur, or nth-day-of-month strings. For example, "+2TU" is the second Tuesday of the month and "-1FR" is the last Friday of the month; these are internally converted to a `byweekday/bysetpos` combination.
                              nullable: true
                              type: array
                            byweekno:
                              items:
                                description: Indicates the week numbers on which to recur.
                                type: number
                              nullable: true
                              type: array
                            byyearday:
                              items:
                                description: Indicates the days of the year that this rule should recur.
                                type: number
                              nullable: true
                              type: array
                            count:
                              description: Number of times the rule should recur until it stops.
                              type: number
                            dtstart:
                              description: Rule start date in Coordinated Universal Time (UTC).
                              type: string
                            freq:
                              description: Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY.
                              enum:
                                - 0
                                - 1
                                - 2
                                - 3
                                - 4
                                - 5
                                - 6
                              type: integer
                            interval:
                              description: Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.
                              type: number
                            tzid:
                              description: Indicates timezone abbreviation.
                              type: string
                            until:
                              description: Recur the rule until this date.
                              type: string
                            wkst:
                              description: Indicates the start of week, defaults to Monday.
                              enum:
                                - MO
                                - TU
                                - WE
                                - TH
                                - FR
                                - SA
                                - SU
                              type: string
                          required:
                            - dtstart
                            - tzid
                        skipRecurrences:
                          items:
                            description: Skips recurrence of rule on this date.
                            type: string
                          type: array
                      required:
                        - duration
                        - rRule
                    type: array
                  tags:
                    items:
                      description: The tags for the rule.
                      type: string
                    type: array
                  throttle:
                    deprecated: true
                    description: 'Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    nullable: true
                    type: string
                  updated_at:
                    description: The date and time that the rule was updated most recently.
                    type: string
                  updated_by:
                    description: The identifier for the user that updated this rule most recently.
                    nullable: true
                    type: string
                  view_in_app_relative_url:
                    description: Relative URL to view rule in the app.
                    nullable: true
                    type: string
                required:
                  - id
                  - enabled
                  - name
                  - tags
                  - rule_type_id
                  - consumer
                  - schedule
                  - actions
                  - params
                  - created_by
                  - updated_by
                  - created_at
                  - updated_at
                  - api_key_owner
                  - mute_all
                  - muted_alert_ids
                  - execution_status
                  - revision
          description: Indicates a successful call.
        '400':
          description: Indicates an invalid schema or parameters.
        '403':
          description: Indicates that this call is forbidden.
        '404':
          description: Indicates a rule with the given ID does not exist.
        '409':
          description: Indicates that the rule has already been updated by another user.
      summary: Update a rule
      tags:
        - alerting
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb put">put</span>&nbsp;<span class="operation-path">/s/{space_id}/api/alerting/rule/{id}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
  /api/alerting/rule/{id}/_disable:
    post:
      operationId: post-alerting-rule-id-disable
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The identifier for the rule.
          in: path
          name: id
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            examples:
              disableRuleRequest:
                description: A request that disables a rule and untracks all alerts that were generated by the rule.
                summary: Disable a rule and untrack its alerts
                value:
                  untrack: true
            schema:
              additionalProperties: false
              nullable: true
              type: object
              properties:
                untrack:
                  description: Defines whether this rule's alerts should be untracked.
                  type: boolean
              x-oas-optional: true
      responses:
        '204':
          description: Indicates a successful call.
        '400':
          description: Indicates an invalid schema.
        '403':
          description: Indicates that this call is forbidden.
        '404':
          description: Indicates a rule with the given ID does not exist.
      summary: Disable a rule
      tags:
        - alerting
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/alerting/rule/{id}/_disable</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
  /api/alerting/rule/{id}/_enable:
    post:
      operationId: post-alerting-rule-id-enable
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The identifier for the rule.
          in: path
          name: id
          required: true
          schema:
            type: string
      responses:
        '204':
          description: Indicates a successful call.
        '400':
          description: Indicates an invalid schema or parameters.
        '403':
          description: Indicates that this call is forbidden.
        '404':
          description: Indicates a rule with the given ID does not exist.
      summary: Enable a rule
      tags:
        - alerting
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/alerting/rule/{id}/_enable</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
  /api/alerting/rule/{id}/_mute_all:
    post:
      operationId: post-alerting-rule-id-mute-all
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The identifier for the rule.
          in: path
          name: id
          required: true
          schema:
            type: string
      responses:
        '204':
          description: Indicates a successful call.
        '400':
          description: Indicates an invalid schema or parameters.
        '403':
          description: Indicates that this call is forbidden.
        '404':
          description: Indicates a rule with the given ID does not exist.
      summary: Mute all alerts
      tags:
        - alerting
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/alerting/rule/{id}/_mute_all</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
  /api/alerting/rule/{id}/_unmute_all:
    post:
      operationId: post-alerting-rule-id-unmute-all
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The identifier for the rule.
          in: path
          name: id
          required: true
          schema:
            type: string
      responses:
        '204':
          description: Indicates a successful call.
        '400':
          description: Indicates an invalid schema or parameters.
        '403':
          description: Indicates that this call is forbidden.
        '404':
          description: Indicates a rule with the given ID does not exist.
      summary: Unmute all alerts
      tags:
        - alerting
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/alerting/rule/{id}/_unmute_all</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
  /api/alerting/rule/{id}/_update_api_key:
    post:
      operationId: post-alerting-rule-id-update-api-key
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The identifier for the rule.
          in: path
          name: id
          required: true
          schema:
            type: string
      responses:
        '204':
          description: Indicates a successful call.
        '400':
          description: Indicates an invalid schema or parameters.
        '403':
          description: Indicates that this call is forbidden.
        '404':
          description: Indicates a rule with the given ID does not exist.
        '409':
          description: Indicates that the rule has already been updated by another user.
      summary: Update the API key for a rule
      tags:
        - alerting
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/alerting/rule/{id}/_update_api_key</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
  /api/alerting/rule/{id}/snooze_schedule:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/alerting/rule/{id}/snooze_schedule</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        When you snooze a rule, the rule checks continue to run but alerts will not generate actions. You can snooze for a specified period of time and schedule single or recurring downtimes.
      operationId: post-alerting-rule-id-snooze-schedule
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: Identifier of the rule.
          in: path
          name: id
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            examples:
              snoozeRuleRecurringRequest:
                description: A request that snoozes a rule every Monday for 8 hours, for 4 occurrences.
                summary: Snooze a rule on a recurring weekly schedule
                value:
                  schedule:
                    custom:
                      duration: 8h
                      recurring:
                        every: 1w
                        occurrences: 4
                        onWeekDay:
                          - MO
                      start: '2025-03-17T09:00:00.000Z'
                      timezone: UTC
              snoozeRuleRequest:
                description: A request that snoozes a rule for 24 hours starting now.
                summary: Snooze a rule for 24 hours
                value:
                  schedule:
                    custom:
                      duration: 24h
                      start: '2025-03-12T12:00:00.000Z'
                      timezone: UTC
            schema:
              additionalProperties: false
              type: object
              properties:
                schedule:
                  additionalProperties: false
                  type: object
                  properties:
                    custom:
                      additionalProperties: false
                      type: object
                      properties:
                        duration:
                          description: 'The duration of the schedule. It allows values in `<integer><unit>` format. `<unit>` is one of `d`, `h`, `m`, or `s` for days, hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.'
                          type: string
                        recurring:
                          additionalProperties: false
                          type: object
                          properties:
                            end:
                              description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.'
                              type: string
                            every:
                              description: 'The interval and frequency of a recurring schedule. It allows values in `<integer><unit>` format. `<unit>` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3M`, `1y`.'
                              type: string
                            occurrences:
                              description: The total number of recurrences of the schedule.
                              minimum: 1
                              type: number
                            onMonth:
                              description: The specific months for a recurring schedule. Valid values are 1-12.
                              items:
                                maximum: 12
                                minimum: 1
                                type: number
                              minItems: 1
                              type: array
                            onMonthDay:
                              description: The specific days of the month for a recurring schedule. Valid values are 1-31.
                              items:
                                maximum: 31
                                minimum: 1
                                type: number
                              minItems: 1
                              type: array
                            onWeekDay:
                              description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule.
                              items:
                                type: string
                              minItems: 1
                              type: array
                        start:
                          description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.'
                          type: string
                        timezone:
                          description: The timezone of the schedule. The default timezone is UTC.
                          type: string
                      required:
                        - start
                        - duration
              required:
                - schedule
      responses:
        '200':
          content:
            application/json:
              examples:
                snoozeRuleResponse:
                  description: A response that contains the created snooze schedule.
                  summary: Snooze schedule response
                  value:
                    schedule:
                      custom:
                        duration: 24h
                        start: '2025-03-12T12:00:00.000Z'
                        timezone: UTC
                      id: 9ac67950-6737-11ec-8ded-d7f6e1581b26
              schema:
                additionalProperties: false
                type: object
                properties:
                  body:
                    additionalProperties: false
                    type: object
                    properties:
                      schedule:
                        additionalProperties: false
                        type: object
                        properties:
                          custom:
                            additionalProperties: false
                            type: object
                            properties:
                              duration:
                                description: 'The duration of the schedule. It allows values in `<integer><unit>` format. `<unit>` is one of `d`, `h`, `m`, or `s` for days, hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.'
                                type: string
                              recurring:
                                additionalProperties: false
                                type: object
                                properties:
                                  end:
                                    description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.'
                                    type: string
                                  every:
                                    description: 'The interval and frequency of a recurring schedule. It allows values in `<integer><unit>` format. `<unit>` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3M`, `1y`.'
                                    type: string
                                  occurrences:
                                    description: The total number of recurrences of the schedule.
                                    minimum: 1
                                    type: number
                                  onMonth:
                                    description: The specific months for a recurring schedule. Valid values are 1-12.
                                    items:
                                      maximum: 12
                                      minimum: 1
                                      type: number
                                    minItems: 1
                                    type: array
                                  onMonthDay:
                                    description: The specific days of the month for a recurring schedule. Valid values are 1-31.
                                    items:
                                      maximum: 31
                                      minimum: 1
                                      type: number
                                    minItems: 1
                                    type: array
                                  onWeekDay:
                                    description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule.
                                    items:
                                      type: string
                                    minItems: 1
                                    type: array
                              start:
                                description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.'
                                type: string
                              timezone:
                                description: The timezone of the schedule. The default timezone is UTC.
                                type: string
                            required:
                              - start
                              - duration
                          id:
                            description: Identifier of the snooze schedule.
                            type: string
                        required:
                          - id
                    required:
                      - schedule
                required:
                  - body
          description: Indicates a successful call.
        '400':
          description: Indicates an invalid schema.
        '403':
          description: Indicates that this call is forbidden.
        '404':
          description: Indicates a rule with the given ID does not exist.
      summary: Schedule a snooze for the rule
      tags:
        - alerting
      x-state: Generally available
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/alerting/rule/{rule_id}/alert/{alert_id}/_mute:
    post:
      operationId: post-alerting-rule-rule-id-alert-alert-id-mute
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The identifier for the rule.
          in: path
          name: rule_id
          required: true
          schema:
            type: string
        - description: The identifier for the alert.
          in: path
          name: alert_id
          required: true
          schema:
            type: string
        - description: Whether to validate the existence of the alert.
          in: query
          name: validate_alerts_existence
          required: false
          schema:
            type: boolean
      responses:
        '204':
          description: Indicates a successful call.
        '400':
          description: Indicates an invalid schema or parameters.
        '403':
          description: Indicates that this call is forbidden.
        '404':
          description: Indicates a rule or alert with the given ID does not exist.
      summary: Mute an alert
      tags:
        - alerting
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/alerting/rule/{rule_id}/alert/{alert_id}/_mute</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
  /api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute:
    post:
      operationId: post-alerting-rule-rule-id-alert-alert-id-unmute
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The identifier for the rule.
          in: path
          name: rule_id
          required: true
          schema:
            type: string
        - description: The identifier for the alert.
          in: path
          name: alert_id
          required: true
          schema:
            type: string
      responses:
        '204':
          description: Indicates a successful call.
        '400':
          description: Indicates an invalid schema or parameters.
        '403':
          description: Indicates that this call is forbidden.
        '404':
          description: Indicates a rule or alert with the given ID does not exist.
      summary: Unmute an alert
      tags:
        - alerting
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
  /api/alerting/rule/{ruleId}/snooze_schedule/{scheduleId}:
    delete:
      operationId: delete-alerting-rule-ruleid-snooze-schedule-scheduleid
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The identifier for the rule.
          in: path
          name: ruleId
          required: true
          schema:
            type: string
        - description: The identifier for the snooze schedule.
          in: path
          name: scheduleId
          required: true
          schema:
            type: string
      responses:
        '204':
          description: Indicates a successful call.
        '400':
          description: Indicates an invalid schema.
        '403':
          description: Indicates that this call is forbidden.
        '404':
          description: Indicates a rule with the given ID does not exist.
      summary: Delete a snooze schedule for a rule
      tags:
        - alerting
      x-state: Generally available
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/alerting/rule/{ruleId}/snooze_schedule/{scheduleId}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
  /api/alerting/rules/_find:
    get:
      operationId: get-alerting-rules-find
      parameters:
        - description: The number of rules to return per page.
          in: query
          name: per_page
          required: false
          schema:
            default: 10
            minimum: 0
            type: number
        - description: The page number to return.
          in: query
          name: page
          required: false
          schema:
            default: 1
            minimum: 1
            type: number
        - description: An Elasticsearch simple_query_string query that filters the objects in the response.
          in: query
          name: search
          required: false
          schema:
            type: string
        - description: The default operator to use for the simple_query_string.
          in: query
          name: default_search_operator
          required: false
          schema:
            default: OR
            enum:
              - OR
              - AND
            type: string
        - description: The fields to perform the simple_query_string parsed query against.
          in: query
          name: search_fields
          required: false
          schema:
            items:
              type: string
            type: array
        - description: Determines which field is used to sort the results. The field must exist in the `attributes` key of the response.
          in: query
          name: sort_field
          required: false
          schema:
            type: string
        - description: Determines the sort order.
          in: query
          name: sort_order
          required: false
          schema:
            enum:
              - asc
              - desc
            type: string
        - description: Filters the rules that have a relation with the reference objects with a specific type and identifier.
          in: query
          name: has_reference
          required: false
          schema:
            additionalProperties: false
            nullable: true
            type: object
            properties:
              id:
                type: string
              type:
                type: string
            required:
              - type
              - id
        - description: The fields to return in the `attributes` key of the response.
          in: query
          name: fields
          required: false
          schema:
            items:
              type: string
            type: array
        - description: 'A KQL string that you filter with an attribute from your saved object. It should look like `savedObjectType.attributes.title: "myTitle"`. However, if you used a direct attribute of a saved object, such as `updatedAt`, you must define your filter, for example, `savedObjectType.updatedAt > 2018-12-22`.'
          in: query
          name: filter
          required: false
          schema:
            type: string
        - in: query
          name: filter_consumers
          required: false
          schema:
            items:
              description: List of consumers to filter.
              type: string
            type: array
      responses:
        '200':
          content:
            application/json:
              examples:
                findConditionalActionRulesResponse:
                  description: A response that contains information about an index threshold rule.
                  summary: Index threshold rule
                  value:
                    data:
                      - actions:
                          - frequency:
                              notify_when: onActionGroupChange
                              summary: false
                              throttle: null
                            group: threshold met
                            id: 9dca3e00-74f5-11ed-9801-35303b735aef
                            params:
                              connector_type_id: .server-log
                              level: info
                              message: |-
                                Rule {{rule.name}} is active for group {{context.group}}:

                                - Value: {{context.value}}
                                - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}
                                - Timestamp: {{context.date}}
                            uuid: 1c7a1280-f28c-4e06-96b2-e4e5f05d1d61
                        api_key_created_by_user: false
                        api_key_owner: elastic
                        consumer: alerts
                        created_at: '2022-12-05T23:40:33.132Z'
                        created_by: elastic
                        enabled: true
                        execution_status:
                          last_duration: 48
                          last_execution_date: '2022-12-06T01:44:23.983Z'
                          status: ok
                        id: 3583a470-74f6-11ed-9801-35303b735aef
                        last_run:
                          alerts_count:
                            active: 0
                            ignored: 0
                            new: 0
                            recovered: 0
                          outcome: succeeded
                          outcome_msg: null
                          warning: null
                        mute_all: false
                        muted_alert_ids: []
                        name: my alert
                        next_run: '2022-12-06T01:45:23.912Z'
                        params:
                          aggField: sheet.version
                          aggType: avg
                          groupBy: top
                          index:
                            - test-index
                          termField: name.keyword
                          termSize: 6
                          threshold:
                            - 1000
                          thresholdComparator: '>'
                          timeField: '@timestamp'
                          timeWindowSize: 5
                          timeWindowUnit: m
                        revision: 1
                        rule_type_id: .index-threshold
                        schedule:
                          interval: 1m
                        scheduled_task_id: 3583a470-74f6-11ed-9801-35303b735aef
                        tags:
                          - cpu
                        throttle: null
                        updated_at: '2022-12-05T23:40:33.132Z'
                        updated_by: elastic
                    page: 1
                    per_page: 10
                    total: 1
                findRulesResponse:
                  description: A response that contains information about a security rule that has conditional actions.
                  summary: Security rule
                  value:
                    data:
                      - actions:
                          - alerts_filter:
                              query:
                                filters:
                                  - $state:
                                      store: appState
                                    meta:
                                      alias: null
                                      disabled: false
                                      field: client.geo.region_iso_code
                                      index: c4bdca79-e69e-4d80-82a1-e5192c621bea
                                      key: client.geo.region_iso_code
                                      negate: false
                                      params:
                                        query: CA-QC
                                        type: phrase
                                    query:
                                      match_phrase:
                                        client.geo.region_iso_code: CA-QC
                                kql: ''
                              timeframe:
                                days:
                                  - 7
                                hours:
                                  end: '17:00'
                                  start: '08:00'
                                timezone: UTC
                            connector_type_id: .index
                            frequency:
                              notify_when: onActiveAlert
                              summary: true
                              throttle: null
                            group: default
                            id: 49eae970-f401-11ed-9f8e-399c75a2deeb
                            params:
                              documents:
                                - alert_id:
                                    '[object Object]': null
                                  context_message:
                                    '[object Object]': null
                                  rule_id:
                                    '[object Object]': null
                                  rule_name:
                                    '[object Object]': null
                            uuid: 1c7a1280-f28c-4e06-96b2-e4e5f05d1d61
                        api_key_created_by_user: false
                        api_key_owner: elastic
                        consumer: siem
                        created_at: '2023-05-16T15:50:28.358Z'
                        created_by: elastic
                        enabled: true
                        execution_status:
                          last_duration: 166
                          last_execution_date: '2023-05-16T20:26:49.590Z'
                          status: ok
                        id: 6107a8f0-f401-11ed-9f8e-399c75a2deeb
                        last_run:
                          alerts_count:
                            active: 0
                            ignored: 0
                            new: 0
                            recovered: 0
                          outcome: succeeded
                          outcome_msg:
                            - Rule execution completed successfully
                          outcome_order: 0
                          warning: null
                        mute_all: false
                        muted_alert_ids: []
                        name: security_rule
                        next_run: '2023-05-16T20:27:49.507Z'
                        notify_when: null
                        params:
                          author: []
                          description: A security threshold rule.
                          exceptionsList: []
                          falsePositives: []
                          filters: []
                          from: now-3660s
                          immutable: false
                          index:
                            - kibana_sample_data_logs
                          language: kuery
                          license: ''
                          maxSignals: 100
                          meta:
                            from: 1h
                            kibana_siem_app_url: https://localhost:5601/app/security
                          outputIndex: ''
                          query: '*'
                          references: []
                          riskScore: 21
                          riskScoreMapping: []
                          ruleId: an_internal_rule_id
                          severity: low
                          severityMapping: []
                          threat: []
                          threshold:
                            cardinality: []
                            field:
                              - bytes
                            value: 1
                          to: now
                          type: threshold
                          version: 1
                        revision: 1
                        rule_type_id: siem.thresholdRule
                        running: false
                        schedule:
                          interval: 1m
                        scheduled_task_id: 6107a8f0-f401-11ed-9f8e-399c75a2deeb
                        tags: []
                        throttle: null
                        updated_at: '2023-05-16T20:25:42.559Z'
                        updated_by: elastic
                    page: 1
                    per_page: 10
                    total: 1
              schema:
                additionalProperties: false
                type: object
                properties:
                  actions:
                    items:
                      additionalProperties: false
                      type: object
                      properties:
                        alerts_filter:
                          additionalProperties: false
                          description: Defines a period that limits whether the action runs.
                          type: object
                          properties:
                            query:
                              additionalProperties: false
                              type: object
                              properties:
                                dsl:
                                  description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
                                  type: string
                                filters:
                                  description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
                                  items:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      $state:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          store:
                                            description: A filter can be either specific to an application context or applied globally.
                                            enum:
                                              - appState
                                              - globalState
                                            type: string
                                        required:
                                          - store
                                      meta:
                                        additionalProperties:
                                          description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value".
                                          nullable: true
                                        type: object
                                      query:
                                        additionalProperties:
                                          description: A query for the filter.
                                          nullable: true
                                        type: object
                                    required:
                                      - meta
                                  type: array
                                kql:
                                  description: A filter written in Kibana Query Language (KQL).
                                  type: string
                              required:
                                - kql
                                - filters
                            timeframe:
                              additionalProperties: false
                              type: object
                              properties:
                                days:
                                  description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
                                  items:
                                    enum:
                                      - 1
                                      - 2
                                      - 3
                                      - 4
                                      - 5
                                      - 6
                                      - 7
                                    type: integer
                                  type: array
                                hours:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    end:
                                      description: The end of the time frame in 24-hour notation (`hh:mm`).
                                      type: string
                                    start:
                                      description: The start of the time frame in 24-hour notation (`hh:mm`).
                                      type: string
                                  required:
                                    - start
                                    - end
                                timezone:
                                  description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight saving time support and are not recommended.
                                  type: string
                              required:
                                - days
                                - hours
                                - timezone
                        connector_type_id:
                          description: The type of connector. This property appears in responses but cannot be set in requests.
                          type: string
                        frequency:
                          additionalProperties: false
                          type: object
                          properties:
                            notify_when:
                              description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                              enum:
                                - onActionGroupChange
                                - onActiveAlert
                                - onThrottleInterval
                              type: string
                            summary:
                              description: Indicates whether the action is a summary.
                              type: boolean
                            throttle:
                              description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if ''notify_when'' is set to ''onThrottleInterval''. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                              nullable: true
                              type: string
                          required:
                            - summary
                            - notify_when
                            - throttle
                        group:
                          description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
                          type: string
                        id:
                          description: The identifier for the connector saved object.
                          type: string
                        params:
                          additionalProperties:
                            nullable: true
                          description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
                          type: object
                        use_alert_data_for_template:
                          description: Indicates whether to use alert data as a template.
                          type: boolean
                        uuid:
                          description: A universally unique identifier (UUID) for the action.
                          type: string
                      required:
                        - id
                        - connector_type_id
                        - params
                    type: array
                  active_snoozes:
                    items:
                      description: List of active snoozes for the rule.
                      type: string
                    type: array
                  alert_delay:
                    additionalProperties: false
                    description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
                    type: object
                    properties:
                      active:
                        description: The number of consecutive runs that must meet the rule conditions.
                        type: number
                    required:
                      - active
                  api_key_created_by_user:
                    description: Indicates whether the API key that is associated with the rule was created by the user.
                    nullable: true
                    type: boolean
                  api_key_owner:
                    description: The owner of the API key that is associated with the rule and used to run background tasks.
                    nullable: true
                    type: string
                  artifacts:
                    additionalProperties: false
                    type: object
                    properties:
                      dashboards:
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            id:
                              type: string
                          required:
                            - id
                        type: array
                      investigation_guide:
                        additionalProperties: false
                        type: object
                        properties:
                          blob:
                            description: User-created content that describes alert causes and remediation.
                            type: string
                        required:
                          - blob
                  consumer:
                    description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
                    type: string
                  created_at:
                    description: The date and time that the rule was created.
                    type: string
                  created_by:
                    description: The identifier for the user that created the rule.
                    nullable: true
                    type: string
                  enabled:
                    description: Indicates whether you want to run the rule on an interval basis after it is created.
                    type: boolean
                  execution_status:
                    additionalProperties: false
                    type: object
                    properties:
                      error:
                        additionalProperties: false
                        type: object
                        properties:
                          message:
                            description: Error message.
                            type: string
                          reason:
                            description: Reason for error.
                            enum:
                              - read
                              - decrypt
                              - execute
                              - unknown
                              - license
                              - timeout
                              - disabled
                              - validate
                            type: string
                        required:
                          - reason
                          - message
                      last_duration:
                        description: Duration of last execution of the rule.
                        type: number
                      last_execution_date:
                        description: The date and time when the rule was last executed.
                        type: string
                      status:
                        description: Status of rule execution.
                        enum:
                          - ok
                          - active
                          - error
                          - warning
                          - pending
                          - unknown
                        type: string
                      warning:
                        additionalProperties: false
                        type: object
                        properties:
                          message:
                            description: Warning message.
                            type: string
                          reason:
                            description: Reason for warning.
                            enum:
                              - maxExecutableActions
                              - maxAlerts
                              - maxQueuedActions
                              - ruleExecution
                            type: string
                        required:
                          - reason
                          - message
                    required:
                      - status
                      - last_execution_date
                  flapping:
                    additionalProperties: false
                    description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
                    nullable: true
                    type: object
                    properties:
                      enabled:
                        description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
                        type: boolean
                      look_back_window:
                        description: The minimum number of runs in which the threshold must be met.
                        maximum: 20
                        minimum: 2
                        type: number
                      status_change_threshold:
                        description: The minimum number of times an alert must switch states in the look back window.
                        maximum: 20
                        minimum: 2
                        type: number
                    required:
                      - look_back_window
                      - status_change_threshold
                  id:
                    description: The identifier for the rule.
                    type: string
                  is_snoozed_until:
                    description: The date when the rule will no longer be snoozed.
                    nullable: true
                    type: string
                  last_run:
                    additionalProperties: false
                    nullable: true
                    type: object
                    properties:
                      alerts_count:
                        additionalProperties: false
                        type: object
                        properties:
                          active:
                            description: Number of active alerts during last run.
                            nullable: true
                            type: number
                          ignored:
                            description: Number of ignored alerts during last run.
                            nullable: true
                            type: number
                          new:
                            description: Number of new alerts during last run.
                            nullable: true
                            type: number
                          recovered:
                            description: Number of recovered alerts during last run.
                            nullable: true
                            type: number
                      outcome:
                        description: Outcome of last run of the rule. Value could be succeeded, warning or failed.
                        enum:
                          - succeeded
                          - warning
                          - failed
                        type: string
                      outcome_msg:
                        items:
                          description: Outcome message generated during last rule run.
                          type: string
                        nullable: true
                        type: array
                      outcome_order:
                        description: Order of the outcome.
                        type: number
                      warning:
                        description: Warning of last rule execution.
                        enum:
                          - read
                          - decrypt
                          - execute
                          - unknown
                          - license
                          - timeout
                          - disabled
                          - validate
                          - maxExecutableActions
                          - maxAlerts
                          - maxQueuedActions
                          - ruleExecution
                        nullable: true
                        type: string
                    required:
                      - outcome
                      - alerts_count
                  mapped_params:
                    additionalProperties:
                      nullable: true
                    type: object
                  monitoring:
                    additionalProperties: false
                    description: Monitoring details of the rule.
                    type: object
                    properties:
                      run:
                        additionalProperties: false
                        description: Rule run details.
                        type: object
                        properties:
                          calculated_metrics:
                            additionalProperties: false
                            description: Calculation of different percentiles and success ratio.
                            type: object
                            properties:
                              p50:
                                type: number
                              p95:
                                type: number
                              p99:
                                type: number
                              success_ratio:
                                type: number
                            required:
                              - success_ratio
                          history:
                            description: History of the rule run.
                            items:
                              additionalProperties: false
                              type: object
                              properties:
                                duration:
                                  description: Duration of the rule run.
                                  type: number
                                outcome:
                                  description: Outcome of last run of the rule. Value could be succeeded, warning or failed.
                                  enum:
                                    - succeeded
                                    - warning
                                    - failed
                                  type: string
                                success:
                                  description: Indicates whether the rule run was successful.
                                  type: boolean
                                timestamp:
                                  description: Time of rule run.
                                  type: number
                              required:
                                - success
                                - timestamp
                            type: array
                          last_run:
                            additionalProperties: false
                            type: object
                            properties:
                              metrics:
                                additionalProperties: false
                                type: object
                                properties:
                                  duration:
                                    description: Duration of most recent rule run.
                                    type: number
                                  gap_duration_s:
                                    description: Duration in seconds of rule run gap.
                                    nullable: true
                                    type: number
                                  gap_range:
                                    additionalProperties: false
                                    nullable: true
                                    type: object
                                    properties:
                                      gte:
                                        description: End of the gap range.
                                        type: string
                                      lte:
                                        description: Start of the gap range.
                                        type: string
                                    required:
                                      - lte
                                      - gte
                                  total_alerts_created:
                                    description: Total number of alerts created during last rule run.
                                    nullable: true
                                    type: number
                                  total_alerts_detected:
                                    description: Total number of alerts detected during last rule run.
                                    nullable: true
                                    type: number
                                  total_indexing_duration_ms:
                                    description: Total time spent indexing documents during last rule run in milliseconds.
                                    nullable: true
                                    type: number
                                  total_search_duration_ms:
                                    description: Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.
                                    nullable: true
                                    type: number
                              timestamp:
                                description: Time of the most recent rule run.
                                type: string
                            required:
                              - timestamp
                              - metrics
                        required:
                          - history
                          - calculated_metrics
                          - last_run
                    required:
                      - run
                  mute_all:
                    description: Indicates whether all alerts are muted.
                    type: boolean
                  muted_alert_ids:
                    items:
                      description: List of identifiers of muted alerts.
                      type: string
                    type: array
                  name:
                    description: The name of the rule.
                    type: string
                  next_run:
                    description: Date and time of the next run of the rule.
                    nullable: true
                    type: string
                  notify_when:
                    description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    enum:
                      - onActionGroupChange
                      - onActiveAlert
                      - onThrottleInterval
                    nullable: true
                    type: string
                  params:
                    additionalProperties:
                      nullable: true
                    description: The parameters for the rule.
                    type: object
                  revision:
                    description: The rule revision number.
                    type: number
                  rule_type_id:
                    description: The rule type identifier.
                    type: string
                  running:
                    description: Indicates whether the rule is running.
                    nullable: true
                    type: boolean
                  schedule:
                    additionalProperties: false
                    type: object
                    properties:
                      interval:
                        description: The interval is specified in seconds, minutes, hours, or days.
                        type: string
                    required:
                      - interval
                  scheduled_task_id:
                    description: Identifier of the scheduled task.
                    type: string
                  snooze_schedule:
                    items:
                      additionalProperties: false
                      type: object
                      properties:
                        duration:
                          description: Duration of the rule snooze schedule.
                          type: number
                        id:
                          description: Identifier of the rule snooze schedule.
                          type: string
                        rRule:
                          additionalProperties: false
                          type: object
                          properties:
                            byhour:
                              items:
                                description: Indicates hours of the day to recur.
                                type: number
                              nullable: true
                              type: array
                            byminute:
                              items:
                                description: Indicates minutes of the hour to recur.
                                type: number
                              nullable: true
                              type: array
                            bymonth:
                              items:
                                description: Indicates months of the year that this rule should recur.
                                type: number
                              nullable: true
                              type: array
                            bymonthday:
                              items:
                                description: Indicates the days of the month to recur.
                                type: number
                              nullable: true
                              type: array
                            bysecond:
                              items:
                                description: Indicates seconds of the day to recur.
                                type: number
                              nullable: true
                              type: array
                            bysetpos:
                              items:
                                description: A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`.
                                type: number
                              nullable: true
                              type: array
                            byweekday:
                              items:
                                anyOf:
                                  - type: string
                                  - type: number
                                description: Indicates the days of the week to recur, or else nth-day-of-month strings. For example, "+2TU" is the second Tuesday of the month and "-1FR" is the last Friday of the month; these are internally converted to a `byweekday/bysetpos` combination.
                              nullable: true
                              type: array
                            byweekno:
                              items:
                                description: Indicates the week numbers to recur.
                                type: number
                              nullable: true
                              type: array
                            byyearday:
                              items:
                                description: Indicates the days of the year that this rule should recur.
                                type: number
                              nullable: true
                              type: array
                            count:
                              description: Number of times the rule should recur until it stops.
                              type: number
                            dtstart:
                              description: Rule start date in Coordinated Universal Time (UTC).
                              type: string
                            freq:
                              description: Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY.
                              enum:
                                - 0
                                - 1
                                - 2
                                - 3
                                - 4
                                - 5
                                - 6
                              type: integer
                            interval:
                              description: Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.
                              type: number
                            tzid:
                              description: Indicates timezone abbreviation.
                              type: string
                            until:
                              description: Recur the rule until this date.
                              type: string
                            wkst:
                              description: Indicates the start of week, defaults to Monday.
                              enum:
                                - MO
                                - TU
                                - WE
                                - TH
                                - FR
                                - SA
                                - SU
                              type: string
                          required:
                            - dtstart
                            - tzid
                        skipRecurrences:
                          items:
                            description: Skips recurrence of rule on this date.
                            type: string
                          type: array
                      required:
                        - duration
                        - rRule
                    type: array
                  tags:
                    items:
                      description: The tags for the rule.
                      type: string
                    type: array
                  throttle:
                    deprecated: true
                    description: 'Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    nullable: true
                    type: string
                  updated_at:
                    description: The date and time that the rule was updated most recently.
                    type: string
                  updated_by:
                    description: The identifier for the user that updated this rule most recently.
                    nullable: true
                    type: string
                  view_in_app_relative_url:
                    description: Relative URL to view the rule in the app.
                    nullable: true
                    type: string
                required:
                  - id
                  - enabled
                  - name
                  - tags
                  - rule_type_id
                  - consumer
                  - schedule
                  - actions
                  - params
                  - created_by
                  - updated_by
                  - created_at
                  - updated_at
                  - api_key_owner
                  - mute_all
                  - muted_alert_ids
                  - execution_status
                  - revision
          description: Indicates a successful call.
        '400':
          description: Indicates an invalid schema or parameters.
        '403':
          description: Indicates that this call is forbidden.
      summary: Get information about rules
      tags:
        - alerting
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/alerting/rules/_find</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
  /api/alerting/rules/backfill/_find:
    post:
      operationId: post-alerting-rules-backfill-find
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The end date for filtering backfills.
          in: query
          name: end
          required: false
          schema:
            type: string
        - description: The page number to return.
          in: query
          name: page
          required: false
          schema:
            default: 1
            minimum: 1
            type: number
        - description: The number of backfills to return per page.
          in: query
          name: per_page
          required: false
          schema:
            default: 10
            minimum: 0
            type: number
        - description: A comma-separated list of rule identifiers.
          in: query
          name: rule_ids
          required: false
          schema:
            type: string
        - description: The initiator of the backfill, either `user` for manual backfills or `system` for automatic gap fills.
          in: query
          name: initiator
          required: false
          schema:
            enum:
              - user
              - system
            type: string
        - description: The start date for filtering backfills.
          in: query
          name: start
          required: false
          schema:
            type: string
        - description: The field to sort backfills by.
          in: query
          name: sort_field
          required: false
          schema:
            enum:
              - createdAt
              - start
            type: string
        - description: The sort order.
          in: query
          name: sort_order
          required: false
          schema:
            enum:
              - asc
              - desc
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                findBackfillResponse:
                  summary: Find backfills response
                  value:
                    data:
                      - created_at: '2024-01-30T00:00:00.000Z'
                        duration: 12h
                        enabled: true
                        id: 85bdf571-f4fb-4666-a8d2-e05e1220ebc6
                        initiator: user
                        rule:
                          api_key_owner: elastic
                          consumer: alerts
                          created_at: '2022-12-05T23:40:33.132Z'
                          created_by: elastic
                          enabled: true
                          id: 3583a470-74f6-11ed-9801-35303b735aef
                          name: my alert
                          params:
                            aggField: sheet.version
                            aggType: avg
                            groupBy: top
                            index:
                              - test-index
                            termField: name.keyword
                            termSize: 6
                            threshold:
                              - 1000
                            thresholdComparator: '>'
                            timeField: '@timestamp'
                            timeWindowSize: 5
                            timeWindowUnit: m
                          revision: 0
                          rule_type_id: .index-threshold
                          schedule:
                            interval: 1m
                          tags:
                            - cpu
                          updated_at: '2022-12-05T23:40:33.132Z'
                          updated_by: elastic
                        schedule:
                          - interval: 12h
                            run_at: '2024-01-01T12:00:00.000Z'
                            status: pending
                          - interval: 12h
                            run_at: '2024-01-02T00:00:00.000Z'
                            status: pending
                        space_id: default
                        start: '2024-01-01T00:00:00.000Z'
                        status: pending
                    page: 1
                    per_page: 10
                    total: 1
              schema:
                additionalProperties: false
                type: object
                properties:
                  data:
                    items:
                      additionalProperties: false
                      type: object
                      properties:
                        created_at:
                          type: string
                        duration:
                          type: string
                        enabled:
                          type: boolean
                        end:
                          type: string
                        id:
                          type: string
                        initiator:
                          enum:
                            - user
                            - system
                          type: string
                        initiator_id:
                          type: string
                        rule:
                          additionalProperties: false
                          type: object
                          properties:
                            api_key_created_by_user:
                              nullable: true
                              type: boolean
                            api_key_owner:
                              nullable: true
                              type: string
                            consumer:
                              type: string
                            created_at:
                              type: string
                            created_by:
                              nullable: true
                              type: string
                            enabled:
                              type: boolean
                            id:
                              type: string
                            name:
                              type: string
                            params:
                              additionalProperties:
                                nullable: true
                              description: The parameters for the rule.
                              type: object
                            revision:
                              type: number
                            rule_type_id:
                              type: string
                            schedule:
                              additionalProperties: false
                              type: object
                              properties:
                                interval:
                                  type: string
                              required:
                                - interval
                            tags:
                              items:
                                type: string
                              type: array
                            updated_at:
                              type: string
                            updated_by:
                              nullable: true
                              type: string
                          required:
                            - id
                            - name
                            - tags
                            - rule_type_id
                            - params
                            - api_key_owner
                            - consumer
                            - enabled
                            - schedule
                            - created_by
                            - updated_by
                            - created_at
                            - updated_at
                            - revision
                        schedule:
                          items:
                            additionalProperties: false
                            type: object
                            properties:
                              interval:
                                type: string
                              run_at:
                                type: string
                              status:
                                enum:
                                  - complete
                                  - pending
                                  - running
                                  - error
                                  - timeout
                                type: string
                            required:
                              - run_at
                              - status
                              - interval
                          type: array
                        space_id:
                          type: string
                        start:
                          type: string
                        status:
                          enum:
                            - complete
                            - pending
                            - running
                            - error
                            - timeout
                          type: string
                      required:
                        - id
                        - created_at
                        - duration
                        - enabled
                        - rule
                        - space_id
                        - initiator
                        - start
                        - status
                        - schedule
                    type: array
                  page:
                    type: number
                  per_page:
                    type: number
                  total:
                    type: number
                required:
                  - page
                  - per_page
                  - total
                  - data
          description: Indicates a successful call.
        '400':
          description: Indicates an invalid schema or parameters.
        '403':
          description: Indicates that this call is forbidden.
      summary: Find backfills for rules
      tags:
        - alerting
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/alerting/rules/backfill/_find</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
  /api/alerting/rules/backfill/_schedule:
    post:
      operationId: post-alerting-rules-backfill-schedule
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            examples:
              scheduleBackfillRequest:
                summary: Schedule a backfill for an index threshold rule
                value:
                  - ranges:
                      - end: '2024-01-02T00:00:00.000Z'
                        start: '2024-01-01T00:00:00.000Z'
                    rule_id: 3583a470-74f6-11ed-9801-35303b735aef
            schema:
              items:
                additionalProperties: false
                type: object
                properties:
                  ranges:
                    items:
                      additionalProperties: false
                      type: object
                      properties:
                        end:
                          type: string
                        start:
                          type: string
                      required:
                        - start
                        - end
                    type: array
                  rule_id:
                    type: string
                  run_actions:
                    type: boolean
                required:
                  - rule_id
                  - ranges
              maxItems: 100
              minItems: 1
              type: array
      responses:
        '200':
          content:
            application/json:
              examples:
                scheduleBackfillResponse:
                  summary: Schedule backfill response
                  value:
                    - created_at: '2024-01-30T00:00:00.000Z'
                      duration: 12h
                      enabled: true
                      id: 85bdf571-f4fb-4666-a8d2-e05e1220ebc6
                      initiator: user
                      rule:
                        api_key_owner: elastic
                        consumer: alerts
                        created_at: '2022-12-05T23:40:33.132Z'
                        created_by: elastic
                        enabled: true
                        id: 3583a470-74f6-11ed-9801-35303b735aef
                        name: my alert
                        params:
                          aggField: sheet.version
                          aggType: avg
                          groupBy: top
                          index:
                            - test-index
                          termField: name.keyword
                          termSize: 6
                          threshold:
                            - 1000
                          thresholdComparator: '>'
                          timeField: '@timestamp'
                          timeWindowSize: 5
                          timeWindowUnit: m
                        revision: 0
                        rule_type_id: .index-threshold
                        schedule:
                          interval: 1m
                        tags:
                          - cpu
                        updated_at: '2022-12-05T23:40:33.132Z'
                        updated_by: elastic
                      schedule:
                        - interval: 12h
                          run_at: '2024-01-01T12:00:00.000Z'
                          status: pending
                        - interval: 12h
                          run_at: '2024-01-02T00:00:00.000Z'
                          status: pending
                      space_id: default
                      start: '2024-01-01T00:00:00.000Z'
                      status: pending
              schema:
                items:
                  anyOf:
                    - additionalProperties: false
                      type: object
                      properties:
                        created_at:
                          type: string
                        duration:
                          type: string
                        enabled:
                          type: boolean
                        end:
                          type: string
                        id:
                          type: string
                        initiator:
                          enum:
                            - user
                            - system
                          type: string
                        initiator_id:
                          type: string
                        rule:
                          additionalProperties: false
                          type: object
                          properties:
                            api_key_created_by_user:
                              nullable: true
                              type: boolean
                            api_key_owner:
                              nullable: true
                              type: string
                            consumer:
                              type: string
                            created_at:
                              type: string
                            created_by:
                              nullable: true
                              type: string
                            enabled:
                              type: boolean
                            id:
                              type: string
                            name:
                              type: string
                            params:
                              additionalProperties:
                                nullable: true
                              description: The parameters for the rule.
                              type: object
                            revision:
                              type: number
                            rule_type_id:
                              type: string
                            schedule:
                              additionalProperties: false
                              type: object
                              properties:
                                interval:
                                  type: string
                              required:
                                - interval
                            tags:
                              items:
                                type: string
                              type: array
                            updated_at:
                              type: string
                            updated_by:
                              nullable: true
                              type: string
                          required:
                            - id
                            - name
                            - tags
                            - rule_type_id
                            - params
                            - api_key_owner
                            - consumer
                            - enabled
                            - schedule
                            - created_by
                            - updated_by
                            - created_at
                            - updated_at
                            - revision
                        schedule:
                          items:
                            additionalProperties: false
                            type: object
                            properties:
                              interval:
                                type: string
                              run_at:
                                type: string
                              status:
                                enum:
                                  - complete
                                  - pending
                                  - running
                                  - error
                                  - timeout
                                type: string
                            required:
                              - run_at
                              - status
                              - interval
                          type: array
                        space_id:
                          type: string
                        start:
                          type: string
                        status:
                          enum:
                            - complete
                            - pending
                            - running
                            - error
                            - timeout
                          type: string
                      required:
                        - id
                        - created_at
                        - duration
                        - enabled
                        - rule
                        - space_id
                        - initiator
                        - start
                        - status
                        - schedule
                    - additionalProperties: false
                      type: object
                      properties:
                        error:
                          additionalProperties: false
                          type: object
                          properties:
                            message:
                              type: string
                            rule:
                              additionalProperties: false
                              type: object
                              properties:
                                id:
                                  type: string
                                name:
                                  type: string
                              required:
                                - id
                            status:
                              type: number
                          required:
                            - message
                            - rule
                      required:
                        - error
                type: array
          description: Indicates a successful call.
        '400':
          description: Indicates an invalid schema or parameters.
        '403':
          description: Indicates that this call is forbidden.
        '404':
          description: Indicates a rule with the given ID does not exist.
      summary: Schedule a backfill for rules
      tags:
        - alerting
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/alerting/rules/backfill/_schedule</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
  /api/alerting/rules/backfill/{id}:
    delete:
      operationId: delete-alerting-rules-backfill-id
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The identifier for the backfill.
          in: path
          name: id
          required: true
          schema:
            type: string
      responses:
        '204':
          description: Indicates a successful call.
        '400':
          description: Indicates an invalid schema or parameters.
        '403':
          description: Indicates that this call is forbidden.
        '404':
          description: Indicates a backfill with the given ID does not exist.
      summary: Delete a backfill by ID
      tags:
        - alerting
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/alerting/rules/backfill/{id}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
    get:
      operationId: get-alerting-rules-backfill-id
      parameters:
        - description: The identifier for the backfill.
          in: path
          name: id
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                getBackfillResponse:
                  summary: Get a backfill for an index threshold rule
                  value:
                    created_at: '2024-01-30T00:00:00.000Z'
                    duration: 12h
                    enabled: true
                    id: 85bdf571-f4fb-4666-a8d2-e05e1220ebc6
                    initiator: user
                    rule:
                      api_key_owner: elastic
                      consumer: alerts
                      created_at: '2022-12-05T23:40:33.132Z'
                      created_by: elastic
                      enabled: true
                      id: 3583a470-74f6-11ed-9801-35303b735aef
                      name: my alert
                      params:
                        aggField: sheet.version
                        aggType: avg
                        groupBy: top
                        index:
                          - test-index
                        termField: name.keyword
                        termSize: 6
                        threshold:
                          - 1000
                        thresholdComparator: '>'
                        timeField: '@timestamp'
                        timeWindowSize: 5
                        timeWindowUnit: m
                      revision: 0
                      rule_type_id: .index-threshold
                      schedule:
                        interval: 1m
                      tags:
                        - cpu
                      updated_at: '2022-12-05T23:40:33.132Z'
                      updated_by: elastic
                    schedule:
                      - interval: 12h
                        run_at: '2024-01-01T12:00:00.000Z'
                        status: pending
                      - interval: 12h
                        run_at: '2024-01-02T00:00:00.000Z'
                        status: pending
                    space_id: default
                    start: '2024-01-01T00:00:00.000Z'
                    status: pending
              schema:
                additionalProperties: false
                type: object
                properties:
                  created_at:
                    type: string
                  duration:
                    type: string
                  enabled:
                    type: boolean
                  end:
                    type: string
                  id:
                    type: string
                  initiator:
                    enum:
                      - user
                      - system
                    type: string
                  initiator_id:
                    type: string
                  rule:
                    additionalProperties: false
                    type: object
                    properties:
                      api_key_created_by_user:
                        nullable: true
                        type: boolean
                      api_key_owner:
                        nullable: true
                        type: string
                      consumer:
                        type: string
                      created_at:
                        type: string
                      created_by:
                        nullable: true
                        type: string
                      enabled:
                        type: boolean
                      id:
                        type: string
                      name:
                        type: string
                      params:
                        additionalProperties:
                          nullable: true
                        description: The parameters for the rule.
                        type: object
                      revision:
                        type: number
                      rule_type_id:
                        type: string
                      schedule:
                        additionalProperties: false
                        type: object
                        properties:
                          interval:
                            type: string
                        required:
                          - interval
                      tags:
                        items:
                          type: string
                        type: array
                      updated_at:
                        type: string
                      updated_by:
                        nullable: true
                        type: string
                    required:
                      - id
                      - name
                      - tags
                      - rule_type_id
                      - params
                      - api_key_owner
                      - consumer
                      - enabled
                      - schedule
                      - created_by
                      - updated_by
                      - created_at
                      - updated_at
                      - revision
                  schedule:
                    items:
                      additionalProperties: false
                      type: object
                      properties:
                        interval:
                          type: string
                        run_at:
                          type: string
                        status:
                          enum:
                            - complete
                            - pending
                            - running
                            - error
                            - timeout
                          type: string
                      required:
                        - run_at
                        - status
                        - interval
                    type: array
                  space_id:
                    type: string
                  start:
                    type: string
                  status:
                    enum:
                      - complete
                      - pending
                      - running
                      - error
                      - timeout
                    type: string
                required:
                  - id
                  - created_at
                  - duration
                  - enabled
                  - rule
                  - space_id
                  - initiator
                  - start
                  - status
                  - schedule
          description: Indicates a successful call.
        '400':
          description: Indicates an invalid schema or parameters.
        '403':
          description: Indicates that this call is forbidden.
        '404':
          description: Indicates a backfill with the given ID does not exist.
      summary: Get a backfill by ID
      tags:
        - alerting
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/alerting/rules/backfill/{id}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
  /api/apm/agent_keys:
    post:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/apm/agent_keys</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Create a new agent key for APM.
        The user creating an APM agent API key must have at least the `manage_own_api_key` cluster privilege and the APM application-level privileges that it wishes to grant.
        After it is created, you can copy the API key (Base64 encoded) and use it to authorize requests from APM agents to the APM Server.
      operationId: createAgentKey
      parameters:
        - $ref: '#/components/parameters/APM_UI_elastic_api_version'
        - $ref: '#/components/parameters/APM_UI_kbn_xsrf'
      requestBody:
        content:
          application/json:
            examples:
              createAgentKeyRequest1:
                $ref: '#/components/examples/APM_UI_agent_keys_object_post_request1'
            schema:
              $ref: '#/components/schemas/APM_UI_agent_keys_object'
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                createAgentKeyResponse1:
                  $ref: '#/components/examples/APM_UI_agent_keys_object_post_200_response1'
              schema:
                $ref: '#/components/schemas/APM_UI_agent_keys_response'
          description: Agent key created successfully
        '400':
          content:
            application/json:
              examples:
                badRequestResponse:
                  $ref: '#/components/examples/APM_UI_error_400_response'
              schema:
                $ref: '#/components/schemas/APM_UI_400_response'
          description: Bad Request response
        '401':
          content:
            application/json:
              examples:
                unauthorizedResponse:
                  $ref: '#/components/examples/APM_UI_error_401_response'
              schema:
                $ref: '#/components/schemas/APM_UI_401_response'
          description: Unauthorized response
        '403':
          content:
            application/json:
              examples:
                forbiddenResponse:
                  $ref: '#/components/examples/APM_UI_error_403_response'
              schema:
                $ref: '#/components/schemas/APM_UI_403_response'
          description: Forbidden response
        '500':
          content:
            application/json:
              examples:
                internalServerErrorResponse:
                  $ref: '#/components/examples/APM_UI_error_500_response'
              schema:
                $ref: '#/components/schemas/APM_UI_500_response'
          description: Internal Server Error response
      summary: Create an APM agent key
      tags:
        - APM agent keys
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/apm/fleet/apm_server_schema:
    post:
      deprecated: true
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/apm/fleet/apm_server_schema</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        DEPRECATED: This endpoint is intended for internal use by Fleet integrations to push the APM Server configuration schema. Do not use for new integrations. It stores the provided schema object as a Kibana saved object. If Fleet migration is not available on the current deployment, the API returns a 404.
      operationId: saveApmServerSchema
      parameters:
        - $ref: '#/components/parameters/APM_UI_elastic_api_version'
        - $ref: '#/components/parameters/APM_UI_kbn_xsrf'
      requestBody:
        content:
          application/json:
            examples:
              saveApmServerSchemaRequest:
                description: An example request payload for `POST /api/apm/fleet/apm_server_schema`.
                value:
                  schema:
                    foo: bar
            schema:
              type: object
              properties:
                schema:
                  additionalProperties: true
                  description: Schema object
                  example:
                    foo: bar
                  type: object
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                saveApmServerSchemaResponseExample1:
                  $ref: '#/components/examples/APM_UI_fleet_apm_server_schema_200_response1'
              schema:
                additionalProperties: false
                description: The response body is intentionally empty for this endpoint.
                type: object
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                badRequestResponse:
                  $ref: '#/components/examples/APM_UI_error_400_response'
              schema:
                $ref: '#/components/schemas/APM_UI_400_response'
          description: Bad Request response
        '401':
          content:
            application/json:
              examples:
                unauthorizedResponse:
                  $ref: '#/components/examples/APM_UI_error_401_response'
              schema:
                $ref: '#/components/schemas/APM_UI_401_response'
          description: Unauthorized response
        '403':
          content:
            application/json:
              examples:
                forbiddenResponse:
                  $ref: '#/components/examples/APM_UI_error_403_response'
              schema:
                $ref: '#/components/schemas/APM_UI_403_response'
          description: Forbidden response
        '404':
          content:
            application/json:
              examples:
                notFoundResponse:
                  $ref: '#/components/examples/APM_UI_error_404_response'
              schema:
                $ref: '#/components/schemas/APM_UI_404_response'
          description: Not found response
      summary: Save APM server schema
      tags:
        - APM server schema
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/apm/services/{serviceName}/annotation:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/apm/services/{serviceName}/annotation</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Create a new annotation for a specific service.
      operationId: createAnnotation
      parameters:
        - $ref: '#/components/parameters/APM_UI_elastic_api_version'
        - $ref: '#/components/parameters/APM_UI_kbn_xsrf'
        - description: The name of the service
          in: path
          name: serviceName
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            examples:
              createAnnotationRequest1:
                $ref: '#/components/examples/APM_UI_annotation_object_post_request1'
            schema:
              $ref: '#/components/schemas/APM_UI_create_annotation_object'
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                createAnnotationResponse1:
                  $ref: '#/components/examples/APM_UI_annotation_object_post_200_response1'
              schema:
                $ref: '#/components/schemas/APM_UI_create_annotation_response'
          description: Annotation created successfully
        '400':
          content:
            application/json:
              examples:
                badRequestResponse:
                  $ref: '#/components/examples/APM_UI_error_400_response'
              schema:
                $ref: '#/components/schemas/APM_UI_400_response'
          description: Bad Request response
        '401':
          content:
            application/json:
              examples:
                unauthorizedResponse:
                  $ref: '#/components/examples/APM_UI_error_401_response'
              schema:
                $ref: '#/components/schemas/APM_UI_401_response'
          description: Unauthorized response
        '403':
          content:
            application/json:
              examples:
                forbiddenResponse:
                  $ref: '#/components/examples/APM_UI_error_403_response'
              schema:
                $ref: '#/components/schemas/APM_UI_403_response'
          description: Forbidden response
        '404':
          content:
            application/json:
              examples:
                notFoundResponse:
                  $ref: '#/components/examples/APM_UI_error_404_response'
              schema:
                $ref: '#/components/schemas/APM_UI_404_response'
          description: Not found response
      summary: Create a service annotation
      tags:
        - APM annotations
      x-codeSamples:
        - lang: Curl
          source: |
            curl -X POST \
            http://localhost:5601/api/apm/services/opbeans-java/annotation \
            -H 'Content-Type: application/json' \
            -H 'kbn-xsrf: true' \
            -H 'Authorization: Basic YhUlubWZhM0FDbnlQeE6WRtaW49FQmSGZ4RUWXdX' \
            -d '{
                "@timestamp": "2020-05-08T10:31:30.452Z",
                "service": {
                    "version": "1.2"
                },
                "message": "Deployment 1.2"
            }'
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/apm/services/{serviceName}/annotation/search:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/apm/services/{serviceName}/annotation/search</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Search for annotations related to a specific service.
      operationId: getAnnotation
      parameters:
        - $ref: '#/components/parameters/APM_UI_elastic_api_version'
        - description: The name of the service
          in: path
          name: serviceName
          required: true
          schema:
            type: string
        - description: The environment to filter annotations by
          in: query
          name: environment
          required: false
          schema:
            type: string
        - description: The start date for the search
          example: '2024-01-01T00:00:00.000Z'
          in: query
          name: start
          required: false
          schema:
            format: date-time
            type: string
        - description: The end date for the search
          example: '2024-01-31T23:59:59.999Z'
          in: query
          name: end
          required: false
          schema:
            format: date-time
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                getAnnotationResponse1:
                  $ref: '#/components/examples/APM_UI_annotation_search_get_200_response1'
              schema:
                $ref: '#/components/schemas/APM_UI_annotation_search_response'
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                badRequestResponse:
                  $ref: '#/components/examples/APM_UI_error_400_response'
              schema:
                $ref: '#/components/schemas/APM_UI_400_response'
          description: Bad Request response
        '401':
          content:
            application/json:
              examples:
                unauthorizedResponse:
                  $ref: '#/components/examples/APM_UI_error_401_response'
              schema:
                $ref: '#/components/schemas/APM_UI_401_response'
          description: Unauthorized response
        '500':
          content:
            application/json:
              examples:
                internalServerErrorResponse:
                  $ref: '#/components/examples/APM_UI_error_500_response'
              schema:
                $ref: '#/components/schemas/APM_UI_500_response'
          description: Internal Server Error response
      summary: Search for annotations
      tags:
        - APM annotations
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/apm/settings/agent-configuration:
    delete:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/apm/settings/agent-configuration</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Delete an existing agent configuration. You must have `all` privileges for the APM and User Experience feature in Kibana. When successful, the configuration is removed and, if Fleet is enabled, APM package policies are synchronized accordingly.
      operationId: deleteAgentConfiguration
      parameters:
        - $ref: '#/components/parameters/APM_UI_elastic_api_version'
        - $ref: '#/components/parameters/APM_UI_kbn_xsrf'
      requestBody:
        content:
          application/json:
            examples:
              deleteAgentConfigurationRequest1:
                $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_delete_request1'
            schema:
              $ref: '#/components/schemas/APM_UI_delete_service_object'
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                deleteAgentConfigurationResponseExample1:
                  $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_delete_200_response1'
              schema:
                $ref: '#/components/schemas/APM_UI_delete_agent_configurations_response'
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                badRequestResponse:
                  $ref: '#/components/examples/APM_UI_error_400_response'
              schema:
                $ref: '#/components/schemas/APM_UI_400_response'
          description: Bad Request response
        '401':
          content:
            application/json:
              examples:
                unauthorizedResponse:
                  $ref: '#/components/examples/APM_UI_error_401_response'
              schema:
                $ref: '#/components/schemas/APM_UI_401_response'
          description: Unauthorized response
        '403':
          content:
            application/json:
              examples:
                forbiddenResponse:
                  $ref: '#/components/examples/APM_UI_error_403_response'
              schema:
                $ref: '#/components/schemas/APM_UI_403_response'
          description: Forbidden response
        '404':
          content:
            application/json:
              examples:
                notFoundResponse:
                  $ref: '#/components/examples/APM_UI_error_404_response'
              schema:
                $ref: '#/components/schemas/APM_UI_404_response'
          description: Not found response
      summary: Delete agent configuration
      tags:
        - APM agent configuration
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    get:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/apm/settings/agent-configuration</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Retrieve all agent configurations. You must have `read` privileges for the APM and User Experience feature in Kibana. If agent configuration is not available on the current deployment, the API returns a 404.
      operationId: getAgentConfigurations
      parameters:
        - $ref: '#/components/parameters/APM_UI_elastic_api_version'
      responses:
        '200':
          content:
            application/json:
              examples:
                getAgentConfigurationsResponseExample1:
                  $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_get_200_response1'
              schema:
                $ref: '#/components/schemas/APM_UI_agent_configurations_response'
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                badRequestResponse:
                  $ref: '#/components/examples/APM_UI_error_400_response'
              schema:
                $ref: '#/components/schemas/APM_UI_400_response'
          description: Bad Request response
        '401':
          content:
            application/json:
              examples:
                unauthorizedResponse:
                  $ref: '#/components/examples/APM_UI_error_401_response'
              schema:
                $ref: '#/components/schemas/APM_UI_401_response'
          description: Unauthorized response
        '404':
          content:
            application/json:
              examples:
                notFoundResponse:
                  $ref: '#/components/examples/APM_UI_error_404_response'
              schema:
                $ref: '#/components/schemas/APM_UI_404_response'
          description: Not found response
      summary: Get a list of agent configurations
      tags:
        - APM agent configuration
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    put:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb put">put</span>&nbsp;<span class="operation-path">/s/{space_id}/api/apm/settings/agent-configuration</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Create or update an agent configuration. You must have `all` privileges for the APM and User Experience feature in Kibana. When updating an existing configuration, the `?overwrite=true` query parameter is required. If the configuration already exists and `overwrite` is not set to `true`, the API returns a 400 error. When successful and Fleet is enabled, APM package policies are synchronized accordingly.
      operationId: createUpdateAgentConfiguration
      parameters:
        - $ref: '#/components/parameters/APM_UI_elastic_api_version'
        - $ref: '#/components/parameters/APM_UI_kbn_xsrf'
        - description: If the configuration already exists, `?overwrite=true` is required.
          in: query
          name: overwrite
          schema:
            type: boolean
      requestBody:
        content:
          application/json:
            examples:
              createUpdateAgentConfigurationRequestExample1:
                $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_put_request1'
            schema:
              $ref: '#/components/schemas/APM_UI_agent_configuration_intake_object'
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                createUpdateAgentConfigurationResponseExample1:
                  $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_put_200_response1'
              schema:
                additionalProperties: false
                description: The response body is intentionally empty for this endpoint.
                type: object
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                badRequestResponse:
                  $ref: '#/components/examples/APM_UI_error_400_response'
              schema:
                $ref: '#/components/schemas/APM_UI_400_response'
          description: Bad Request response
        '401':
          content:
            application/json:
              examples:
                unauthorizedResponse:
                  $ref: '#/components/examples/APM_UI_error_401_response'
              schema:
                $ref: '#/components/schemas/APM_UI_401_response'
          description: Unauthorized response
        '403':
          content:
            application/json:
              examples:
                forbiddenResponse:
                  $ref: '#/components/examples/APM_UI_error_403_response'
              schema:
                $ref: '#/components/schemas/APM_UI_403_response'
          description: Forbidden response
        '404':
          content:
            application/json:
              examples:
                notFoundResponse:
                  $ref: '#/components/examples/APM_UI_error_404_response'
              schema:
                $ref: '#/components/schemas/APM_UI_404_response'
          description: Not found response
      summary: Create or update agent configuration
      tags:
        - APM agent configuration
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/apm/settings/agent-configuration/agent_name:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/apm/settings/agent-configuration/agent_name</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Retrieve `agentName` for a service.
      operationId: getAgentNameForService
      parameters:
        - $ref: '#/components/parameters/APM_UI_elastic_api_version'
        - description: The name of the service
          example: node
          in: query
          name: serviceName
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                getAgentNameForServiceResponse1:
                  $ref: '#/components/examples/APM_UI_service_agent_name_get_200_response1'
              schema:
                $ref: '#/components/schemas/APM_UI_service_agent_name_response'
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                badRequestResponse:
                  $ref: '#/components/examples/APM_UI_error_400_response'
              schema:
                $ref: '#/components/schemas/APM_UI_400_response'
          description: Bad Request response
        '401':
          content:
            application/json:
              examples:
                unauthorizedResponse:
                  $ref: '#/components/examples/APM_UI_error_401_response'
              schema:
                $ref: '#/components/schemas/APM_UI_401_response'
          description: Unauthorized response
        '404':
          content:
            application/json:
              examples:
                notFoundResponse:
                  $ref: '#/components/examples/APM_UI_error_404_response'
              schema:
                $ref: '#/components/schemas/APM_UI_404_response'
          description: Not found response
      summary: Get agent name for service
      tags:
        - APM agent configuration
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/apm/settings/agent-configuration/environments:
    get:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/apm/settings/agent-configuration/environments</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Retrieve the available environments for a given service, to be used in agent configuration. You must have `read` privileges for the APM and User Experience feature in Kibana. If `serviceName` is omitted, environments across all services are returned.
      operationId: getEnvironmentsForService
      parameters:
        - $ref: '#/components/parameters/APM_UI_elastic_api_version'
        - description: The name of the service. If omitted, environments across all services are returned.
          example: opbeans-node
          in: query
          name: serviceName
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                getEnvironmentsForServiceResponseExample1:
                  $ref: '#/components/examples/APM_UI_agent_configuration_environments_200_response1'
              schema:
                $ref: '#/components/schemas/APM_UI_service_environments_response'
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                badRequestResponse:
                  $ref: '#/components/examples/APM_UI_error_400_response'
              schema:
                $ref: '#/components/schemas/APM_UI_400_response'
          description: Bad Request response
        '401':
          content:
            application/json:
              examples:
                unauthorizedResponse:
                  $ref: '#/components/examples/APM_UI_error_401_response'
              schema:
                $ref: '#/components/schemas/APM_UI_401_response'
          description: Unauthorized response
        '404':
          content:
            application/json:
              examples:
                notFoundResponse:
                  $ref: '#/components/examples/APM_UI_error_404_response'
              schema:
                $ref: '#/components/schemas/APM_UI_404_response'
          description: Not found response
      summary: Get environments for service
      tags:
        - APM agent configuration
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/apm/settings/agent-configuration/search:
    post:
      deprecated: true
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/apm/settings/agent-configuration/search</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        DEPRECATED: This endpoint is intended for internal use by APM agents to fetch their configuration and mark it as applied. Do not use for new integrations. It searches for a single agent configuration matching the given service, and optionally updates the `applied_by_agent` field when the provided `etag` matches the current configuration.
      operationId: searchSingleConfiguration
      parameters:
        - $ref: '#/components/parameters/APM_UI_elastic_api_version'
        - $ref: '#/components/parameters/APM_UI_kbn_xsrf'
      requestBody:
        content:
          application/json:
            examples:
              searchSingleConfigurationRequest1:
                $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_search_request1'
            schema:
              $ref: '#/components/schemas/APM_UI_search_agent_configuration_object'
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                searchSingleConfigurationResponse1:
                  $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_search_200_response1'
              schema:
                $ref: '#/components/schemas/APM_UI_search_agent_configuration_response'
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                badRequestResponse:
                  $ref: '#/components/examples/APM_UI_error_400_response'
              schema:
                $ref: '#/components/schemas/APM_UI_400_response'
          description: Bad Request response
        '401':
          content:
            application/json:
              examples:
                unauthorizedResponse:
                  $ref: '#/components/examples/APM_UI_error_401_response'
              schema:
                $ref: '#/components/schemas/APM_UI_401_response'
          description: Unauthorized response
        '404':
          content:
            application/json:
              examples:
                notFoundResponse:
                  $ref: '#/components/examples/APM_UI_error_404_response'
              schema:
                $ref: '#/components/schemas/APM_UI_404_response'
          description: Not found response
      summary: Look up single agent configuration
      tags:
        - APM agent configuration
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/apm/settings/agent-configuration/view:
    get:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/apm/settings/agent-configuration/view</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Retrieve a single agent configuration matching the given service name and environment. You must have `read` privileges for the APM and User Experience feature in Kibana. If no matching configuration is found, the API returns a 404.
      operationId: getSingleAgentConfiguration
      parameters:
        - $ref: '#/components/parameters/APM_UI_elastic_api_version'
        - description: Service name
          example: node
          in: query
          name: name
          schema:
            type: string
        - description: Service environment
          example: prod
          in: query
          name: environment
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                getSingleAgentConfigurationResponseExample1:
                  $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_view_200_response1'
              schema:
                $ref: '#/components/schemas/APM_UI_single_agent_configuration_response'
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                badRequestResponse:
                  $ref: '#/components/examples/APM_UI_error_400_response'
              schema:
                $ref: '#/components/schemas/APM_UI_400_response'
          description: Bad Request response
        '401':
          content:
            application/json:
              examples:
                unauthorizedResponse:
                  $ref: '#/components/examples/APM_UI_error_401_response'
              schema:
                $ref: '#/components/schemas/APM_UI_401_response'
          description: Unauthorized response
        '404':
          content:
            application/json:
              examples:
                notFoundResponse:
                  $ref: '#/components/examples/APM_UI_error_404_response'
              schema:
                $ref: '#/components/schemas/APM_UI_404_response'
          description: Not found response
      summary: Get single agent configuration
      tags:
        - APM agent configuration
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/asset_criticality:
    delete:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/asset_criticality</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Delete the asset criticality record for a specific entity.
      operationId: DeleteAssetCriticalityRecord
      parameters:
        - description: The ID value of the asset.
          example: my_host
          in: query
          name: id_value
          required: true
          schema:
            type: string
        - description: The field representing the ID.
          example: host.name
          in: query
          name: id_field
          required: true
          schema:
            $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField'
        - description: If set to `wait_for`, the request waits for the index refresh.
          in: query
          name: refresh
          required: false
          schema:
            enum:
              - wait_for
            type: string
      responses:
        '200':
          content:
            application/json:
              schema:
                type: object
                properties:
                  deleted:
                    description: True if the record was deleted or false if the record did not exist.
                    type: boolean
                  record:
                    $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord'
                    description: The deleted record if it existed.
                required:
                  - deleted
          description: Successful response
        '400':
          description: Invalid request
      summary: Delete an asset criticality record
      tags:
        - Security Entity Analytics API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/asset_criticality</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get the asset criticality record for a specific entity.
      operationId: GetAssetCriticalityRecord
      parameters:
        - description: The ID value of the asset.
          example: my_host
          in: query
          name: id_value
          required: true
          schema:
            type: string
        - description: The field representing the ID.
          example: host.name
          in: query
          name: id_field
          required: true
          schema:
            $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField'
      responses:
        '200':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord'
          description: Successful response
        '400':
          description: Invalid request
        '404':
          description: Criticality record not found
      summary: Get an asset criticality record
      tags:
        - Security Entity Analytics API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    post:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/asset_criticality</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Create or update an asset criticality record for a specific entity.

        If a record already exists for the specified entity, that record is overwritten with the specified value. If a record doesn't exist for the specified entity, a new record is created.
      operationId: CreateAssetCriticalityRecord
      requestBody:
        content:
          application/json:
            schema:
              allOf:
                - $ref: '#/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord'
                - type: object
                  properties:
                    refresh:
                      description: If set to `wait_for`, the request waits for the index refresh.
                      enum:
                        - wait_for
                      type: string
              example:
                criticality_level: high_impact
                id_field: host.name
                id_value: my_host
        required: true
      responses:
        '200':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord'
          description: Successful response
        '400':
          description: Invalid request
      summary: Upsert an asset criticality record
      tags:
        - Security Entity Analytics API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/asset_criticality/bulk:
    post:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/asset_criticality/bulk</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Bulk upsert up to 1000 asset criticality records.

        If asset criticality records already exist for the specified entities, those records are overwritten with the specified values. If asset criticality records don't exist for the specified entities, new records are created.
      operationId: BulkUpsertAssetCriticalityRecords
      requestBody:
        content:
          application/json:
            schema:
              example:
                records:
                  - criticality_level: low_impact
                    id_field: host.name
                    id_value: host-1
                  - criticality_level: medium_impact
                    id_field: host.name
                    id_value: host-2
              type: object
              properties:
                records:
                  items:
                    allOf:
                      - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordIdParts'
                      - type: object
                        properties:
                          criticality_level:
                            $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevelsForBulkUpload'
                        required:
                          - criticality_level
                  maxItems: 1000
                  minItems: 1
                  type: array
              required:
                - records
      responses:
        '200':
          content:
            application/json:
              schema:
                example:
                  errors:
                    - index: 0
                      message: Invalid ID field
                  stats:
                    failed: 1
                    successful: 1
                    total: 2
                type: object
                properties:
                  errors:
                    items:
                      $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadErrorItem'
                    type: array
                  stats:
                    $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadStats'
                required:
                  - errors
                  - stats
          description: Bulk upload successful
        '413':
          description: File too large
      summary: Bulk upsert asset criticality records
      tags:
        - Security Entity Analytics API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/asset_criticality/list:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/asset_criticality/list</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        List asset criticality records, with paging, sorting, and filtering as needed.
      operationId: FindAssetCriticalityRecords
      parameters:
        - description: The field to sort by.
          in: query
          name: sort_field
          required: false
          schema:
            enum:
              - id_value
              - id_field
              - criticality_level
              - '@timestamp'
            type: string
        - description: The order to sort by.
          in: query
          name: sort_direction
          required: false
          schema:
            enum:
              - asc
              - desc
            type: string
        - description: The page number to return.
          in: query
          name: page
          required: false
          schema:
            minimum: 1
            type: integer
        - description: The number of records to return per page.
          in: query
          name: per_page
          required: false
          schema:
            maximum: 1000
            minimum: 1
            type: integer
        - description: The kuery to filter by.
          in: query
          name: kuery
          required: false
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              schema:
                example:
                  page: 1
                  per_page: 10
                  records:
                    - '@timestamp': '2024-08-02T14:40:35.705Z'
                      asset:
                        criticality: medium_impact
                      criticality_level: medium_impact
                      host:
                        asset:
                          criticality: medium_impact
                        name: my_other_host
                      id_field: host.name
                      id_value: my_other_host
                    - '@timestamp': '2024-08-02T11:15:34.290Z'
                      asset:
                        criticality: high_impact
                      criticality_level: high_impact
                      host:
                        asset:
                          criticality: high_impact
                        name: my_host
                      id_field: host.name
                      id_value: my_host
                  total: 2
                type: object
                properties:
                  page:
                    minimum: 1
                    type: integer
                  per_page:
                    maximum: 1000
                    minimum: 1
                    type: integer
                  records:
                    items:
                      $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord'
                    type: array
                  total:
                    minimum: 0
                    type: integer
                required:
                  - records
                  - page
                  - per_page
                  - total
          description: Successfully retrieved asset criticality records
      summary: List asset criticality records
      tags:
        - Security Entity Analytics API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/attack_discovery/_bulk:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/attack_discovery/_bulk</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Performs bulk updates on multiple Attack discoveries, including workflow status changes and visibility settings. This endpoint allows efficient batch processing of alert modifications without requiring individual API calls for each alert.
      operationId: PostAttackDiscoveryBulk
      requestBody:
        content:
          application/json:
            examples:
              PostAttackDiscoveryBulkRequestBodyExample:
                summary: Acknowledge two Attack discoveries in bulk.
                value:
                  update:
                    enable_field_rendering: false
                    ids:
                      - c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f
                      - 5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7
                    kibana_alert_workflow_status: acknowledged
                    with_replacements: true
            schema:
              type: object
              properties:
                update:
                  description: Configuration object containing all parameters for the bulk update operation
                  type: object
                  properties:
                    enable_field_rendering:
                      default: false
                      description: Enables a markdown syntax used to render pivot fields, for example `{{ user.name james }}`. When disabled, the same example would be rendered as `james`. This is primarily used for Attack Discovery views within Kibana. Defaults to `false`.
                      example: false
                      type: boolean
                    ids:
                      description: Array of Attack Discovery IDs to update
                      example:
                        - c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f
                        - 5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7
                      items:
                        type: string
                      type: array
                    kibana_alert_workflow_status:
                      description: When provided, update the `kibana.alert.workflow_status` of the attack discovery alerts
                      enum:
                        - open
                        - acknowledged
                        - closed
                      example: acknowledged
                      type: string
                    visibility:
                      description: When provided, update the visibility of the alert, as determined by the `kibana.alert.attack_discovery.users` field
                      enum:
                        - not_shared
                        - shared
                      example: shared
                      type: string
                    with_replacements:
                      default: true
                      description: When true, returns the updated Attack discoveries with text replacements applied to the detailsMarkdown, entitySummaryMarkdown, summaryMarkdown, and title fields. This substitutes anonymized values with human-readable equivalents. Defaults to `true`.
                      example: true
                      type: boolean
                  required:
                    - ids
              required:
                - update
        description: Bulk update parameters for Attack discoveries
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                PostAttackDiscoveryBulkResponse200Example:
                  summary: A successful bulk update response containing the modified Attack discoveries.
                  value:
                    data:
                      - alert_ids:
                          - alert-abc-1
                        alert_workflow_status: acknowledged
                        connector_id: gen-ai-connector
                        connector_name: OpenAI GPT-4
                        details_markdown: '- **Host** `workstation-01` showed credential access patterns consistent with mimikatz.'
                        generation_uuid: 550e8400-e29b-41d4-a716-446655440000
                        id: c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f
                        summary_markdown: A user account was compromised using mimikatz to dump credentials.
                        timestamp: '2024-01-15T10:00:00.000Z'
                        title: Credential theft via mimikatz
              schema:
                type: object
                properties:
                  data:
                    description: Array of updated Attack Discovery alert objects. Each item includes the applied modifications from the bulk update request.
                    items:
                      $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert'
                    type: array
                required:
                  - data
          description: Indicates a successful call.
        '400':
          content:
            application/json:
              examples:
                PostAttackDiscoveryBulkResponse400Example:
                  summary: Bad Request error returned when the bulk update payload is invalid.
                  value:
                    error: Bad Request
                    message: Invalid request parameters.
                    status_code: 400
              schema:
                type: object
                properties:
                  error:
                    description: Error type
                    example: Bad Request
                    type: string
                  message:
                    description: Human-readable error message describing what went wrong with the bulk update request
                    example: Invalid request parameters.
                    type: string
                  status_code:
                    description: HTTP status code
                    example: 400
                    type: number
                required:
                  - status_code
                  - error
                  - message
          description: Bad Request response.
      summary: Bulk update Attack discoveries
      tags:
        - Security Attack discovery API
      x-codeSamples:
        - label: Example request
          lang: curl
          source: |
            curl \
             --request POST 'http://localhost:5601/api/attack_discovery/_bulk' \
             --header "Authorization: $API_KEY" \
             --header "Content-Type: application/json" \
             --data-raw '{
               "update": {
                 "ids": [
                   "c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f",
                   "5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7"
                 ],
                 "kibana_alert_workflow_status": "acknowledged"
               }
             }'
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/attack_discovery/_find:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/attack_discovery/_find</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Find Attack discoveries that match the search criteria. Supports free text search, filtering, pagination, and sorting.
      operationId: AttackDiscoveryFind
      parameters:
        - description: Filter results to Attack discoveries that include any of the provided alert IDs
          in: query
          name: alert_ids
          required: false
          schema:
            items:
              type: string
            type: array
        - description: Filter results to Attack discoveries created by any of the provided human-readable connector names. Values must match the human-readable `connector_name` property of an Attack discovery, e.g. "GPT-5 Chat", which is distinct from the `connector_id` values used to generate Attack discoveries.
          in: query
          name: connector_names
          required: false
          schema:
            items:
              type: string
            type: array
        - description: Enables a markdown syntax used to render pivot fields, for example `{{ user.name james }}`. When disabled, the same example would be rendered as `james`. This is primarily used for Attack Discovery views within Kibana. Defaults to `false`.
          example: false
          in: query
          name: enable_field_rendering
          required: false
          schema:
            default: false
            type: boolean
        - description: End of the time range for the search. Accepts absolute timestamps (ISO 8601) or relative date math (e.g. "now", "now-24h").
          example: now
          in: query
          name: end
          required: false
          schema:
            type: string
        - description: Filter results to the Attack discoveries with the specified IDs
          in: query
          name: ids
          required: false
          schema:
            items:
              type: string
            type: array
        - description: If `true`, the response will include `unique_alert_ids` and `unique_alert_ids_count` aggregated across the matched Attack discoveries
          example: false
          in: query
          name: include_unique_alert_ids
          required: false
          schema:
            type: boolean
        - description: Page number to return (used for pagination). Defaults to 1.
          example: 1
          in: query
          name: page
          required: false
          schema:
            default: 1
            minimum: 1
            type: integer
        - description: Number of Attack discoveries to return per page (used for pagination). Defaults to 10.
          example: 10
          in: query
          name: per_page
          required: false
          schema:
            default: 10
            minimum: 1
            type: integer
        - description: Free-text search query applied to relevant text fields of Attack discoveries (title, description, tags, etc.)
          example: ''
          in: query
          name: search
          required: false
          schema:
            type: string
        - description: Whether to filter by shared visibility. If omitted, both shared and privately visible Attack discoveries are returned. Use `true` to return only shared discoveries, `false` to return only those visible to the current user.
          in: query
          name: shared
          required: false
          schema:
            type: boolean
        - description: Whether to filter by scheduled or ad-hoc attack discoveries. If omitted, both types of attack discoveries are returned. Use `true` to return only scheduled discoveries or `false` to return only ad-hoc discoveries.
          in: query
          name: scheduled
          required: false
          schema:
            type: boolean
        - description: Field used to sort results. See `AttackDiscoveryFindSortField` for allowed values.
          example: '@timestamp'
          in: query
          name: sort_field
          required: false
          schema:
            $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryFindSortField'
            default: '@timestamp'
        - description: Sort order direction, `asc` for ascending or `desc` for descending. Defaults to `desc`.
          example: desc
          in: query
          name: sort_order
          required: false
          schema:
            $ref: '#/components/schemas/Security_Attack_discovery_API_SortOrder'
            default: desc
        - description: Start of the time range for the search. Accepts absolute timestamps (ISO 8601) or relative date math (e.g. "now-7d").
          example: now-24h
          in: query
          name: start
          required: false
          schema:
            type: string
        - description: Filter by alert workflow status. Provide one or more of the allowed workflow states.
          example:
            - open
            - acknowledged
          in: query
          name: status
          required: false
          schema:
            items:
              enum:
                - acknowledged
                - closed
                - open
              type: string
            type: array
        - description: When true, the returned Attack discoveries have text replacements applied to the detailsMarkdown, entitySummaryMarkdown, summaryMarkdown, and title fields. Defaults to `true`.
          example: true
          in: query
          name: with_replacements
          required: false
          schema:
            default: true
            type: boolean
      responses:
        '200':
          content:
            application/json:
              examples:
                AttackDiscoveryFindResponse200Example:
                  summary: Paginated list of Attack discoveries matching the search criteria.
                  value:
                    connector_names:
                      - GPT-5 Chat
                    data:
                      - connector_name: GPT-5 Chat
                        id: c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f
                        title: Suspicious process execution on host-01
                    page: 1
                    per_page: 10
                    total: 1
                    unique_alert_ids_count: 0
              schema:
                type: object
                properties:
                  connector_names:
                    description: List of human-readable connector names that are present in the matched Attack discoveries. Useful for building client filters or summaries.
                    items:
                      type: string
                    type: array
                  data:
                    description: Array of matched Attack discovery objects. Each item follows the `AttackDiscoveryApiAlert` schema.
                    items:
                      $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert'
                    type: array
                  page:
                    description: Current page number of the paginated result set.
                    type: integer
                  per_page:
                    description: Number of items requested per page.
                    type: integer
                  total:
                    description: Total number of Attack discoveries matching the query (across all pages).
                    type: integer
                  unique_alert_ids:
                    description: List of unique alert IDs aggregated from the matched Attack discoveries. Only present if `include_unique_alert_ids=true` in the request.
                    items:
                      type: string
                    type: array
                  unique_alert_ids_count:
                    description: Number of unique alert IDs across all matched Attack discoveries. Only present if `include_unique_alert_ids=true` in the request.
                    type: integer
                required:
                  - connector_names
                  - data
                  - page
                  - per_page
                  - total
                  - unique_alert_ids_count
          description: Indicates a successful call.
        '400':
          content:
            application/json:
              examples:
                AttackDiscoveryFindResponse400Example:
                  summary: Bad Request error returned when find query parameters are invalid.
                  value:
                    error: Bad Request
                    message: Invalid request payload.
                    status_code: 400
              schema:
                type: object
                properties:
                  error:
                    description: Error type
                    example: Bad Request
                    type: string
                  message:
                    description: Human-readable error message
                    example: Invalid request payload.
                    type: string
                  status_code:
                    description: HTTP status code
                    example: 400
                    type: number
          description: Bad Request response.
      summary: Find Attack discoveries that match the search criteria
      tags:
        - Security Attack discovery API
      x-codeSamples:
        - label: Example request
          lang: curl
          source: |
            curl \
             --request GET 'http://localhost:5601/api/attack_discovery/_find?end=now&include_unique_alert_ids=false&page=1&per_page=10&search=&sort_field=%40timestamp&sort_order=desc&start=now-24h&status=open&status=acknowledged' \
             --header "Authorization: $API_KEY" \
             --header "Content-Type: application/json"
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/attack_discovery/_generate:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/attack_discovery/_generate</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Initiates the generation of attack discoveries by analyzing security alerts using AI. Returns an execution UUID that can be used to track the generation progress and retrieve results. Results may also be retrieved via the find endpoint.
      operationId: PostAttackDiscoveryGenerate
      requestBody:
        content:
          application/json:
            examples:
              PostAttackDiscoveryGenerateRequestBodyExample:
                summary: Generate Attack discoveries from alerts in the last 24 hours.
                value:
                  alertsIndexPattern: .alerts-security.alerts-default
                  anonymizationFields:
                    - allowed: true
                      anonymized: true
                      field: host.name
                    - allowed: true
                      anonymized: true
                      field: user.name
                    - allowed: true
                      anonymized: false
                      field: process.name
                  apiConfig:
                    actionTypeId: .gen-ai
                    connectorId: 12345678-1234-1234-1234-123456789012
                  connectorName: GPT-5 Chat
                  end: now
                  replacements: {}
                  size: 100
                  start: now-24h
                  subAction: invokeAI
            schema:
              $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenerationConfig'
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                PostAttackDiscoveryGenerateResponse200Example:
                  summary: Generation started; use the returned execution UUID to track progress.
                  value:
                    execution_uuid: edd26039-0990-4d9f-9829-2a1fcacb77b5
              schema:
                type: object
                properties:
                  execution_uuid:
                    $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString'
                    description: The unique identifier for the attack discovery generation process. Use this UUID to track the generation progress and retrieve results via the find endpoint.
                    example: edd26039-0990-4d9f-9829-2a1fcacb77b5
                required:
                  - execution_uuid
          description: Indicates a successful call.
        '400':
          content:
            application/json:
              examples:
                PostAttackDiscoveryGenerateResponse400Example:
                  summary: Bad Request error returned when the generate payload is invalid.
                  value:
                    error: Bad Request
                    message: Invalid request parameters.
                    status_code: 400
              schema:
                type: object
                properties:
                  error:
                    description: Error type
                    example: Bad Request
                    type: string
                  message:
                    description: Human-readable error message describing what went wrong
                    example: Invalid request parameters.
                    type: string
                  status_code:
                    description: HTTP status code
                    example: 400
                    type: number
                required:
                  - status_code
                  - error
                  - message
          description: Bad Request response.
      summary: Generate attack discoveries from alerts
      tags:
        - Security Attack discovery API
      x-codeSamples:
        - label: Example request
          lang: curl
          source: |
            curl \
             --request POST 'http://localhost:5601/api/attack_discovery/_generate' \
             --header "Authorization: $API_KEY" \
             --header "Content-Type: application/json" \
             --data '{
                "alertsIndexPattern": ".alerts-security.alerts-default",
                "anonymizationFields": [
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "@timestamp",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "aKiJW5gB4U27o8XO8oLf"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "Ransomware.feature",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "saiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "Ransomware.files.data",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "sqiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "Ransomware.files.entropy",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "s6iJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "Ransomware.files.extension",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "tKiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "Ransomware.files.metrics",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "taiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "Ransomware.files.operation",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "tqiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "Ransomware.files.path",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "t6iJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "Ransomware.files.score",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "uKiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "Ransomware.version",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "uaiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "_id",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "Z6iJW5gB4U27o8XO8oLf"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "agent.id",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "aaiJW5gB4U27o8XO8oLf"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "cloud.availability_zone",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "aqiJW5gB4U27o8XO8oLf"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "cloud.provider",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "a6iJW5gB4U27o8XO8oLf"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "cloud.region",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "bKiJW5gB4U27o8XO8oLf"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "destination.ip",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "baiJW5gB4U27o8XO8oLf"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "dns.question.name",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "bqiJW5gB4U27o8XO8oLf"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "dns.question.type",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "b6iJW5gB4U27o8XO8oLf"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "event.category",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "cKiJW5gB4U27o8XO8oLf"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "event.dataset",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "caiJW5gB4U27o8XO8oLf"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "event.module",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "cqiJW5gB4U27o8XO8oLf"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "event.outcome",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "c6iJW5gB4U27o8XO8oLf"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "file.Ext.original.path",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "dKiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "file.hash.sha256",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "daiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "file.name",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "dqiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "file.path",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "d6iJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "group.id",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "eKiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "group.name",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "eaiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "host.asset.criticality",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "eqiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "host.name",
                    "allowed": true,
                    "anonymized": true,
                    "namespace": "default",
                    "id": "e6iJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "host.os.name",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "fKiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "host.os.version",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "faiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "host.risk.calculated_level",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "fqiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "host.risk.calculated_score_norm",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "f6iJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "kibana.alert.original_time",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "gKiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "kibana.alert.risk_score",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "gaiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "kibana.alert.rule.description",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "gqiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "kibana.alert.rule.name",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "g6iJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "kibana.alert.rule.references",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "hKiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "kibana.alert.rule.threat.framework",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "haiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "kibana.alert.rule.threat.tactic.id",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "hqiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "kibana.alert.rule.threat.tactic.name",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "h6iJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "kibana.alert.rule.threat.tactic.reference",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "iKiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "kibana.alert.rule.threat.technique.id",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "iaiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "kibana.alert.rule.threat.technique.name",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "iqiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "kibana.alert.rule.threat.technique.reference",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "i6iJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "kibana.alert.rule.threat.technique.subtechnique.id",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "jKiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "kibana.alert.rule.threat.technique.subtechnique.name",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "jaiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "kibana.alert.rule.threat.technique.subtechnique.reference",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "jqiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "kibana.alert.severity",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "j6iJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "kibana.alert.workflow_status",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "kKiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "message",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "kaiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "network.protocol",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "kqiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "process.Ext.memory_region.bytes_compressed_present",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "nKiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "process.Ext.memory_region.malware_signature.all_names",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "naiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "process.Ext.memory_region.malware_signature.primary.matches",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "nqiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "process.Ext.memory_region.malware_signature.primary.signature.name",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "n6iJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "process.Ext.token.integrity_level_name",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "oKiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "process.args",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "k6iJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "process.code_signature.exists",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "lKiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "process.code_signature.signing_id",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "laiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "process.code_signature.status",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "lqiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "process.code_signature.subject_name",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "l6iJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "process.code_signature.trusted",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "mKiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "process.command_line",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "maiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "process.executable",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "mqiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "process.exit_code",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "m6iJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "process.hash.md5",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "oaiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "process.hash.sha1",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "oqiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "process.hash.sha256",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "o6iJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "process.name",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "pKiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "process.parent.args",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "paiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "process.parent.args_count",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "pqiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "process.parent.code_signature.exists",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "p6iJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "process.parent.code_signature.status",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "qKiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "process.parent.code_signature.subject_name",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "qaiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "process.parent.code_signature.trusted",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "qqiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "process.parent.command_line",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "q6iJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "process.parent.executable",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "rKiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "process.parent.name",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "raiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "process.pe.original_file_name",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "rqiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "process.pid",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "r6iJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "process.working_directory",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "sKiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "rule.name",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "uqiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "rule.reference",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "u6iJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "source.ip",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "vKiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "threat.framework",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "vaiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "threat.tactic.id",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "vqiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "threat.tactic.name",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "v6iJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "threat.tactic.reference",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "wKiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "threat.technique.id",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "waiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "threat.technique.name",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "wqiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "threat.technique.reference",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "w6iJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "threat.technique.subtechnique.id",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "xKiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "threat.technique.subtechnique.name",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "xaiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "threat.technique.subtechnique.reference",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "xqiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "user.asset.criticality",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "x6iJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "user.domain",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "yKiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "user.name",
                    "allowed": true,
                    "anonymized": true,
                    "namespace": "default",
                    "id": "yaiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "user.risk.calculated_level",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "yqiJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "user.risk.calculated_score_norm",
                    "allowed": true,
                    "anonymized": false,
                    "namespace": "default",
                    "id": "y6iJW5gB4U27o8XO8oLg"
                  },
                  {
                    "timestamp": "2025-07-30T13:33:44.029Z",
                    "createdAt": "2025-07-30T13:33:44.029Z",
                    "field": "user.target.name",
                    "allowed": true,
                    "anonymized": true,
                    "namespace": "default",
                    "id": "zKiJW5gB4U27o8XO8oLg"
                  }
                ],
                "replacements": {},
                "size": 100,
                "subAction": "invokeAI",
                "apiConfig": {
                  "connectorId": "12345678-1234-1234-1234-123456789012",
                  "actionTypeId": ".gen-ai"
                },
                "connectorName": "GPT-5 Chat",
                "end": "now",
                "start": "now-24h"
              }'
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/attack_discovery/generations:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/attack_discovery/generations</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get metadata for the current user's latest Attack Discovery generations, excluding generations that have been dismissed. The returned metadata includes execution status and statistics for those generations.
      operationId: GetAttackDiscoveryGenerations
      parameters:
        - description: End of the time range for filtering generations. Accepts absolute timestamps (ISO 8601) or relative date math (e.g. "now", "now-24h").
          example: now
          in: query
          name: end
          required: false
          schema:
            type: string
        - description: The maximum number of generations to retrieve
          example: 50
          in: query
          name: size
          required: false
          schema:
            default: 50
            minimum: 1
            type: number
        - description: Start of the time range for filtering generations. Accepts absolute timestamps (ISO 8601) or relative date math (e.g. "now-7d").
          example: now-24h
          in: query
          name: start
          required: false
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                GetAttackDiscoveryGenerationsResponse200Example:
                  summary: Latest Attack Discovery generation metadata for the current user.
                  value:
                    generations:
                      - alerts_context_count: 75
                        connector_id: chatGpt5_0ChatAzure
                        discoveries: 3
                        end: '2025-09-29T06:42:44.810Z'
                        execution_uuid: 46b218d5-535d-4329-be56-d0f6af6986b7
                        loading_message: AI is analyzing up to 100 alerts in the last 24 hours to generate discoveries.
                        start: '2025-09-29T06:42:08.962Z'
                        status: succeeded
              schema:
                type: object
                properties:
                  generations:
                    description: List of Attack Discovery generations
                    items:
                      $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGeneration'
                    type: array
                required:
                  - generations
          description: Indicates a successful call.
        '400':
          content:
            application/json:
              examples:
                GetAttackDiscoveryGenerationsResponse400Example:
                  summary: Bad Request error returned when the size parameter is invalid.
                  value:
                    error: Bad Request
                    message: Invalid size parameter. Must be a positive number.
                    status_code: 400
              schema:
                type: object
                properties:
                  error:
                    description: Error type
                    example: Bad Request
                    type: string
                  message:
                    description: Human-readable error message
                    example: Invalid size parameter. Must be a positive number.
                    type: string
                  status_code:
                    description: HTTP status code
                    example: 400
                    type: number
          description: Bad Request response.
      summary: Get the latest Attack Discovery generations metadata for the current user
      tags:
        - Security Attack discovery API
      x-codeSamples:
        - label: Example request
          lang: curl
          source: |
            curl \
             --request GET 'http://localhost:5601/api/attack_discovery/generations?size=50&start=now-24h&end=now' \
             --header "Authorization: $API_KEY" \
             --header "Content-Type: application/json"
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/attack_discovery/generations/{execution_uuid}:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/attack_discovery/generations/{execution_uuid}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Returns a specific Attack Discovery generation with all of its generated Attack discoveries and associated metadata, including execution status and statistics.
      operationId: GetAttackDiscoveryGeneration
      parameters:
        - description: The unique identifier for the Attack Discovery generation execution. This UUID is returned at the start of an Attack Discovery generation.
          example: 2e13f386-46cf-4d65-9e2b-68609e132ba5
          in: path
          name: execution_uuid
          required: true
          schema:
            $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString'
        - description: Enables a markdown syntax used to render pivot fields, for example `{{ user.name james }}`. When disabled, the same example would be rendered as `james`. This is primarily used for Attack Discovery views within Kibana. Defaults to `false`.
          example: false
          in: query
          name: enable_field_rendering
          required: false
          schema:
            default: false
            type: boolean
        - description: When true, return the created Attack discoveries with text replacements applied to the detailsMarkdown, entitySummaryMarkdown, summaryMarkdown, and title fields. Defaults to `true`.
          example: true
          in: query
          name: with_replacements
          required: false
          schema:
            default: true
            type: boolean
      responses:
        '200':
          content:
            application/json:
              examples:
                GetAttackDiscoveryGenerationResponse200Example:
                  summary: Single Attack Discovery generation with its discoveries and metadata.
                  value:
                    data:
                      - id: c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f
                        title: Suspicious process execution on host-01
                    generation:
                      alerts_context_count: 50
                      discoveries: 1
                      end: '2025-09-29T06:42:44.810Z'
                      execution_uuid: 2e13f386-46cf-4d65-9e2b-68609e132ba5
                      start: '2025-09-29T06:42:08.962Z'
                      status: succeeded
              schema:
                type: object
                properties:
                  data:
                    description: Array of Attack discoveries generated during this execution.
                    items:
                      $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert'
                    type: array
                  generation:
                    $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGeneration'
                    description: Optional metadata about the Attack Discovery generation process, including execution status and statistics. This metadata may not be available for all generations.
                required:
                  - data
          description: Indicates a successful call.
        '400':
          content:
            application/json:
              examples:
                GetAttackDiscoveryGenerationResponse400Example:
                  summary: Bad Request error returned when the get-generation request is invalid.
                  value:
                    error: Bad Request
                    message: Invalid request parameters.
                    status_code: 400
              schema:
                type: object
                properties:
                  error:
                    description: Error type
                    example: Bad Request
                    type: string
                  message:
                    description: Human-readable error message describing what went wrong with the request
                    example: Invalid request parameters.
                    type: string
                  status_code:
                    description: HTTP status code
                    example: 400
                    type: number
                required:
                  - status_code
                  - error
                  - message
          description: Bad Request response.
      summary: Get a single Attack Discovery generation, including its discoveries and (optional) generation metadata
      tags:
        - Security Attack discovery API
      x-codeSamples:
        - label: Example request
          lang: curl
          source: |
            curl \
             --request GET 'http://localhost:5601/api/attack_discovery/generations/2e13f386-46cf-4d65-9e2b-68609e132ba5' \
             --header "Authorization: $API_KEY" \
             --header "Content-Type: application/json"
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/attack_discovery/generations/{execution_uuid}/_dismiss:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/attack_discovery/generations/{execution_uuid}/_dismiss</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Dismisses an Attack Discovery generation for the current user, indicating that its status should not be reported in the UI. This sets the generation's status to "dismissed" and affects how the generation appears in subsequent queries.
      operationId: PostAttackDiscoveryGenerationsDismiss
      parameters:
        - description: The unique identifier for the Attack Discovery generation execution. This UUID is returned when an Attack Discovery generation is created and can be found in generation responses.
          example: 46b218d5-535d-4329-be56-d0f6af6986b7
          in: path
          name: execution_uuid
          required: true
          schema:
            $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString'
      responses:
        '200':
          content:
            application/json:
              examples:
                PostAttackDiscoveryGenerationsDismissResponse200Example:
                  summary: Successfully dismissed an Attack Discovery generation.
                  value:
                    alerts_context_count: 75
                    connector_id: chatGpt5_0ChatAzure
                    discoveries: 3
                    end: '2025-09-29T06:42:44.810Z'
                    execution_uuid: 46b218d5-535d-4329-be56-d0f6af6986b7
                    loading_message: AI is analyzing up to 100 alerts in the last 24 hours to generate discoveries.
                    start: '2025-09-29T06:42:08.962Z'
                    status: dismissed
              schema:
                type: object
                properties:
                  alerts_context_count:
                    description: The number of alerts that were sent as context to the LLM for this generation.
                    example: 75
                    type: number
                  connector_id:
                    description: The unique identifier of the connector used to generate the attack discoveries.
                    example: chatGpt5_0ChatAzure
                    type: string
                  connector_stats:
                    description: Statistical information about the connector's performance for this user, providing insights into usage patterns and success rates.
                    type: object
                    properties:
                      average_successful_duration_nanoseconds:
                        description: The average duration in nanoseconds for successful generations using this connector by the current user.
                        example: 47958500000
                        type: number
                      successful_generations:
                        description: The total number of Attack discoveries successfully created for this generation
                        example: 2
                        type: number
                  discoveries:
                    description: The number of attack discoveries that were generated during this execution.
                    example: 3
                    type: number
                  end:
                    description: The timestamp when the generation process completed, in ISO 8601 format. This field may be absent for generations that haven't finished.
                    example: '2025-09-29T06:42:44.810Z'
                    type: string
                  execution_uuid:
                    description: The unique identifier for this attack discovery generation execution. This UUID can be used to reference this specific generation in other API calls.
                    example: 46b218d5-535d-4329-be56-d0f6af6986b7
                    type: string
                  loading_message:
                    description: A human-readable message describing the current state or progress of the generation process. Provides context about what the AI is analyzing.
                    example: AI is analyzing up to 100 alerts in the last 24 hours to generate discoveries.
                    type: string
                  reason:
                    description: Additional context or reasoning provided when a generation fails or encounters issues. This field helps diagnose problems with the generation process.
                    example: Connection timeout to AI service
                    type: string
                  start:
                    description: The timestamp when the generation process began, in ISO 8601 format. This marks the beginning of the AI analysis.
                    example: '2025-09-29T06:42:08.962Z'
                    type: string
                  status:
                    description: The current status of the attack discovery generation. After dismissing, this will be set to "dismissed".
                    enum:
                      - canceled
                      - dismissed
                      - failed
                      - started
                      - succeeded
                    example: dismissed
                    type: string
                required:
                  - connector_id
                  - discoveries
                  - execution_uuid
                  - loading_message
                  - start
                  - status
          description: Indicates a successful call.
        '400':
          content:
            application/json:
              examples:
                PostAttackDiscoveryGenerationsDismissResponse400Example:
                  summary: Bad Request error returned when the dismiss request is invalid.
                  value:
                    error: Bad Request
                    message: Invalid request parameters.
                    status_code: 400
              schema:
                type: object
                properties:
                  error:
                    description: Error type or category
                    example: Bad Request
                    type: string
                  message:
                    description: Human-readable error message describing what went wrong with the request.
                    example: Invalid request parameters.
                    type: string
                  status_code:
                    description: HTTP status code indicating the type of client error
                    example: 400
                    type: number
                required:
                  - status_code
                  - error
                  - message
          description: Bad Request response.
      summary: Dismiss an Attack Discovery generation
      tags:
        - Security Attack discovery API
      x-codeSamples:
        - label: Example request
          lang: curl
          source: |
            curl \
             --request POST 'http://localhost:5601/api/attack_discovery/generations/46b218d5-535d-4329-be56-d0f6af6986b7/_dismiss' \
             --header "Authorization: $API_KEY" \
             --header "Content-Type: application/json"
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/attack_discovery/schedules:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/attack_discovery/schedules</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Creates a new Attack Discovery schedule that analyzes security alerts at specified intervals. The schedule defines when and how Attack Discovery analysis should run, including which alerts to analyze, which AI connector to use, and what actions to take when discoveries are found.
      operationId: CreateAttackDiscoverySchedules
      requestBody:
        content:
          application/json:
            examples:
              CreateAttackDiscoverySchedulesRequestBodyExample:
                summary: Create a daily Attack Discovery schedule that runs every 24 hours.
                value:
                  actions: []
                  enabled: true
                  name: Daily Security Analysis
                  params:
                    alerts_index_pattern: .alerts-security.alerts-default
                    api_config:
                      actionTypeId: bedrock
                      connectorId: my-bedrock-connector
                      name: Claude 3.5 Sonnet
                    end: now
                    size: 100
                    start: now-24h
                  schedule:
                    interval: 24h
            schema:
              $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleCreateProps'
        description: Attack Discovery schedule configuration including name, parameters, schedule interval, and actions
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                CreateAttackDiscoverySchedulesResponse200Example:
                  summary: A newly created Attack Discovery schedule.
                  value:
                    actions: []
                    created_at: '2023-10-31T10:00:00.000Z'
                    created_by: elastic
                    enabled: true
                    id: 12345678-1234-1234-1234-123456789012
                    name: Daily Security Analysis
                    params:
                      alerts_index_pattern: .alerts-security.alerts-default
                      api_config:
                        actionTypeId: bedrock
                        connectorId: my-bedrock-connector
                        name: Claude 3.5 Sonnet
                      end: now
                      size: 100
                      start: now-24h
                    schedule:
                      interval: 24h
                    updated_at: '2023-10-31T10:00:00.000Z'
                    updated_by: elastic
              schema:
                $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule'
          description: The Attack Discovery schedule was successfully created.
        '400':
          content:
            application/json:
              examples:
                CreateAttackDiscoverySchedulesResponse400Example:
                  summary: Bad Request error returned when the create schedule payload is invalid.
                  value:
                    error: Bad Request
                    message: Invalid request parameters.
                    status_code: 400
              schema:
                $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError'
          description: Bad Request response.
      summary: Create Attack Discovery schedule
      tags:
        - Security Attack discovery API
      x-codeSamples:
        - label: Create an Attack Discovery schedule
          lang: curl
          source: |
            curl \
             --request POST 'http://localhost:5601/api/attack_discovery/schedules' \
             --header "Authorization: $API_KEY" \
             --header "Content-Type: application/json" \
             --data '{
               "name": "Daily Security Analysis",
               "enabled": true,
               "params": {
                 "alerts_index_pattern": ".alerts-security.alerts-default",
                 "api_config": {
                   "actionTypeId": "bedrock",
                   "connectorId": "my-bedrock-connector",
                   "name": "Claude 3.5 Sonnet"
                 },
                 "size": 100,
                 "start": "now-24h",
                 "end": "now"
               },
               "schedule": {
                 "interval": "24h"
               },
               "actions": [
                 {
                   "action_type_id": ".cases",
                   "id": "system-connector-.cases",
                   "params": {
                     "subAction": "run",
                     "subActionParams": {
                       "timeWindow": "7d",
                       "reopenClosedCases": false,
                       "groupingBy": [],
                       "templateId": null
                     }
                   },
                   "uuid": "12345678-1234-1234-1234-123456789012"
                 }
               ]
             }'
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/attack_discovery/schedules/_find:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/attack_discovery/schedules/_find</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Find Attack Discovery schedules that match the search criteria. Supports pagination and sorting by various fields.
      operationId: FindAttackDiscoverySchedules
      parameters:
        - description: Page number to return (used for pagination). Defaults to 1.
          example: 1
          in: query
          name: page
          required: false
          schema:
            type: number
        - description: Number of Attack Discovery schedules to return per page (used for pagination). Defaults to 10.
          example: 10
          in: query
          name: per_page
          required: false
          schema:
            type: number
        - description: Field used to sort results. Common fields include 'name', 'created_at', 'updated_at', and 'enabled'.
          example: name
          in: query
          name: sort_field
          required: false
          schema:
            $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString'
        - description: Sort order direction. Use 'asc' for ascending or 'desc' for descending. Defaults to 'asc'.
          example: asc
          in: query
          name: sort_direction
          required: false
          schema:
            enum:
              - asc
              - desc
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                FindAttackDiscoverySchedulesResponse200Example:
                  summary: Paginated list of Attack Discovery schedules matching the search criteria.
                  value:
                    data:
                      - actions: []
                        created_at: '2023-10-31T10:00:00.000Z'
                        created_by: elastic
                        enabled: true
                        id: 12345678-1234-1234-1234-123456789012
                        name: Daily Security Analysis
                        params:
                          alerts_index_pattern: .alerts-security.alerts-default
                          api_config:
                            actionTypeId: bedrock
                            connectorId: my-bedrock-connector
                            name: Claude 3.5 Sonnet
                          end: now
                          size: 100
                          start: now-24h
                        schedule:
                          interval: 24h
                        updated_at: '2023-10-31T10:00:00.000Z'
                        updated_by: elastic
                    page: 1
                    per_page: 10
                    total: 1
              schema:
                type: object
                properties:
                  data:
                    description: Array of matched Attack Discovery schedule objects.
                    items:
                      $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule'
                    type: array
                  page:
                    description: Current page number of the paginated result set.
                    type: number
                  per_page:
                    description: Number of items requested per page.
                    type: number
                  total:
                    description: Total number of Attack Discovery schedules matching the query (across all pages).
                    type: number
                required:
                  - page
                  - per_page
                  - total
                  - data
          description: Indicates a successful call.
        '400':
          content:
            application/json:
              examples:
                FindAttackDiscoverySchedulesResponse400Example:
                  summary: Bad Request error returned when find-schedules query parameters are invalid.
                  value:
                    error: Bad Request
                    message: Invalid request payload.
                    status_code: 400
              schema:
                type: object
                properties:
                  error:
                    description: Error type
                    example: Bad Request
                    type: string
                  message:
                    description: Human-readable error message
                    example: Invalid request payload.
                    type: string
                  status_code:
                    description: HTTP status code
                    example: 400
                    type: number
          description: Bad Request response.
      summary: Find Attack Discovery schedules that match the search criteria
      tags:
        - Security Attack discovery API
      x-codeSamples:
        - label: Example request
          lang: curl
          source: |
            curl \
             --request GET 'http://localhost:5601/api/attack_discovery/schedules/_find' \
             --header "Authorization: $API_KEY" \
             --header "Content-Type: application/json"
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/attack_discovery/schedules/{id}:
    delete:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/attack_discovery/schedules/{id}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Permanently deletes an Attack Discovery schedule and all associated configuration.
      operationId: DeleteAttackDiscoverySchedules
      parameters:
        - description: The unique identifier (UUID) of the Attack Discovery schedule to delete. This ID is returned when creating a schedule and can be found in schedule listings.
          example: 12345678-1234-1234-1234-123456789012
          in: path
          name: id
          required: true
          schema:
            $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString'
      responses:
        '200':
          content:
            application/json:
              examples:
                DeleteAttackDiscoverySchedulesResponse200Example:
                  summary: Confirmation returned after deleting an Attack Discovery schedule.
                  value:
                    id: 12345678-1234-1234-1234-123456789012
              schema:
                type: object
                properties:
                  id:
                    $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString'
                    description: The unique identifier of the deleted Attack Discovery schedule
                required:
                  - id
          description: Successfully deleted Attack Discovery schedule, returning the ID of the deleted schedule for confirmation
        '400':
          content:
            application/json:
              examples:
                DeleteAttackDiscoverySchedulesResponse400Example:
                  summary: Bad Request error returned when the delete schedule request is invalid.
                  value:
                    error: Bad Request
                    message: Invalid request parameters.
                    status_code: 400
              schema:
                $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError'
          description: Bad Request response.
      summary: Delete Attack Discovery schedule
      tags:
        - Security Attack discovery API
      x-codeSamples:
        - label: Delete an Attack Discovery schedule
          lang: curl
          source: |
            curl \
             --request DELETE 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \
             --header "Authorization: $API_KEY" \
             --header "Content-Type: application/json"
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/attack_discovery/schedules/{id}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Retrieves a specific Attack Discovery schedule by its unique identifier. Returns complete schedule configuration including parameters, interval settings, associated actions, and execution history.
      operationId: GetAttackDiscoverySchedules
      parameters:
        - description: The unique identifier (UUID) of the Attack Discovery schedule to retrieve. This ID is returned when creating a schedule and can be found in schedule listings.
          example: 12345678-1234-1234-1234-123456789012
          in: path
          name: id
          required: true
          schema:
            $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString'
      responses:
        '200':
          content:
            application/json:
              examples:
                GetAttackDiscoverySchedulesResponse200Example:
                  summary: An Attack Discovery schedule retrieved by ID, including last execution metadata.
                  value:
                    actions: []
                    created_at: '2023-10-31T10:00:00.000Z'
                    created_by: elastic
                    enabled: true
                    id: 12345678-1234-1234-1234-123456789012
                    last_execution:
                      date: '2023-10-31T10:00:00.000Z'
                      last_duration: 45.2
                      status: ok
                    name: Daily Security Analysis
                    params:
                      alerts_index_pattern: .alerts-security.alerts-default
                      api_config:
                        actionTypeId: bedrock
                        connectorId: my-bedrock-connector
                        name: Claude 3.5 Sonnet
                      end: now
                      size: 100
                      start: now-24h
                    schedule:
                      interval: 24h
                    updated_at: '2023-10-31T10:00:00.000Z'
                    updated_by: elastic
              schema:
                $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule'
          description: Successfully retrieved Attack Discovery schedule with complete configuration and metadata
        '400':
          content:
            application/json:
              examples:
                GetAttackDiscoverySchedulesResponse400Example:
                  summary: Bad Request error returned when the get-schedule request is invalid.
                  value:
                    error: Bad Request
                    message: Invalid request parameters.
                    status_code: 400
              schema:
                $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError'
          description: Bad Request response.
      summary: Get Attack Discovery schedule by ID
      tags:
        - Security Attack discovery API
      x-codeSamples:
        - label: Get an Attack Discovery schedule by ID
          lang: curl
          source: |
            curl \
             --request GET 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \
             --header "Authorization: $API_KEY" \
             --header "Content-Type: application/json"
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    put:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb put">put</span>&nbsp;<span class="operation-path">/s/{space_id}/api/attack_discovery/schedules/{id}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Updates an existing Attack Discovery schedule with new configuration. All schedule properties can be modified including name, parameters, interval, and actions. The update operation replaces the entire schedule configuration with the provided values.
      operationId: UpdateAttackDiscoverySchedules
      parameters:
        - description: The unique identifier (UUID) of the Attack Discovery schedule to update. This ID is returned when creating a schedule and can be found in schedule listings.
          example: 12345678-1234-1234-1234-123456789012
          in: path
          name: id
          required: true
          schema:
            $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString'
      requestBody:
        content:
          application/json:
            examples:
              UpdateAttackDiscoverySchedulesRequestBodyExample:
                summary: Update an Attack Discovery schedule to run every 12 hours over a 48-hour window.
                value:
                  actions: []
                  name: Updated Daily Security Analysis
                  params:
                    alerts_index_pattern: .alerts-security.alerts-default
                    api_config:
                      actionTypeId: bedrock
                      connectorId: my-bedrock-connector
                      name: Claude 3.5 Sonnet
                    end: now
                    size: 200
                    start: now-48h
                  schedule:
                    interval: 12h
            schema:
              $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleUpdateProps'
        description: Updated Attack Discovery schedule configuration. All fields are required as this replaces the entire schedule configuration.
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                UpdateAttackDiscoverySchedulesResponse200Example:
                  summary: An Attack Discovery schedule after being updated.
                  value:
                    actions: []
                    created_at: '2023-10-31T10:00:00.000Z'
                    created_by: elastic
                    enabled: true
                    id: 12345678-1234-1234-1234-123456789012
                    name: Updated Daily Security Analysis
                    params:
                      alerts_index_pattern: .alerts-security.alerts-default
                      api_config:
                        actionTypeId: bedrock
                        connectorId: my-bedrock-connector
                        name: Claude 3.5 Sonnet
                      end: now
                      size: 200
                      start: now-48h
                    schedule:
                      interval: 12h
                    updated_at: '2023-10-31T12:00:00.000Z'
                    updated_by: elastic
              schema:
                $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule'
          description: Successfully updated Attack Discovery schedule with the new configuration and metadata
        '400':
          content:
            application/json:
              examples:
                UpdateAttackDiscoverySchedulesResponse400Example:
                  summary: Bad Request error returned when the update schedule payload is invalid.
                  value:
                    error: Bad Request
                    message: Invalid request parameters.
                    status_code: 400
              schema:
                $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError'
          description: Bad Request response.
      summary: Update Attack Discovery schedule
      tags:
        - Security Attack discovery API
      x-codeSamples:
        - label: Update an Attack Discovery schedule
          lang: curl
          source: |
            curl \
             --request PUT 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \
             --header "Authorization: $API_KEY" \
             --header "Content-Type: application/json" \
             --data '{
               "name": "Updated Daily Security Analysis",
               "params": {
                 "alerts_index_pattern": ".alerts-security.alerts-default",
                 "api_config": {
                   "actionTypeId": "bedrock",
                   "connectorId": "my-bedrock-connector",
                   "name": "Claude 3.5 Sonnet"
                 },
                 "size": 200,
                 "start": "now-48h",
                 "end": "now"
               },
               "schedule": {
                 "interval": "12h"
               },
               "actions": []
             }'
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/attack_discovery/schedules/{id}/_disable:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/attack_discovery/schedules/{id}/_disable</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Disables an Attack Discovery schedule, preventing it from running according to its configured interval. The schedule configuration is preserved and can be re-enabled later. Any currently running executions will complete, but no new executions will be started.
      operationId: DisableAttackDiscoverySchedules
      parameters:
        - description: The unique identifier (UUID) of the Attack Discovery schedule to disable. This ID is returned when creating a schedule and can be found in schedule listings.
          example: 12345678-1234-1234-1234-123456789012
          in: path
          name: id
          required: true
          schema:
            $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString'
      responses:
        '200':
          content:
            application/json:
              examples:
                DisableAttackDiscoverySchedulesResponse200Example:
                  summary: Confirmation returned after disabling an Attack Discovery schedule.
                  value:
                    id: 12345678-1234-1234-1234-123456789012
              schema:
                type: object
                properties:
                  id:
                    $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString'
                    description: The unique identifier of the disabled Attack Discovery schedule
                required:
                  - id
          description: Successfully disabled Attack Discovery schedule, returning the schedule ID for confirmation
        '400':
          content:
            application/json:
              examples:
                DisableAttackDiscoverySchedulesResponse400Example:
                  summary: Bad Request error returned when the disable schedule request is invalid.
                  value:
                    error: Bad Request
                    message: Invalid request parameters.
                    status_code: 400
              schema:
                $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError'
          description: Bad Request response.
      summary: Disable Attack Discovery schedule
      tags:
        - Security Attack discovery API
      x-codeSamples:
        - label: Disable an Attack Discovery schedule
          lang: curl
          source: |
            curl \
             --request POST 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012/_disable' \
             --header "Authorization: $API_KEY" \
             --header "Content-Type: application/json"
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/attack_discovery/schedules/{id}/_enable:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/attack_discovery/schedules/{id}/_enable</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Enables a previously disabled Attack Discovery schedule, allowing it to run according to its configured interval. Once enabled, the schedule will begin executing at the next scheduled time based on its interval configuration.
      operationId: EnableAttackDiscoverySchedules
      parameters:
        - description: The unique identifier (UUID) of the Attack Discovery schedule to enable. This ID is returned when creating a schedule and can be found in schedule listings.
          example: 12345678-1234-1234-1234-123456789012
          in: path
          name: id
          required: true
          schema:
            $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString'
      responses:
        '200':
          content:
            application/json:
              examples:
                EnableAttackDiscoverySchedulesResponse200Example:
                  summary: Confirmation returned after enabling an Attack Discovery schedule.
                  value:
                    id: 12345678-1234-1234-1234-123456789012
              schema:
                type: object
                properties:
                  id:
                    $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString'
                    description: The unique identifier of the enabled Attack Discovery schedule
                required:
                  - id
          description: Successfully enabled Attack Discovery schedule, returning the schedule ID for confirmation
        '400':
          content:
            application/json:
              examples:
                EnableAttackDiscoverySchedulesResponse400Example:
                  summary: Bad Request error returned when the enable schedule request is invalid.
                  value:
                    error: Bad Request
                    message: Invalid request parameters.
                    status_code: 400
              schema:
                $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError'
          description: Bad Request response.
      summary: Enable Attack Discovery schedule
      tags:
        - Security Attack discovery API
      x-codeSamples:
        - label: Enable an Attack Discovery schedule
          lang: curl
          source: |
            curl \
             --request POST 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012/_enable' \
             --header "Authorization: $API_KEY" \
             --header "Content-Type: application/json"
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/data_views:
    get:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/data_views</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Retrieve a list of all data views. Use this endpoint to identify available data views in the current Kibana space.
      operationId: getAllDataViewsDefault
      responses:
        '200':
          content:
            application/json:
              examples:
                getAllDataViewsResponse:
                  $ref: '#/components/examples/Data_views_get_data_views_response'
              schema:
                type: object
                properties:
                  data_view:
                    items:
                      type: object
                      properties:
                        id:
                          type: string
                        name:
                          type: string
                        namespaces:
                          items:
                            type: string
                          type: array
                        title:
                          type: string
                        typeMeta:
                          type: object
                    type: array
          description: Indicates a successful call.
        '400':
          content:
            application/json:
              examples:
                getAllDataViewsBadRequest:
                  $ref: '#/components/examples/Data_views_error_400_response'
              schema:
                $ref: '#/components/schemas/Data_views_400_response'
          description: Bad request
      summary: Get all data views
      tags:
        - data views
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X GET "${KIBANA_URL}/api/data_views" \
              -H "Authorization: ApiKey ${API_KEY}"
        - lang: Console
          source: |
            GET kbn:/api/data_views
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/data_views/data_view:
    post:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/data_views/data_view</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Create a data view. Data views identify the Elasticsearch data you want to explore and visualize. They can point to one or more data streams, indices, or index aliases, and use optional runtime fields to compute values at query time. Note that data views are not required for ES|QL-based visualizations. To learn more, refer to the [data views documentation](https://www.elastic.co/docs/explore-analyze/find-and-organize/data-views).
      operationId: createDataViewDefaultw
      parameters:
        - $ref: '#/components/parameters/Data_views_kbn_xsrf'
      requestBody:
        content:
          application/json:
            examples:
              createDataViewRequest:
                $ref: '#/components/examples/Data_views_create_data_view_request'
            schema:
              $ref: '#/components/schemas/Data_views_create_data_view_request_object'
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                createDataViewResponse:
                  $ref: '#/components/examples/Data_views_create_data_view_response'
              schema:
                $ref: '#/components/schemas/Data_views_data_view_response_object'
          description: Indicates a successful call.
        '400':
          content:
            application/json:
              examples:
                createDataViewBadRequest:
                  $ref: '#/components/examples/Data_views_error_400_response'
              schema:
                $ref: '#/components/schemas/Data_views_400_response'
          description: Bad request
      summary: Create a data view
      tags:
        - data views
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X POST "${KIBANA_URL}/api/data_views/data_view" \
              -H "Authorization: ApiKey ${API_KEY}" \
              -H "kbn-xsrf: true" \
              -H "Content-Type: application/json" \
              -d '{"data_view":{"title":"logstash-*","name":"My Logstash data view"}}'
        - lang: Console
          source: |
            POST kbn:/api/data_views/data_view
            {"data_view":{"title":"logstash-*","name":"My Logstash data view"}}
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/data_views/data_view/{viewId}:
    delete:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/data_views/data_view/{viewId}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Delete a data view by its identifier. WARNING: When you delete a data view, it cannot be recovered.
      operationId: deleteDataViewDefault
      parameters:
        - $ref: '#/components/parameters/Data_views_kbn_xsrf'
        - $ref: '#/components/parameters/Data_views_view_id'
      responses:
        '204':
          description: Indicates a successful call.
        '404':
          content:
            application/json:
              examples:
                deleteDataViewNotFound:
                  $ref: '#/components/examples/Data_views_error_404_response'
              schema:
                $ref: '#/components/schemas/Data_views_404_response'
          description: Object is not found.
      summary: Delete a data view
      tags:
        - data views
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X DELETE "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}" \
              -H "Authorization: ApiKey ${API_KEY}" \
              -H "kbn-xsrf: true"
        - lang: Console
          source: |
            DELETE kbn:/api/data_views/data_view/{viewId}
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    get:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/data_views/data_view/{viewId}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Retrieve a single data view by its identifier. Data views identify the Elasticsearch data you want to explore and visualize. They can point to one or more data streams, indices, or index aliases, and use optional runtime fields to compute values at query time. Note that data views are not required for ES|QL-based visualizations. To learn more, refer to the [data views documentation](https://www.elastic.co/docs/explore-analyze/find-and-organize/data-views).
      operationId: getDataViewDefault
      parameters:
        - $ref: '#/components/parameters/Data_views_view_id'
      responses:
        '200':
          content:
            application/json:
              examples:
                getDataViewResponse:
                  $ref: '#/components/examples/Data_views_get_data_view_response'
              schema:
                $ref: '#/components/schemas/Data_views_data_view_response_object'
          description: Indicates a successful call.
        '404':
          content:
            application/json:
              examples:
                getDataViewNotFound:
                  $ref: '#/components/examples/Data_views_error_404_response'
              schema:
                $ref: '#/components/schemas/Data_views_404_response'
          description: Object is not found.
      summary: Get a data view
      tags:
        - data views
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X GET "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}" \
              -H "Authorization: ApiKey ${API_KEY}"
        - lang: Console
          source: |
            GET kbn:/api/data_views/data_view/{viewId}
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    post:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/data_views/data_view/{viewId}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Update an existing data view. Only the fields provided in the request body are updated.
      operationId: updateDataViewDefault
      parameters:
        - $ref: '#/components/parameters/Data_views_kbn_xsrf'
        - $ref: '#/components/parameters/Data_views_view_id'
      requestBody:
        content:
          application/json:
            examples:
              updateDataViewRequest:
                $ref: '#/components/examples/Data_views_update_data_view_request'
            schema:
              $ref: '#/components/schemas/Data_views_update_data_view_request_object'
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                updateDataViewResponse:
                  $ref: '#/components/examples/Data_views_get_data_view_response'
              schema:
                $ref: '#/components/schemas/Data_views_data_view_response_object'
          description: Indicates a successful call.
        '400':
          content:
            application/json:
              examples:
                updateDataViewBadRequest:
                  $ref: '#/components/examples/Data_views_error_400_response'
              schema:
                $ref: '#/components/schemas/Data_views_400_response'
          description: Bad request
      summary: Update a data view
      tags:
        - data views
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X POST "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}" \
              -H "Authorization: ApiKey ${API_KEY}" \
              -H "kbn-xsrf: true" \
              -H "Content-Type: application/json" \
              -d '{"data_view":{"name":"Updated data view name"}}'
        - lang: Console
          source: |
            POST kbn:/api/data_views/data_view/{viewId}
            {"data_view":{"name":"Updated data view name"}}
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/data_views/data_view/{viewId}/fields:
    post:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/data_views/data_view/{viewId}/fields</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Update field metadata for a data view. Use this endpoint to set custom labels, custom descriptions, and format overrides for individual fields.
      operationId: updateFieldsMetadataDefault
      parameters:
        - $ref: '#/components/parameters/Data_views_kbn_xsrf'
        - $ref: '#/components/parameters/Data_views_view_id'
      requestBody:
        content:
          application/json:
            examples:
              updateFieldsMetadataRequest:
                $ref: '#/components/examples/Data_views_update_field_metadata_request'
            schema:
              type: object
              properties:
                fields:
                  description: The field object.
                  type: object
              required:
                - fields
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                updateFieldsMetadataResponse:
                  $ref: '#/components/examples/Data_views_update_field_metadata_response'
              schema:
                type: object
                properties:
                  acknowledged:
                    type: boolean
          description: Indicates a successful call.
        '400':
          content:
            application/json:
              examples:
                updateFieldsMetadataBadRequest:
                  $ref: '#/components/examples/Data_views_error_400_response'
              schema:
                $ref: '#/components/schemas/Data_views_400_response'
          description: Bad request
      summary: Update field metadata
      tags:
        - data views
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X POST "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/fields" \
              -H "Authorization: ApiKey ${API_KEY}" \
              -H "kbn-xsrf: true" \
              -H "Content-Type: application/json" \
              -d '{"fields":{"field_name":{"customLabel":"My custom label"}}}'
        - lang: Console
          source: |
            POST kbn:/api/data_views/data_view/{viewId}/fields
            {"fields":{"field_name":{"customLabel":"My custom label"}}}
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/data_views/data_view/{viewId}/runtime_field:
    post:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/data_views/data_view/{viewId}/runtime_field</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Create a runtime field for a data view. Runtime fields are computed at query time using a [Painless script](https://www.elastic.co/docs/explore-analyze/scripting/modules-scripting-painless) and do not require reindexing. If no `script` is provided, the runtime field returns the corresponding value from the document `_source`.
      operationId: createRuntimeFieldDefault
      parameters:
        - $ref: '#/components/parameters/Data_views_kbn_xsrf'
        - $ref: '#/components/parameters/Data_views_view_id'
      requestBody:
        content:
          application/json:
            examples:
              createRuntimeFieldRequest:
                $ref: '#/components/examples/Data_views_create_runtime_field_request'
            schema:
              type: object
              properties:
                name:
                  description: |
                    The name for a runtime field.
                  type: string
                runtimeField:
                  description: |
                    The runtime field definition object.
                  type: object
              required:
                - name
                - runtimeField
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                createRuntimeFieldResponse:
                  $ref: '#/components/examples/Data_views_create_runtime_field_response'
              schema:
                type: object
          description: Indicates a successful call.
      summary: Create a runtime field
      tags:
        - data views
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X POST "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/runtime_field" \
              -H "Authorization: ApiKey ${API_KEY}" \
              -H "kbn-xsrf: true" \
              -H "Content-Type: application/json" \
              -d '{"name":"hour_of_day","runtimeField":{"type":"long","script":{"source":"emit(doc['"'"'timestamp'"'"'].value.getHour())"}}}'
        - lang: Console
          source: |
            POST kbn:/api/data_views/data_view/{viewId}/runtime_field
            {"name":"hour_of_day","runtimeField":{"type":"long","script":{"source":"emit(doc['timestamp'].value.getHour())"}}}
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    put:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb put">put</span>&nbsp;<span class="operation-path">/s/{space_id}/api/data_views/data_view/{viewId}/runtime_field</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Create or update a runtime field for a data view. If the runtime field already exists, it is replaced with the new definition.
      operationId: createUpdateRuntimeFieldDefault
      parameters:
        - $ref: '#/components/parameters/Data_views_kbn_xsrf'
        - description: |
            The ID of the data view whose runtime field you want to create or update.
          in: path
          name: viewId
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            examples:
              updateRuntimeFieldRequest:
                $ref: '#/components/examples/Data_views_create_runtime_field_request'
            schema:
              type: object
              properties:
                name:
                  description: |
                    The name for a runtime field.
                  type: string
                runtimeField:
                  description: |
                    The runtime field definition object.
                  type: object
              required:
                - name
                - runtimeField
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                createUpdateRuntimeFieldResponse:
                  $ref: '#/components/examples/Data_views_create_runtime_field_response'
              schema:
                type: object
                properties:
                  data_view:
                    type: object
                  fields:
                    items:
                      type: object
                    type: array
          description: Indicates a successful call.
        '400':
          content:
            application/json:
              examples:
                createUpdateRuntimeFieldBadRequest:
                  $ref: '#/components/examples/Data_views_error_400_response'
              schema:
                $ref: '#/components/schemas/Data_views_400_response'
          description: Bad request
      summary: Create or update a runtime field
      tags:
        - data views
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X PUT "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/runtime_field" \
              -H "Authorization: ApiKey ${API_KEY}" \
              -H "kbn-xsrf: true" \
              -H "Content-Type: application/json" \
              -d '{"name":"hour_of_day","runtimeField":{"type":"long","script":{"source":"emit(doc['"'"'timestamp'"'"'].value.getHour())"}}}'
        - lang: Console
          source: |
            PUT kbn:/api/data_views/data_view/{viewId}/runtime_field
            {"name":"hour_of_day","runtimeField":{"type":"long","script":{"source":"emit(doc['timestamp'].value.getHour())"}}}
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/data_views/data_view/{viewId}/runtime_field/{fieldName}:
    delete:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/data_views/data_view/{viewId}/runtime_field/{fieldName}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Delete a runtime field from a data view.
      operationId: deleteRuntimeFieldDefault
      parameters:
        - $ref: '#/components/parameters/Data_views_field_name'
        - $ref: '#/components/parameters/Data_views_view_id'
      responses:
        '200':
          description: Indicates a successful call.
        '404':
          content:
            application/json:
              examples:
                deleteRuntimeFieldNotFound:
                  $ref: '#/components/examples/Data_views_error_404_response'
              schema:
                $ref: '#/components/schemas/Data_views_404_response'
          description: Object is not found.
      summary: Delete a runtime field
      tags:
        - data views
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X DELETE "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/runtime_field/${FIELD_NAME}" \
              -H "Authorization: ApiKey ${API_KEY}" \
              -H "kbn-xsrf: true"
        - lang: Console
          source: |
            DELETE kbn:/api/data_views/data_view/{viewId}/runtime_field/{fieldName}
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    get:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/data_views/data_view/{viewId}/runtime_field/{fieldName}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Retrieve a single runtime field by name from a data view.
      operationId: getRuntimeFieldDefault
      parameters:
        - $ref: '#/components/parameters/Data_views_field_name'
        - $ref: '#/components/parameters/Data_views_view_id'
      responses:
        '200':
          content:
            application/json:
              examples:
                getRuntimeFieldResponse:
                  $ref: '#/components/examples/Data_views_get_runtime_field_response'
              schema:
                type: object
                properties:
                  data_view:
                    type: object
                  fields:
                    items:
                      type: object
                    type: array
          description: Indicates a successful call.
        '404':
          content:
            application/json:
              examples:
                getRuntimeFieldNotFound:
                  $ref: '#/components/examples/Data_views_error_404_response'
              schema:
                $ref: '#/components/schemas/Data_views_404_response'
          description: Object is not found.
      summary: Get a runtime field
      tags:
        - data views
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X GET "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/runtime_field/${FIELD_NAME}" \
              -H "Authorization: ApiKey ${API_KEY}"
        - lang: Console
          source: |
            GET kbn:/api/data_views/data_view/{viewId}/runtime_field/{fieldName}
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    post:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/data_views/data_view/{viewId}/runtime_field/{fieldName}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Update an existing runtime field in a data view. Only the fields provided in the request body are updated.
      operationId: updateRuntimeFieldDefault
      parameters:
        - $ref: '#/components/parameters/Data_views_field_name'
        - $ref: '#/components/parameters/Data_views_view_id'
      requestBody:
        content:
          application/json:
            examples:
              updateRuntimeFieldRequest:
                $ref: '#/components/examples/Data_views_update_runtime_field_request'
            schema:
              type: object
              properties:
                runtimeField:
                  description: |
                    The runtime field definition object.

                    You can update the following fields:

                    - `type`
                    - `script`
                  type: object
              required:
                - runtimeField
        required: true
      responses:
        '200':
          description: Indicates a successful call.
        '400':
          content:
            application/json:
              examples:
                updateRuntimeFieldBadRequest:
                  $ref: '#/components/examples/Data_views_error_400_response'
              schema:
                $ref: '#/components/schemas/Data_views_400_response'
          description: Bad request
      summary: Update a runtime field
      tags:
        - data views
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X POST "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/runtime_field/${FIELD_NAME}" \
              -H "Authorization: ApiKey ${API_KEY}" \
              -H "kbn-xsrf: true" \
              -H "Content-Type: application/json" \
              -d '{"runtimeField":{"type":"long","script":{"source":"emit(doc['"'"'timestamp'"'"'].value.getHour())"}}}'
        - lang: Console
          source: |
            POST kbn:/api/data_views/data_view/{viewId}/runtime_field/{fieldName}
            {"runtimeField":{"type":"long","script":{"source":"emit(doc['timestamp'].value.getHour())"}}}
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/data_views/default:
    get:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/data_views/default</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Retrieve the identifier of the default data view for the current Kibana space.
      operationId: getDefaultDataViewDefault
      responses:
        '200':
          content:
            application/json:
              examples:
                getDefaultDataViewResponse:
                  $ref: '#/components/examples/Data_views_get_default_data_view_response'
              schema:
                type: object
                properties:
                  data_view_id:
                    type: string
          description: Indicates a successful call.
        '400':
          content:
            application/json:
              examples:
                getDefaultDataViewBadRequest:
                  $ref: '#/components/examples/Data_views_error_400_response'
              schema:
                $ref: '#/components/schemas/Data_views_400_response'
          description: Bad request
      summary: Get the default data view
      tags:
        - data views
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X GET "${KIBANA_URL}/api/data_views/default" \
              -H "Authorization: ApiKey ${API_KEY}"
        - lang: Console
          source: |
            GET kbn:/api/data_views/default
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    post:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/data_views/default</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Set the default data view for the current Kibana space. The default data view is used as a fallback when no specific data view is selected.
      operationId: setDefaultDatailViewDefault
      parameters:
        - $ref: '#/components/parameters/Data_views_kbn_xsrf'
      requestBody:
        content:
          application/json:
            examples:
              setDefaultDataViewRequest:
                $ref: '#/components/examples/Data_views_set_default_data_view_request'
            schema:
              type: object
              properties:
                data_view_id:
                  description: |
                    The data view identifier. NOTE: The API does not validate whether it is a valid identifier. Use `null` to unset the default data view.
                  nullable: true
                  type: string
                force:
                  default: false
                  description: Update an existing default data view identifier.
                  type: boolean
              required:
                - data_view_id
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                setDefaultDataViewResponse:
                  $ref: '#/components/examples/Data_views_set_default_data_view_response'
              schema:
                type: object
                properties:
                  acknowledged:
                    type: boolean
          description: Indicates a successful call.
        '400':
          content:
            application/json:
              examples:
                setDefaultDataViewBadRequest:
                  $ref: '#/components/examples/Data_views_error_400_response'
              schema:
                $ref: '#/components/schemas/Data_views_400_response'
          description: Bad request
      summary: Set the default data view
      tags:
        - data views
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X POST "${KIBANA_URL}/api/data_views/default" \
              -H "Authorization: ApiKey ${API_KEY}" \
              -H "kbn-xsrf: true" \
              -H "Content-Type: application/json" \
              -d '{"data_view_id":"ff959d40-b880-11e8-a6d9-e546fe2bba5f","force":true}'
        - lang: Console
          source: |
            POST kbn:/api/data_views/default
            {"data_view_id":"ff959d40-b880-11e8-a6d9-e546fe2bba5f","force":true}
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/data_views/swap_references:
    post:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/data_views/swap_references</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Swap saved object references from one data view to another. Use this endpoint to update dashboards, visualizations, and other saved objects that reference a data view. WARNING: Misuse can break large numbers of saved objects! Use the [`_preview`](https://www.elastic.co/docs/api/doc/kibana/operation/operation-previewswapdataviewsdefault) endpoint to see which saved objects would be affected before making changes.
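
        The preview-first workflow recommended above, as an added example that is not part of the Kibana code base. Endpoint paths, body fields and response fields are the ones in this specification; `MAX_OBJECTS`, `ALLOWED_TYPES`, the function names and the injected `http` function are assumptions.

        ```javascript
        // Added example: refuse to swap data view references unless the _preview
        // result stays inside an agreed blast radius.
        const MAX_OBJECTS = 50; // assumed limit on how many saved objects one swap may touch
        const ALLOWED_TYPES = new Set(['dashboard', 'visualization', 'lens', 'search']); // assumed policy

        // Constructed sample of a _preview response (ids are made up).
        const SAMPLE_PREVIEW = {
          result: [
            { id: 'constructed-dash-1', type: 'dashboard' },
            { id: 'constructed-dash-2', type: 'dashboard' },
            { id: 'constructed-lens-1', type: 'lens' },
          ],
        };

        // Decide from a _preview response whether the real swap may proceed.
        function evaluatePreview(preview, { maxObjects = MAX_OBJECTS, allowedTypes = ALLOWED_TYPES } = {}) {
          const result = preview && Array.isArray(preview.result) ? preview.result : null;
          if (result === null) {
            return { ok: false, reasons: ['preview response has no result array'], byType: {} };
          }
          const byType = {};
          for (const item of result) {
            const type = item && typeof item.type === 'string' ? item.type : '(missing type)';
            byType[type] = (byType[type] || 0) + 1;
          }
          const reasons = [];
          if (result.length === 0) reasons.push('no saved object references fromId');
          if (result.length > maxObjects) reasons.push(`${result.length} objects exceeds limit ${maxObjects}`);
          const unexpected = Object.keys(byType).filter((t) => !allowedTypes.has(t)).sort();
          if (unexpected.length) reasons.push(`unexpected saved object types: ${unexpected.join(', ')}`);
          return { ok: reasons.length === 0, reasons, byType };
        }

        // Run _preview, apply the policy, and call the real endpoint only if it passes.
        // `http(path, body)` must POST JSON and resolve to the parsed response.
        async function guardedSwap(http, { fromId, toId, del = false }, policy) {
          if (!fromId || !toId || fromId === toId) {
            throw new Error('fromId and toId must be distinct, non-empty ids');
          }
          const preview = await http('/api/data_views/swap_references/_preview', { fromId, toId });
          const verdict = evaluatePreview(preview, policy);
          if (!verdict.ok) return { swapped: false, ...verdict };

          const swap = await http('/api/data_views/swap_references', { fromId, toId, delete: del });
          const changed = Array.isArray(swap.result) ? swap.result.length : 0;
          return {
            swapped: true,
            ...verdict,
            changed,
            // Objects were added or removed between the preview and the swap.
            drift: changed !== preview.result.length,
            deleteStatus: swap.deleteStatus,
          };
        }

        // HTTP helper using the same headers as the curl samples in this specification.
        function kibanaPost(baseUrl, apiKey) {
          return async (path, body) => {
            const res = await fetch(`${baseUrl}${path}`, {
              method: 'POST',
              headers: {
                Authorization: `ApiKey ${apiKey}`,
                'kbn-xsrf': 'true',
                'Content-Type': 'application/json',
              },
              body: JSON.stringify(body),
            });
            if (!res.ok) throw new Error(`${path} returned HTTP ${res.status}`);
            return res.json();
          };
        }
        ```

        Call `guardedSwap(kibanaPost(url, key), { fromId, toId, del: true })` and treat `swapped: false` or `drift: true` as a reason to stop and review.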
      operationId: swapDataViewsDefault
      parameters:
        - $ref: '#/components/parameters/Data_views_kbn_xsrf'
      requestBody:
        content:
          application/json:
            examples:
              swapDataViewRequest:
                $ref: '#/components/examples/Data_views_swap_data_view_request'
            schema:
              $ref: '#/components/schemas/Data_views_swap_data_view_request_object'
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                swapDataViewResponse:
                  $ref: '#/components/examples/Data_views_swap_data_view_response'
              schema:
                type: object
                properties:
                  deleteStatus:
                    type: object
                    properties:
                      deletePerformed:
                        type: boolean
                      remainingRefs:
                        type: integer
                  result:
                    items:
                      type: object
                      properties:
                        id:
                          description: A saved object identifier.
                          type: string
                        type:
                          description: The saved object type.
                          type: string
                    type: array
          description: Indicates a successful call.
      summary: Swap saved object references
      tags:
        - data views
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X POST "${KIBANA_URL}/api/data_views/swap_references" \
              -H "Authorization: ApiKey ${API_KEY}" \
              -H "kbn-xsrf: true" \
              -H "Content-Type: application/json" \
              -d '{"fromId":"abcd-efg","toId":"xyz-123","delete":true}'
        - lang: Console
          source: |
            POST kbn:/api/data_views/swap_references
            {"fromId":"abcd-efg","toId":"xyz-123","delete":true}
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/data_views/swap_references/_preview:
    post:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/data_views/swap_references/_preview</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Preview the effect of swapping saved object references from one data view to another. Returns the list of affected saved objects without making any changes.
      operationId: previewSwapDataViewsDefault
      parameters:
        - $ref: '#/components/parameters/Data_views_kbn_xsrf'
      requestBody:
        content:
          application/json:
            examples:
              previewSwapDataViewRequest:
                $ref: '#/components/examples/Data_views_preview_swap_data_view_request'
            schema:
              $ref: '#/components/schemas/Data_views_swap_data_view_request_object'
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                previewSwapDataViewResponse:
                  $ref: '#/components/examples/Data_views_preview_swap_data_view_response'
              schema:
                type: object
                properties:
                  result:
                    items:
                      type: object
                      properties:
                        id:
                          description: A saved object identifier.
                          type: string
                        type:
                          description: The saved object type.
                          type: string
                    type: array
          description: Indicates a successful call.
      summary: Preview swap references
      tags:
        - data views
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X POST "${KIBANA_URL}/api/data_views/swap_references/_preview" \
              -H "Authorization: ApiKey ${API_KEY}" \
              -H "kbn-xsrf: true" \
              -H "Content-Type: application/json" \
              -d '{"fromId":"abcd-efg","toId":"xyz-123"}'
        - lang: Console
          source: |
            POST kbn:/api/data_views/swap_references/_preview
            {"fromId":"abcd-efg","toId":"xyz-123"}
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/detection_engine/privileges:
    get:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/detection_engine/privileges</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Retrieves whether or not the user is authenticated, and the user's Kibana
        space and index privileges, which determine if the user can create an
        index for the Elastic Security alerts generated by
        detection engine rules.
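
        A least-privilege review of this endpoint's response, as an added example that is not part of the Kibana code base. Field names are the ones in the example response of this specification; the two policy lists and the function name are assumptions to adapt to your own role design.

        ```javascript
        // Added example: review a ReadPrivileges response before an API key is used
        // to manage detection rules.
        const REQUIRED_INDEX_PRIVS = ['read', 'write', 'view_index_metadata', 'maintenance']; // assumed
        const BROAD_CLUSTER_PRIVS = ['all', 'manage', 'manage_security', 'manage_api_key']; // assumed

        // Constructed sample, trimmed from the superuser example response in this specification.
        const SAMPLE_PRIVILEGES = {
          username: 'elastic',
          is_authenticated: true,
          has_encryption_key: true,
          cluster: { all: true, manage: true, manage_security: true, manage_api_key: true, monitor: true },
          index: {
            '.alerts-security.alerts-default': {
              all: true, read: true, write: true, view_index_metadata: true, maintenance: true,
            },
          },
        };

        // Returns findings with severity "block" (the key cannot do the job) or
        // "warn" (the key can do more than the job needs).
        function reviewPrivileges(resp, { required = REQUIRED_INDEX_PRIVS, broad = BROAD_CLUSTER_PRIVS } = {}) {
          const findings = [];
          const add = (severity, message) => findings.push({ severity, message });

          if (resp.is_authenticated !== true) add('block', 'caller is not authenticated');
          if (resp.has_encryption_key !== true) add('block', 'has_encryption_key is false');

          const indices = Object.entries(resp.index || {});
          if (indices.length === 0) add('block', 'no alerts index privileges were returned');
          for (const [name, privs] of indices) {
            // "all" implies every individual index privilege.
            const missing = required.filter((p) => privs[p] !== true && privs.all !== true);
            if (missing.length) add('block', `${name}: missing ${missing.join(', ')}`);
            if (privs.all === true) add('warn', `${name}: index privilege "all" is broader than needed`);
          }

          const cluster = resp.cluster || {};
          const granted = broad.filter((p) => cluster[p] === true);
          if (granted.length) add('warn', `broad cluster privileges granted: ${granted.join(', ')}`);

          return {
            usable: !findings.some((f) => f.severity === 'block'),
            leastPrivilege: !findings.some((f) => f.severity === 'warn'),
            findings,
          };
        }
        ```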
      operationId: ReadPrivileges
      responses:
        '200':
          content:
            application/json:
              examples:
                success:
                  value:
                    application: {}
                    cluster:
                      all: true
                      manage: true
                      manage_api_key: true
                      manage_index_templates: true
                      manage_ml: true
                      manage_own_api_key: true
                      manage_pipeline: true
                      manage_security: true
                      manage_transform: true
                      monitor: true
                      monitor_ml: true
                      monitor_transform: true
                    has_all_requested: true
                    has_encryption_key: true
                    index:
                      .alerts-security.alerts-default:
                        all: true
                        create: true
                        create_doc: true
                        create_index: true
                        delete: true
                        delete_index: true
                        index: true
                        maintenance: true
                        manage: true
                        monitor: true
                        read: true
                        view_index_metadata: true
                        write: true
                    is_authenticated: true
                    username: elastic
              schema:
                type: object
                properties:
                  has_encryption_key:
                    type: boolean
                  is_authenticated:
                    type: boolean
                required:
                  - is_authenticated
                  - has_encryption_key
          description: Successful response
        '401':
          content:
            application/json:
              examples:
                unauthorized:
                  value:
                    error: Unauthorized
                    message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]"
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
          description: Unsuccessful authentication response
        '500':
          content:
            application/json:
              examples:
                serverError:
                  value:
                    message: Internal Server Error
                    status_code: 500
              schema:
                $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse'
          description: Internal server error response
      summary: Returns user privileges for the Kibana space
      tags:
        - Security Detections API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/detection_engine/rules:
    delete:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/detection_engine/rules</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Delete a detection rule using the `rule_id` or `id` field.

        The URL query must include one of the following:

        * `id` - `DELETE /api/detection_engine/rules?id=<id>`
        * `rule_id` - `DELETE /api/detection_engine/rules?rule_id=<rule_id>`

        The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation.
      operationId: DeleteRule
      parameters:
        - description: The rule's `id` value.
          in: query
          name: id
          required: false
          schema:
            $ref: '#/components/schemas/Security_Detections_API_UUID'
        - description: The rule's `rule_id` value.
          in: query
          name: rule_id
          required: false
          schema:
            $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
      responses:
        '200':
          content:
            application/json:
              examples:
                deletedRule:
                  summary: Response shape after a rule is deleted
                  value:
                    actions: []
                    created_at: '2020-02-03T11:19:04.259Z'
                    created_by: elastic
                    description: Process started by MS Office program in user folder
                    enabled: false
                    false_positives: []
                    from: now-4200s
                    id: c41d170b-8ba6-4de6-b8ec-76440a35ace3
                    immutable: false
                    interval: 1h
                    language: kuery
                    max_signals: 100
                    name: MS Office child process
                    query: event.action:Process*
                    references: []
                    risk_score: 50
                    rule_id: process_started_by_ms_office_user_folder
                    severity: low
                    tags:
                      - tag
                    throttle: null
                    to: now
                    type: query
                    updated_at: '2020-02-03T11:19:04.462Z'
                    updated_by: elastic
                    version: 3
              schema:
                $ref: '#/components/schemas/Security_Detections_API_RuleResponse'
          description: Indicates a successful call.
      summary: Delete a detection rule
      tags:
        - Security Detections API
      x-codeSamples:
        - lang: cURL
          source: |
            curl \
              --request DELETE "https://localhost:5601/api/detection_engine/rules?rule_id=bfeaf89b-a2a7-48a3-817f-e41829dc61ee" \
              --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31"
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    get:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/detection_engine/rules</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Retrieve a detection rule using the `rule_id` or `id` field.

        The URL query must include one of the following:

        * `id` - `GET /api/detection_engine/rules?id=<id>`
        * `rule_id` - `GET /api/detection_engine/rules?rule_id=<rule_id>`

        The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation.
      operationId: ReadRule
      parameters:
        - description: The rule's `id` value.
          in: query
          name: id
          required: false
          schema:
            $ref: '#/components/schemas/Security_Detections_API_UUID'
        - description: The rule's `rule_id` value.
          in: query
          name: rule_id
          required: false
          schema:
            $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
      responses:
        '200':
          content:
            application/json:
              examples:
                example1:
                  summary: Example response for a retrieved rule
                  value:
                    created_at: '2020-02-03T11:19:04.259Z'
                    created_by: elastic
                    description: Process started by MS Office program in user folder
                    enabled: false
                    execution_summary:
                      last_execution:
                        date: '2022-03-23T16:06:12.787Z'
                        message: This rule attempted to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, but no matching index was found.
                        metrics:
                          execution_gap_duration_s: 0
                          total_indexing_duration_ms: 15
                          total_search_duration_ms: 135
                        status: partial failure
                        status_order: 20
                    false_positives: []
                    filters:
                      - query:
                          match:
                            event.action:
                              query: 'Process Create (rule: ProcessCreate)'
                              type: phrase
                    from: now-4200s
                    id: c41d170b-8ba6-4de6-b8ec-76440a35ace3
                    immutable: false
                    interval: 1h
                    language: kuery
                    max_signals: 100
                    name: MS Office child process
                    query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE
                    references: []
                    related_integrations:
                      - package: o365
                        version: ^2.3.2
                    required_fields:
                      - ecs: true
                        name: process.name
                        type: keyword
                      - ecs: true
                        name: process.parent.name
                        type: keyword
                    risk_score: 21
                    rule_id: process_started_by_ms_office_user_folder
                    setup: ''
                    severity: low
                    tags:
                      - child process
                      - ms office
                    threat:
                      - framework: MITRE ATT&CK
                        tactic:
                          id: TA0001
                          name: Initial Access
                          reference: https://attack.mitre.org/tactics/TA0001
                        technique:
                          - id: T1193
                            name: Spearphishing Attachment
                            reference: https://attack.mitre.org/techniques/T1193
                    to: now-300s
                    type: query
                    updated_at: '2020-02-03T11:19:04.462Z'
                    updated_by: elastic
                    version: 1
              schema:
                $ref: '#/components/schemas/Security_Detections_API_RuleResponse'
          description: |
            Indicates a successful call.
            > info
            > These fields are under development and their usage or schema may change: execution_summary.
      summary: Retrieve a detection rule
      tags:
        - Security Detections API
      x-codeSamples:
        - lang: cURL
          source: |
            curl \
              --request GET "https://localhost:5601/api/detection_engine/rules?rule_id=bfeaf89b-a2a7-48a3-817f-e41829dc61ee" \
              --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31"
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    patch:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb patch">patch</span>&nbsp;<span class="operation-path">/s/{space_id}/api/detection_engine/rules</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Update specific fields of an existing detection rule using the `rule_id` or `id` field.

        The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation.
        > warn
        > When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running.

        > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change.
      operationId: PatchRule
      requestBody:
        content:
          application/json:
            examples:
              example1:
                summary: Patch query rule
                value:
                  id: 14b7b513-3d8d-4b22-b7da-a7ae632f7e76
                  name: New name
              example2:
                summary: Patch EQL rule
                value:
                  rule_id: process_started_by_ms_office_program_possible_payload
                  threat:
                    - framework: MITRE ATT&CK
                      tactic:
                        id: TA0001
                        name: Initial Access
                        reference: https://attack.mitre.org/tactics/TA0001
                      technique:
                        - id: T1193
                          name: Spearphishing Attachment
                          reference: https://attack.mitre.org/techniques/T1193
              example3:
                summary: Patch threshold rule
                value:
                  id: 005d2c4f-51ca-493d-a2bd-20ef076339b1
                  query: 'agent.version : * and agent.id : "243d9b4f-ca01-4311-8e5c-9abbee91afd8"'
                  threshold:
                    cardinality: []
                    field: []
                    value: 600
              example4:
                summary: Patch new terms rule
                value:
                  history_window_start: now-3d
                  id: 569aac91-40dc-4807-a8ae-a2c8698089c4
                  new_terms_fields:
                    - Endpoint.policy.applied.artifacts.global.identifiers.name
              example5:
                summary: Patch ES|QL rule
                value:
                  id: 0b15e8a2-49b6-47e0-a8e6-d63a6cc335bd
                  query: |
                    FROM logs-abc*
                    | STATS count = COUNT(*), min_timestamp = MIN(@timestamp)
                    | EVAL event_rate = count / DATE_DIFF("seconds", min_timestamp, NOW())
                    | KEEP event_rate
              example6:
                summary: Patch indicator match rule
                value:
                  id: 462f1986-10fe-40a3-a22c-2b1c9c4c48fd
                  threat_query: '@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:"false"'
              example7:
                summary: Patch machine learning rule
                value:
                  anomaly_threshold: 50
                  id: 60b13926-289b-41b1-a537-197ef1fa5059
                  machine_learning_job_id:
                    - auth_high_count_logon_events_ea
            schema:
              $ref: '#/components/schemas/Security_Detections_API_RulePatchProps'
        description: |
          > info
          > You cannot modify the `id` or `rule_id` values.
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                example1:
                  summary: Example response for an updated rule
                  value:
                    actions: []
                    created_at: '2020-04-07T14:51:09.755Z'
                    created_by: elastic
                    description: Updated description for the rule.
                    enabled: false
                    false_positives: []
                    filters:
                      - query: null
                    from: now-70m
                    id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1
                    immutable: false
                    interval: 1h
                    language: kuery
                    max_signals: 100
                    name: Updated Rule Name
                    query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE
                    references: []
                    related_integrations:
                      - package: o365
                    required_fields:
                      - name: process.parent.name
                    risk_score: 50
                    rule_id: process_started_by_ms_office_program
                    setup: ''
                    severity: low
                    tags:
                      - child process
                      - ms office
                    threat: []
                    to: now
                    type: query
                    updated_at: '2020-04-07T14:51:09.970Z'
                    updated_by: elastic
                    version: 2
              schema:
                $ref: '#/components/schemas/Security_Detections_API_RuleResponse'
          description: Indicates a successful call.
      summary: Patch a detection rule
      tags:
        - Security Detections API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    post:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/detection_engine/rules</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Create a new detection rule.
        > warn
        > When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running.
        >
        > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change.

        You can create the following types of rules:

        * **Custom query**: Searches the defined indices and creates an alert when a document matches the rule's KQL query.
        * **Event correlation**: Searches the defined indices and creates an alert when results match an [Event Query Language (EQL)](https://www.elastic.co/guide/en/elasticsearch/reference/current/eql.html) query.
        * **Threshold**: Searches the defined indices and creates an alert when the number of times the specified field's value meets the threshold during a single execution. When there are multiple values that meet the threshold, an alert is generated for each value.
          For example, if the threshold `field` is `source.ip` and its `value` is `10`, an alert is generated for every source IP address that appears in at least 10 of the rule's search results. If you're interested, see [Terms Aggregation](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-bucket-terms-aggregation.html) for more information.
        * **Indicator match**: Creates an alert when fields match values defined in the specified [Elasticsearch index](https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html). For example, you can create an index for IP addresses and use this index to create an alert whenever an event's `destination.ip` equals a value in the index. The index's field mappings should be [ECS-compliant](https://www.elastic.co/guide/en/ecs/current/ecs-reference.html).
        * **New terms**: Generates an alert for each new term detected in source documents within a specified time range.
        * **ES|QL**: Uses [Elasticsearch Query Language (ES|QL)](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql.html) to find events and aggregate search results.
        * **Machine learning rules**: Creates an alert when a machine learning job discovers an anomaly above the defined threshold.
        > info
        > To create machine learning rules, you must have the [appropriate license](https://www.elastic.co/subscriptions) or use a [cloud deployment](https://cloud.elastic.co/registration). Additionally, for the machine learning rule to function correctly, the associated machine learning job must be running.

        To retrieve machine learning job IDs, which are required to create machine learning rules, call the [Elasticsearch Get jobs API](https://www.elastic.co/guide/en/elasticsearch/reference/current/ml-get-job.html). Machine learning jobs that contain `siem` in the `groups` field can be used to create rules:

        ```json
        ...
        "job_id": "linux_anomalous_network_activity_ecs",
        "job_type": "anomaly_detector",
        "job_version": "7.7.0",
        "groups": [
          "auditbeat",
          "process",
          "siem"
        ],
        ...
        ```

        Additionally, you can set up notifications for when rules create alerts. The notifications use the [Alerting and Actions framework](https://www.elastic.co/docs/explore-analyze/alerting). Each action type requires a connector. Connectors store the information required to send notifications via external systems. The following connector types are supported for rule notifications:

        * Slack
        * Email
        * PagerDuty
        * Webhook
        * Microsoft Teams
        * IBM Resilient
        * Jira
        * ServiceNow ITSM
        > info
        > For more information on PagerDuty fields, see [Send a v2 Event](https://developer.pagerduty.com/docs/events-api-v2/trigger-events/).

        To retrieve connector IDs, which are required to configure rule notifications, call the [Find objects API](https://www.elastic.co/docs/api/doc/kibana/operation/operation-findsavedobjects) with `"type": "action"` in the request payload.

        For detailed information on Kibana actions and alerting, and additional API calls, see:

        * [Alerting API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-alerting)
        * [Alerting and Actions framework](https://www.elastic.co/docs/explore-analyze/alerting)
        * [Connectors API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-connectors)
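
        The following JavaScript sketch is an added example, not part of the Kibana documentation or code base. It ties together the steps described above: pick a machine learning job that lists `siem` in `groups`, look up a connector ID, and build the create request. Both sample responses are constructed, the `attributes.actionTypeId` field of the connector saved object is an assumption, and all function names are hypothetical.

        ```javascript
        'use strict';

        // Constructed sample: trimmed Elasticsearch Get jobs API response.
        const sampleJobsResponse = {
          jobs: [
            { job_id: 'linux_anomalous_network_activity_ecs', groups: ['auditbeat', 'process', 'siem'] },
            { job_id: 'example_capacity_forecast', groups: ['observability'] },
            { job_id: 'example_ungrouped_job' },
          ],
        };

        // Constructed sample: Find objects API result for "type": "action".
        // The attribute names (name, actionTypeId) are an assumption about the saved object shape.
        const sampleConnectorsResponse = {
          saved_objects: [
            { type: 'action', id: '5ad22cd5-5e6e-4c6c-a81a-54b626a4cec5', attributes: { name: 'SOC Slack', actionTypeId: '.slack' } },
            { type: 'action', id: '00000000-0000-4000-8000-000000000001', attributes: { name: 'SOC mailbox', actionTypeId: '.email' } },
          ],
        };

        // Only jobs that list `siem` in `groups` can back a machine learning rule.
        function siemJobIds(jobsResponse) {
          return (jobsResponse.jobs || [])
            .filter((job) => Array.isArray(job.groups) && job.groups.includes('siem'))
            .map((job) => job.job_id);
        }

        // Return the saved object ID of the first connector with the given action type.
        function findConnectorId(findResponse, actionTypeId) {
          const hit = (findResponse.saved_objects || []).find(
            (so) => so.type === 'action' && so.attributes && so.attributes.actionTypeId === actionTypeId
          );
          if (!hit) throw new Error(`no connector of type ${actionTypeId}`);
          return hit.id;
        }

        // Build the request body for a machine learning rule with one notification action.
        function buildMlRule(opts, jobsResponse, findResponse) {
          if (!siemJobIds(jobsResponse).includes(opts.jobId)) {
            throw new Error(`job ${opts.jobId} is not in the siem group`);
          }
          // Sanity check chosen for this example, not taken from the API schema.
          if (!Number.isInteger(opts.anomalyThreshold) || opts.anomalyThreshold < 0) {
            throw new Error('anomaly_threshold must be a non-negative integer');
          }
          return {
            type: 'machine_learning',
            rule_id: opts.ruleId,
            name: opts.name,
            description: opts.description,
            machine_learning_job_id: opts.jobId,
            anomaly_threshold: opts.anomalyThreshold,
            risk_score: opts.riskScore,
            severity: opts.severity,
            from: 'now-6m',
            interval: '5m',
            enabled: false, // this example creates the rule disabled so it can be reviewed first
            actions: [
              {
                action_type_id: opts.actionTypeId,
                group: 'default',
                id: findConnectorId(findResponse, opts.actionTypeId),
                params: { message: 'Urgent: {{context.rule.description}}' },
              },
            ],
          };
        }

        // Assemble the HTTP request. The API key sent here is the key that gets
        // assigned to the rule, so its privileges decide what the rule can read.
        function buildCreateRequest(kibanaUrl, spaceId, apiKey, rule) {
          const prefix = spaceId ? `/s/${encodeURIComponent(spaceId)}` : '';
          return {
            url: `${kibanaUrl.replace(/\/+$/, '')}${prefix}/api/detection_engine/rules`,
            method: 'POST',
            headers: {
              Authorization: `ApiKey ${apiKey}`,
              'Content-Type': 'application/json',
              'kbn-xsrf': 'true',
            },
            body: JSON.stringify(rule),
          };
        }

        // Demo with placeholder URL and key; pass the result to fetch(url, { method, headers, body }).
        const demoRule = buildMlRule(
          {
            jobId: 'linux_anomalous_network_activity_ecs',
            anomalyThreshold: 70,
            ruleId: 'ml_linux_network_high_threshold',
            name: 'Anomalous Linux network activity',
            description: 'Generates alerts when the job discovers anomalies over 70',
            riskScore: 70,
            severity: 'high',
            actionTypeId: '.slack',
          },
          sampleJobsResponse,
          sampleConnectorsResponse
        );
        const demoRequest = buildCreateRequest('https://kibana.example', 'default', '<API_KEY>', demoRule);
        console.log(demoRequest.method, demoRequest.url);
        ```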
      operationId: CreateRule
      requestBody:
        content:
          application/json:
            examples:
              example1:
                description: Query rule that searches for processes started by MS Office
                summary: Query rule
                value:
                  description: Process started by MS Office program - possible payload
                  enabled: false
                  filters:
                    - query:
                        match:
                          event.action:
                            query: 'Process Create (rule: ProcessCreate)'
                            type: phrase
                  from: now-70m
                  interval: 1h
                  language: kuery
                  name: MS Office child process
                  query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE
                  related_integrations:
                    - package: o365
                      version: ^2.3.2
                  required_fields:
                    - name: process.parent.name
                      type: keyword
                  risk_score: 50
                  rule_id: process_started_by_ms_office_program
                  severity: low
                  tags:
                    - child process
                    - ms office
                  type: query
              example2:
                description: Threshold rule that detects multiple failed login attempts to a Windows host from the same external source IP address
                summary: Threshold rule
                value:
                  description: Detects when there are 20 or more failed login attempts from the same IP address within a 2-minute time frame.
                  enabled: true
                  exceptions_list:
                    - id: int-ips
                      namespace_type: single
                      type: detection
                  from: now-180s
                  index:
                    - winlogbeat-*
                  interval: 2m
                  name: Windows server prml-19
                  query: host.name:prml-19 and event.category:authentication and event.outcome:failure
                  required_fields:
                    - name: source.ip
                      type: ip
                  risk_score: 30
                  rule_id: liv-win-ser-logins
                  severity: low
                  severity_mapping:
                    - field: source.geo.city_name
                      operator: equals
                      severity: low
                      value: Manchester
                    - field: source.geo.city_name
                      operator: equals
                      severity: medium
                      value: London
                    - field: source.geo.city_name
                      operator: equals
                      severity: high
                      value: Birmingham
                    - field: source.geo.city_name
                      operator: equals
                      severity: critical
                      value: Wallingford
                  tags:
                    - Brute force
                  threshold:
                    field: source.ip
                    value: 20
                  type: threshold
              example3:
                description: Machine learning rule that creates alerts, and sends Slack notifications, when the linux_anomalous_network_activity_ecs machine learning job discovers anomalies with a threshold of 70 or above.
                summary: Machine learning rule
                value:
                  actions:
                    - action_type_id: .slack
                      group: default
                      id: 5ad22cd5-5e6e-4c6c-a81a-54b626a4cec5
                      params:
                        message: 'Urgent: {{context.rule.description}}'
                  anomaly_threshold: 70
                  description: Generates alerts when the job discovers anomalies over 70
                  enabled: true
                  from: now-6m
                  interval: 5m
                  machine_learning_job_id: linux_anomalous_network_activity_ecs
                  name: Anomalous Linux network activity
                  note: Shut down the internet.
                  risk_score: 70
                  rule_id: ml_linux_network_high_threshold
                  setup: This rule requires data coming in from Elastic Defend.
                  severity: high
                  tags:
                    - machine learning
                    - Linux
                  type: machine_learning
              example4:
                description: Event correlation rule that creates alerts when the Windows rundll32.exe process makes unusual network connections
                summary: EQL rule
                value:
                  description: Unusual rundll32.exe network connection
                  language: eql
                  name: rundll32.exe network connection
                  query: sequence by process.entity_id with maxspan=2h [process where event.type in ("start", "process_started") and (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe") and ((process.args == "rundll32.exe" and process.args_count == 1) or (process.args != "rundll32.exe" and process.args_count == 0))] [network where event.type == "connection" and (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe")]
                  required_fields:
                    - name: event.type
                      type: keyword
                    - name: process.args
                      type: keyword
                    - name: process.args_count
                      type: long
                    - name: process.entity_id
                      type: keyword
                    - name: process.name
                      type: keyword
                    - name: process.pe.original_file_name
                      type: keyword
                  risk_score: 21
                  rule_id: eql-outbound-rundll32-connections
                  severity: low
                  tags:
                    - EQL
                    - Windows
                    - rundll32.exe
                  type: eql
              example5:
                description: |
                  Indicator match rule that creates an alert when one of the following is true: the event's destination IP address and port number match the destination IP and port values in the threat_index index; the event's source IP address matches a host IP address value in the threat_index index.
                summary: Indicator match rule
                value:
                  actions: []
                  description: Checks for bad IP addresses listed in the ip-threat-list index
                  index:
                    - packetbeat-*
                  name: Bad IP threat match
                  query: destination.ip:* or host.ip:*
                  required_fields:
                    - name: destination.ip
                      type: ip
                    - name: destination.port
                      type: long
                    - name: host.ip
                      type: ip
                  risk_score: 50
                  severity: medium
                  threat_index:
                    - ip-threat-list
                  threat_mapping:
                    - entries:
                        - field: destination.ip
                          type: mapping
                          value: destination.ip
                        - field: destination.port
                          type: mapping
                          value: destination.port
                    - entries:
                        - field: source.ip
                          type: mapping
                          value: host.ip
                  threat_query: '*:*'
                  type: threat_match
              example6:
                description: New terms rule that creates alerts when a new IP address is detected for a user
                summary: New terms rule
                value:
                  description: Detects a user associated with a new IP address
                  history_window_start: now-30d
                  index:
                    - auditbeat*
                  language: kuery
                  name: New User IP Detected
                  new_terms_fields:
                    - user.id
                    - source.ip
                  query: '*'
                  required_fields:
                    - name: user.id
                      type: keyword
                    - name: source.ip
                      type: ip
                  risk_score: 21
                  severity: medium
                  type: new_terms
              example7:
                description: ES|QL rule that creates alerts from events that match an Excel parent process
                summary: ES|QL rule
                value:
                  description: Find Excel events
                  enabled: false
                  from: now-360s
                  interval: 5m
                  language: esql
                  name: Find Excel events
                  query: from auditbeat-8.10.2 METADATA _id, _version, _index | where process.parent.name == "EXCEL.EXE"
                  required_fields:
                    - name: process.parent.name
                      type: keyword
                  risk_score: 21
                  severity: low
                  tags: []
                  to: now
                  type: esql
              example8:
                description: Query rule that searches for processes started by MS Office and suppresses alerts by the process.parent.name field within a 5-hour time period
                summary: Query rule 2
                value:
                  alert_suppression:
                    duration:
                      unit: h
                      value: 5
                    group_by:
                      - process.parent.name
                    missing_fields_strategy: suppress
                  description: Process started by MS Office program - possible payload
                  enabled: false
                  filters:
                    - query:
                        match:
                          event.action:
                            query: 'Process Create (rule: ProcessCreate)'
                            type: phrase
                  from: now-70m
                  interval: 1h
                  language: kuery
                  name: MS Office child process
                  query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE
                  risk_score: 50
                  rule_id: process_started_by_ms_office_program
                  severity: low
                  tags:
                    - child process
                    - ms office
                  type: query
            schema:
              $ref: '#/components/schemas/Security_Detections_API_RuleCreateProps'
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                example1:
                  description: Example response for a query rule
                  summary: Query rule response
                  value:
                    actions: []
                    created_at: '2020-04-07T14:51:09.755Z'
                    created_by: elastic
                    description: Process started by MS Office program - possible payload
                    enabled: false
                    false_positives: []
                    filters:
                      - query:
                          match:
                            event.action:
                              query: 'Process Create (rule: ProcessCreate)'
                              type: phrase
                    from: now-70m
                    id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1
                    immutable: false
                    interval: 1h
                    language: kuery
                    max_signals: 100
                    name: MS Office child process
                    query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE
                    references: []
                    related_integrations:
                      - package: o365
                        version: ^2.3.2
                      - integration: graphactivitylogs
                        package: azure
                        version: ^1.11.4
                    required_fields:
                      - ecs: true
                        name: process.parent.name
                        type: keyword
                    risk_score: 50
                    rule_id: process_started_by_ms_office_program
                    setup: ''
                    severity: low
                    tags:
                      - child process
                      - ms office
                    threat: []
                    to: now
                    type: query
                    updated_at: '2020-04-07T14:51:09.970Z'
                    updated_by: elastic
                    version: 1
                example2:
                  description: Example response for a machine learning job rule
                  summary: Machine learning response
                  value:
                    actions:
                      - action_type_id: .slack
                        frequency:
                          notifyWhen: onActiveAlert
                          summary: true
                          throttle: null
                        group: default
                        id: 5ad22cd5-5e6e-4c6c-a81a-54b626a4cec5
                        params:
                          message: 'Urgent: {{context.rule.description}}'
                    anomaly_threshold: 70
                    created_at: '2020-04-07T14:45:15.679Z'
                    created_by: elastic
                    description: Generates alerts when the job discovers anomalies over 70
                    enabled: true
                    false_positives: []
                    from: now-6m
                    id: 83876f66-3a57-4a99-bf37-416494c80f3b
                    immutable: false
                    interval: 5m
                    machine_learning_job_id: linux_anomalous_network_activity_ecs
                    max_signals: 100
                    name: Anomalous Linux network activity
                    note: Shut down the internet.
                    references: []
                    related_integrations: []
                    required_fields: []
                    risk_score: 70
                    rule_id: ml_linux_network_high_threshold
                    setup: ''
                    severity: high
                    status: going to run
                    status_date: '2020-04-07T14:45:21.685Z'
                    tags:
                      - machine learning
                      - Linux
                    threat: []
                    to: now
                    type: machine_learning
                    updated_at: '2020-04-07T14:45:15.892Z'
                    updated_by: elastic
                    version: 1
                example3:
                  description: Example response for a threshold rule
                  summary: Threshold rule response
                  value:
                    actions: []
                    author: []
                    created_at: '2020-07-22T10:27:23.486Z'
                    created_by: elastic
                    description: Detects when there are 20 or more failed login attempts from the same IP address within a 2-minute time frame.
                    enabled: true
                    exceptions_list:
                      - id: int-ips
                        namespace_type: single
                        type: detection
                    false_positives: []
                    from: now-180s
                    id: 15dbde26-b627-4d74-bb1f-a5e0ed9e4993
                    immutable: false
                    index:
                      - winlogbeat-*
                    interval: 2m
                    language: kuery
                    max_signals: 100
                    name: Windows server prml-19
                    query: host.name:prml-19 and event.category:authentication and event.outcome:failure
                    references: []
                    related_integrations:
                      - package: o365
                        version: ^2.3.2
                    required_fields:
                      - ecs: true
                        name: source.ip
                        type: ip
                    risk_score: 30
                    risk_score_mapping: []
                    rule_id: liv-win-ser-logins
                    setup: ''
                    severity: low
                    severity_mapping:
                      - field: source.geo.city_name
                        operator: equals
                        severity: low
                        value: Manchester
                      - field: source.geo.city_name
                        operator: equals
                        severity: medium
                        value: London
                      - field: source.geo.city_name
                        operator: equals
                        severity: high
                        value: Birmingham
                      - field: source.geo.city_name
                        operator: equals
                        severity: critical
                        value: Wallingford
                    tags:
                      - Brute force
                    threat: []
                    threshold:
                      field: source.ip
                      value: 20
                    to: now
                    type: threshold
                    updated_at: '2020-07-22T10:27:23.673Z'
                    updated_by: elastic
                    version: 1
                example4:
                  description: Example response for an EQL rule
                  summary: EQL rule response
                  value:
                    author: []
                    created_at: '2020-10-05T09:06:16.392Z'
                    created_by: elastic
                    description: Unusual rundll32.exe network connection
                    enabled: true
                    exceptions_list: []
                    false_positives: []
                    from: now-6m
                    id: 93808cae-b05b-4dc9-8479-73574b50f8b1
                    immutable: false
                    interval: 5m
                    language: eql
                    max_signals: 100
                    name: rundll32.exe network connection
                    query: sequence by process.entity_id with maxspan=2h [process where event.type in ("start", "process_started") and (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe") and ((process.args == "rundll32.exe" and process.args_count == 1) or (process.args != "rundll32.exe" and process.args_count == 0))] [network where event.type == "connection" and (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe")]
                    references: []
                    related_integrations:
                      - package: o365
                        version: ^2.3.2
                    required_fields:
                      - ecs: true
                        name: event.type
                        type: keyword
                      - ecs: true
                        name: process.args
                        type: keyword
                      - ecs: true
                        name: process.args_count
                        type: long
                      - ecs: true
                        name: process.entity_id
                        type: keyword
                      - ecs: true
                        name: process.name
                        type: keyword
                      - ecs: true
                        name: process.pe.original_file_name
                        type: keyword
                    risk_score: 21
                    risk_score_mapping: []
                    rule_id: eql-outbound-rundll32-connections
                    setup: ''
                    severity: low
                    severity_mapping: []
                    tags:
                      - EQL
                      - Windows
                      - rundll32.exe
                    threat: []
                    throttle: no_actions
                    to: now
                    type: eql
                    updated_at: '2020-10-05T09:06:16.403Z'
                    updated_by: elastic
                    version: 1
                example5:
                  description: Example response for an indicator match rule
                  summary: Indicator match rule response
                  value:
                    author: []
                    created_at: '2020-10-06T07:07:58.227Z'
                    created_by: elastic
                    description: Checks for bad IP addresses listed in the ip-threat-list index
                    enabled: true
                    exceptions_list: []
                    false_positives: []
                    from: now-6m
                    id: d5daa13f-81fb-4b13-be2f-31011e1d9ae1
                    immutable: false
                    index:
                      - packetbeat-*
                    interval: 5m
                    language: kuery
                    max_signals: 100
                    name: Bad IP threat match
                    query: destination.ip:* or host.ip:*
                    references: []
                    related_integrations:
                      - package: o365
                        version: ^2.3.2
                    required_fields:
                      - ecs: true
                        name: destination.ip
                        type: ip
                      - ecs: true
                        name: destination.port
                        type: long
                      - ecs: true
                        name: host.ip
                        type: ip
                    risk_score: 50
                    risk_score_mapping: []
                    rule_id: 608501e4-c768-4f64-9326-cec55b5d439b
                    setup: ''
                    severity: medium
                    severity_mapping: []
                    tags: []
                    threat: []
                    threat_index:
                      - ip-threat-list
                    threat_mapping:
                      - entries:
                          - field: destination.ip
                            type: mapping
                            value: destination.ip
                          - field: destination.port
                            type: mapping
                            value: destination.port
                      - entries:
                          - field: source.ip
                            type: mapping
                            value: host.ip
                    threat_query: '*:*'
                    to: now
                    type: threat_match
                    updated_at: '2020-10-06T07:07:58.237Z'
                    updated_by: elastic
                    version: 1
                example6:
                  description: Example response for a new terms rule
                  summary: New terms rule response
                  value:
                    author: []
                    created_at: '2020-10-06T07:07:58.227Z'
                    created_by: elastic
                    description: Detects a user associated with a new IP address
                    enabled: true
                    exceptions_list: []
                    false_positives: []
                    from: now-6m
                    history_window_start: now-30d
                    id: eb7225c0-566b-11ee-8b4f-bbf3afdeb9f4
                    immutable: false
                    index:
                      - auditbeat*
                    interval: 5m
                    language: kuery
                    max_signals: 100
                    name: New User IP Detected
                    new_terms_fields:
                      - user.id
                      - source.ip
                    query: '*'
                    references: []
                    related_integrations:
                      - package: o365
                        version: ^2.3.2
                    required_fields:
                      - ecs: true
                        name: user.id
                        type: keyword
                      - ecs: true
                        name: source.ip
                        type: ip
                    risk_score: 21
                    risk_score_mapping: []
                    rule_id: c6f5d0bc-7be9-47d4-b2f3-073d22641e30
                    setup: ''
                    severity: medium
                    severity_mapping: []
                    tags: []
                    threat: []
                    to: now
                    type: new_terms
                    updated_at: '2020-10-06T07:07:58.237Z'
                    updated_by: elastic
                    version: 1
                example7:
                  description: Example response for an ES|QL rule
                  summary: ES|QL rule response
                  value:
                    actions: []
                    author: []
                    created_at: '2023-10-18T10:55:14.269Z'
                    created_by: elastic
                    description: Find Excel events
                    enabled: false
                    exceptions_list: []
                    false_positives: []
                    from: now-360s
                    id: d0f20490-6da4-11ee-b85e-09e9b661f2e2
                    immutable: false
                    interval: 5m
                    language: esql
                    max_signals: 100
                    name: Find Excel events
                    output_index: ''
                    query: from auditbeat-8.10.2 METADATA _id | where process.parent.name == "EXCEL.EXE"
                    references: []
                    related_integrations:
                      - package: o365
                        version: ^2.3.2
                    required_fields:
                      - ecs: true
                        name: process.parent.name
                        type: keyword
                    revision: 0
                    risk_score: 21
                    risk_score_mapping: []
                    rule_id: e4b53a89-debd-4a0d-a3e3-20606952e589
                    setup: ''
                    severity: low
                    severity_mapping: []
                    tags: []
                    threat: []
                    to: now
                    type: esql
                    updated_at: '2023-10-18T10:55:14.269Z'
                    updated_by: elastic
                    version: 1
              schema:
                $ref: '#/components/schemas/Security_Detections_API_RuleResponse'
          description: Indicates a successful call.
      summary: Create a detection rule
      tags:
        - Security Detections API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    put:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb put">put</span>&nbsp;<span class="operation-path">/s/{space_id}/api/detection_engine/rules</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Update a detection rule using the `rule_id` or `id` field. The original rule is replaced, and all unspecified fields are deleted.

        The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation.
        > warn
        > When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running.

        > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change.
      operationId: UpdateRule
      requestBody:
        content:
          application/json:
            examples:
              example1:
                summary: Update query rule
                value:
                  description: A new description
                  id: 14b7b513-3d8d-4b22-b7da-a7ae632f7e76
                  name: A new name for the rule
                  risk_score: 22
                  severity: medium
                  type: query
              example2:
                summary: Update EQL rule
                value:
                  description: eql rule test
                  id: 9b684efb-acf9-4323-9bff-8335b3867d14
                  index:
                    - apm-*-transaction*
                  language: eql
                  name: New name for EQL rule
                  query: process where process.name == "regsvr32.exe"
                  risk_score: 21
                  severity: low
                  type: eql
              example3:
                summary: Update threshold rule
                value:
                  description: Description of threat rule test
                  id: 005d2c4f-51ca-493d-a2bd-20ef076339b1
                  language: kuery
                  name: New name for threat rule
                  query: 'agent.version : * and agent.id : "243d9b4f-ca01-4311-8e5c-9abbee91afd8"'
                  risk_score: 21
                  severity: low
                  tags:
                    - new_tag
                  threshold:
                    cardinality: []
                    field: []
                    value: 400
                  type: threshold
              example4:
                summary: Update new terms rule
                value:
                  description: New description
                  history_window_start: now-7d
                  id: 569aac91-40dc-4807-a8ae-a2c8698089c4
                  interval: 5m
                  name: New terms rule name
                  new_terms_fields:
                    - Endpoint.policy.applied.artifacts.global.identifiers.name
                  query: 'agent.version : "9.1.0"'
                  risk_score: 21
                  severity: low
                  type: new_terms
              example5:
                summary: Update ES|QL rule
                value:
                  description: New description for esql rule
                  id: 0b15e8a2-49b6-47e0-a8e6-d63a6cc335bd
                  language: esql
                  name: New name for esql rule
                  query: |
                    FROM logs*
                    | STATS count = COUNT(*), min_timestamp = MIN(@timestamp) /* MIN(dateField) finds the earliest timestamp in the dataset. */
                    | EVAL event_rate = count / DATE_DIFF("seconds", min_timestamp, NOW()) /* Calculates the event rate by dividing the total count of events by the time difference (in seconds) between the earliest event and the current time. */
                    | KEEP event_rate
                  risk_score: 21
                  severity: low
                  type: esql
              example6:
                summary: Update indicator match rule
                value:
                  description: New description
                  id: 462f1986-10fe-40a3-a22c-2b1c9c4c48fd
                  name: New name for Indicator Match rule
                  query: source.ip:* or destination.ip:*
                  risk_score: 99
                  severity: critical
                  threat_index:
                    - filebeat-*
                    - logs-ti_*
                  threat_mapping:
                    - entries:
                        - field: source.ip
                          type: mapping
                          value: threat.indicator.ip
                    - entries:
                        - field: destination.ip
                          type: mapping
                          value: threat.indicator.ip
                  threat_query: '@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:"true"'
                  type: threat_match
              example7:
                summary: Update machine learning rule
                value:
                  anomaly_threshold: 50
                  description: New description of ml rule
                  id: 60b13926-289b-41b1-a537-197ef1fa5059
                  machine_learning_job_id:
                    - auth_high_count_logon_events_ea
                  name: New name of ml rule
                  risk_score: 21
                  severity: low
                  type: machine_learning
            schema:
              $ref: '#/components/schemas/Security_Detections_API_RuleUpdateProps'
        description: |
          > info
          > All unspecified fields are deleted. You cannot modify the `id` or `rule_id` values.
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                example1:
                  summary: Example response for an updated rule
                  value:
                    actions: []
                    created_at: '2020-04-07T14:51:09.755Z'
                    created_by: elastic
                    description: Updated description for the rule.
                    enabled: false
                    false_positives: []
                    filters:
                      - query: null
                    from: now-70m
                    id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1
                    immutable: false
                    interval: 1h
                    language: kuery
                    max_signals: 100
                    name: Updated Rule Name
                    query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE
                    references: []
                    related_integrations:
                      - package: o365
                    required_fields:
                      - name: process.parent.name
                    risk_score: 50
                    rule_id: process_started_by_ms_office_program
                    setup: ''
                    severity: low
                    tags:
                      - child process
                      - ms office
                    threat: []
                    to: now
                    type: query
                    updated_at: '2020-04-07T14:51:09.970Z'
                    updated_by: elastic
                    version: 2
              schema:
                $ref: '#/components/schemas/Security_Detections_API_RuleResponse'
          description: Indicates a successful call.
      summary: Update a detection rule
      tags:
        - Security Detections API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/detection_engine/rules/_bulk_action:
    post:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/detection_engine/rules/_bulk_action</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Apply a bulk action, such as bulk edit, duplicate, or delete, to multiple detection rules. The bulk action is applied to all rules that match the query or to the rules listed by their IDs.

        The edit action allows you to add, delete, or set tags, index patterns, investigation fields, rule actions and schedules for multiple rules at once.
        The edit action is idempotent, meaning that if you add a tag to a rule that already has that tag, no changes are made. The same is true for other edit actions; for example, removing an index pattern that is not specified in a rule does not result in any changes. The only exceptions are the `add_rule_actions` and `set_rule_actions` actions, which are non-idempotent. This means that if you add or set a rule action on a rule that already has that action, a new action is created with a new unique ID.
        > warn
        > When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running.

        > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change.
      operationId: PerformRulesBulkAction
      parameters:
        - description: |
            Enables dry run mode for the request call.

            Enable dry run mode to verify that bulk actions can be applied to specified rules. Certain rules, such as prebuilt Elastic rules on a Basic subscription, can’t be edited and will return errors in the request response. Error details will contain an explanation, the rule name and/or ID, and additional troubleshooting information.

            To enable dry run mode on a request, add the query parameter `dry_run=true` to the end of the request URL. Rules specified in the request will be temporarily updated. These updates won’t be written to Elasticsearch.
            > info
            > Dry run mode is not supported for the `export` bulk action. A 400 error will be returned in the request response.
          in: query
          name: dry_run
          required: false
          schema:
            type: boolean
      requestBody:
        content:
          application/json:
            examples:
              example01:
                description: The following request activates all rules with the test tag.
                summary: Enable - Enable all rules with the test tag
                value:
                  action: enable
                  query: 'alert.attributes.tags: "test"'
              example02:
                description: The following request enables the rule with the specified ID.
                summary: Enable - Enable a specific rule by ID
                value:
                  action: enable
                  ids:
                    - 748694f0-6977-4ea5-8384-cd2e39730779
              example03:
                description: The following request disables the rule with the specified ID.
                summary: Disable - Disable a specific rule by ID
                value:
                  action: disable
                  ids:
                    - 748694f0-6977-4ea5-8384-cd2e39730779
              example04:
                description: The following request duplicates rules with the specified IDs, including exceptions but not expired exceptions.
                summary: Duplicate - Duplicate rules with specific IDs
                value:
                  action: duplicate
                  duplicate:
                    include_exceptions: true
                    include_expired_exceptions: false
                  ids:
                    - 748694f0-6977-4ea5-8384-cd2e39730779
                    - 461a4c22-416e-4009-a9a7-cf79656454bf
              example05:
                description: The following request deletes the rule with the specified ID.
                summary: Delete - Delete a specific rule by ID
                value:
                  action: delete
                  ids:
                    - cf4abfd1-7c37-4519-ab0f-5ea5c75fac60
              example06:
                description: The following request runs the rule with the specified ID within the given date range.
                summary: Run - Run a specific rule by ID
                value:
                  action: run
                  ids:
                    - 748694f0-6977-4ea5-8384-cd2e39730779
                  run:
                    end_date: '2025-03-10T23:59:59.999Z'
                    start_date: '2025-03-01T00:00:00.000Z'
              example07:
                description: The following request exports the rules with the specified IDs.
                summary: Export - Export specific rules by ID
                value:
                  action: export
                  ids:
                    - 748694f0-6977-4ea5-8384-cd2e39730779
              example08:
                description: The following request will validate that the add_index_patterns bulk action can be successfully applied to three rules. The dry_run parameter is specified in query parameters, e.g. POST api/detection_engine/rules/_bulk_action?dry_run=true
                summary: Edit - dry run - Validate add_index_patterns bulk action
                value:
                  action: edit
                  edit:
                    - type: add_index_patterns
                      value:
                        - test-*
                  ids:
                    - 81aa0480-06af-11ed-94fb-dd1a0597d8d2
                    - dc015d10-0831-11ed-ac8b-05a222bd8d4a
                    - de8f5af0-0831-11ed-ac8b-05a222bd8d4a
              example09:
                description: The following request adds the tag "tag-1" to the rules with the specified IDs. If the tag already exists for a rule, no changes are made.
                summary: Edit - Add a tag to rules (idempotent)
                value:
                  action: edit
                  edit:
                    - type: add_tags
                      value:
                        - tag-1
                  ids:
                    - 8bc7dad0-9320-11ec-9265-8b772383a08d
                    - 8e5c1a40-9320-11ec-9265-8b772383a08d
              example10:
                description: The following request adds two tags at the same time, tag-1 and tag-2, to the rules that have the IDs sent in the payload. If the tags already exist for a rule, no changes are made.
                summary: Edit - Add two tags to rules (idempotent)
                value:
                  action: edit
                  edit:
                    - type: add_tags
                      value:
                        - tag-1
                        - tag-2
                  ids:
                    - 8bc7dad0-9320-11ec-9265-8b772383a08d
                    - 8e5c1a40-9320-11ec-9265-8b772383a08d
              example11:
                description: The following request removes the tag "tag-1" from the rules with the specified IDs. If the tag does not exist for a rule, no changes are made.
                summary: Edit - Delete a tag from rules (idempotent)
                value:
                  action: edit
                  edit:
                    - type: delete_tags
                      value:
                        - tag-1
                  ids:
                    - 8bc7dad0-9320-11ec-9265-8b772383a08d
                    - 8e5c1a40-9320-11ec-9265-8b772383a08d
              example12:
                description: The following request sets the tags "tag-1" and "tag-2" for the rules with the specified IDs, overwriting any existing tags. If the set of tags is the same as the existing tags, no changes are made.
                summary: Edit - Set (overwrite existing) tags for rules (idempotent)
                value:
                  action: edit
                  edit:
                    - type: set_tags
                      value:
                        - tag-1
                        - tag-2
                  ids:
                    - 8bc7dad0-9320-11ec-9265-8b772383a08d
                    - 8e5c1a40-9320-11ec-9265-8b772383a08d
              example13:
                description: The following request adds the index pattern "test-*" to the rules with the specified IDs. If the index pattern already exists for a rule, no changes are made.
                summary: Edit - Add index patterns to rules (idempotent)
                value:
                  action: edit
                  edit:
                    - type: add_index_patterns
                      value:
                        - test-*
                  ids:
                    - 81aa0480-06af-11ed-94fb-dd1a0597d8d2
                    - dc015d10-0831-11ed-ac8b-05a222bd8d4a
              example14:
                description: The following request removes the index pattern "test-*" from the rules with the specified IDs. If the index pattern does not exist for a rule, no changes are made.
                summary: Edit - Remove index patterns from rules (idempotent)
                value:
                  action: edit
                  edit:
                    - type: delete_index_patterns
                      value:
                        - test-*
                  ids:
                    - 81aa0480-06af-11ed-94fb-dd1a0597d8d2
                    - dc015d10-0831-11ed-ac8b-05a222bd8d4a
              example15:
                description: The following request sets the index patterns "test-*" and "prod-*" for the rules with the specified IDs, overwriting any existing index patterns. If the set of index patterns is the same as the existing index patterns, no changes are made.
                summary: Edit - Set (overwrite existing) index patterns for rules (idempotent)
                value:
                  action: edit
                  edit:
                    - type: set_index_patterns
                      value:
                        - test-*
                        - prod-*
                  ids:
                    - 81aa0480-06af-11ed-94fb-dd1a0597d8d2
                    - dc015d10-0831-11ed-ac8b-05a222bd8d4a
              example16:
                description: The following request adds an investigation field to the rules with the specified IDs.
                summary: Edit - Add investigation field to rules
                value:
                  action: edit
                  edit:
                    - type: add_investigation_fields
                      value:
                        field_names:
                          - alert.status
                  ids:
                    - 12345678-1234-1234-1234-1234567890ab
                    - 87654321-4321-4321-4321-0987654321ba
              example17:
                description: The following request deletes investigation fields from the rules with the specified IDs. If the field does not exist for a rule, no changes are made.
                summary: Edit - Delete investigation fields from rules (idempotent)
                value:
                  action: edit
                  edit:
                    - type: delete_investigation_fields
                      value:
                        field_names:
                          - field1
                          - field2
                  ids:
                    - 12345678-1234-1234-1234-1234567890ab
                    - 87654321-4321-4321-4321-0987654321ba
              example18:
                description: The following request sets investigation fields for the rules with the specified IDs, overwriting any existing investigation fields. If the set of investigation fields is the same as the existing investigation fields, no changes are made.
                summary: Edit - Set (overwrite existing) investigation fields for rules (idempotent)
                value:
                  action: edit
                  edit:
                    - type: set_investigation_fields
                      value:
                        field_names:
                          - field1
                          - field2
                  ids:
                    - 12345678-1234-1234-1234-1234567890ab
                    - 87654321-4321-4321-4321-0987654321ba
              example19:
                description: The following request sets a timeline template for the rules with the specified IDs. If the same timeline template is already set for a rule, no changes are made.
                summary: Edit - Set (overwrite existing) timeline template for rules (idempotent)
                value:
                  action: edit
                  edit:
                    - type: set_timeline
                      value:
                        timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd
                        timeline_title: Alerts Involving a Single User Timeline
                  ids:
                    - eacdfc95-e007-41c9-986e-4b2cbdfdc71b
              example20:
                description: The following request sets a schedule for the rules with the specified IDs. If the same schedule is already set for a rule, no changes are made.
                summary: Edit - Set (overwrite existing) schedule for rules (idempotent)
                value:
                  action: edit
                  edit:
                    - type: set_schedule
                      value:
                        interval: 1h
                        lookback: 30m
                  ids:
                    - 99887766-5544-3322-1100-aabbccddeeff
              example21:
                description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID.
                summary: Edit - Add rule actions to rules (non-idempotent)
                value:
                  action: edit
                  edit:
                    - type: add_rule_actions
                      value:
                        actions:
                          - group: default
                            id: 20fbf986-a270-460e-80f3-7b83c08b430f
                            params:
                              body: The message body
                  ids:
                    - 9e946bfc-3118-4c77-bb25-67d781191928
              example22:
                description: The following request sets rule actions for the rules with the specified IDs. Each action receives its own unique ID.
                summary: Edit - Set (overwrite existing) rule actions for rules (non-idempotent)
                value:
                  action: edit
                  edit:
                    - type: set_rule_actions
                      value:
                        actions:
                          - group: default
                            id: 20fbf986-a270-460e-80f3-7b83c08b430f
                            params:
                              body: The message body
                  ids:
                    - 9e946bfc-3118-4c77-bb25-67d781191928
              example23:
                description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID.
                summary: Edit - Add rule actions to rules for a webhook connector
                value:
                  action: edit
                  edit:
                    - type: add_rule_actions
                      value:
                        actions:
                          - group: default3
                            id: 20fbf986-a270-460e-80f3-7b83c08b430f
                            params:
                              body: The message body
                  ids:
                    - 9e946bfc-3118-4c77-bb25-67d781191921
              example24:
                description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID.
                summary: Edit - Add rule actions to rules for an email connector
                value:
                  action: edit
                  edit:
                    - type: add_rule_actions
                      value:
                        actions:
                          - group: default3
                            id: 20fbf986-a270-460e-80f3-7b83c08b430f
                            params:
                              message: The message body
                              subject: Subject
                              to: address@domain.com
                  ids:
                    - 9e946bfc-3118-4c77-bb25-67d781191921
              example25:
                description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID.
                summary: Edit - Add rule actions to rules for a slack connector
                value:
                  action: edit
                  edit:
                    - type: add_rule_actions
                      value:
                        actions:
                          - group: default3
                            id: 20fbf986-a270-460e-80f3-7b83c08b430f
                            params:
                              message: The content of the message
                  ids:
                    - 9e946bfc-3118-4c77-bb25-67d781191921
              example26:
                description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID.
                summary: Edit - Add rule actions to rules for a PagerDuty connector
                value:
                  action: edit
                  edit:
                    - type: add_rule_actions
                      value:
                        actions:
                          - group: default3
                            id: 20fbf986-a270-460e-80f3-7b83c08b430f
                            params:
                              eventAction: trigger
                              severity: critical
                              summary: The message body
                              timestamp: '2023-10-31T00:00:00.000Z'
                  ids:
                    - 9e946bfc-3118-4c77-bb25-67d781191921
              example27:
                description: The following request sets alert suppression for the rules with the specified IDs.
                summary: Edit - Set alert suppression for rules (idempotent)
                value:
                  action: edit
                  edit:
                    - type: set_alert_suppression
                      value:
                        duration:
                          unit: h
                          value: 1
                        group_by:
                          - source.ip
                        missing_fields_strategy: suppress
                  ids:
                    - 12345678-1234-1234-1234-1234567890ab
                    - 87654321-4321-4321-4321-0987654321ba
              example28:
                description: The following request sets alert suppression on threshold rules with the specified IDs.
                summary: Edit - Set alert suppression on threshold rules (idempotent)
                value:
                  action: edit
                  edit:
                    - type: set_alert_suppression_for_threshold
                      value:
                        duration:
                          unit: h
                          value: 1
                  ids:
                    - 12345678-1234-1234-1234-1234567890ab
                    - 87654321-4321-4321-4321-0987654321ba
              example29:
                description: The following request removes alert suppression from the rules with the specified IDs. If the rules do not have alert suppression, no changes are made.
                summary: Edit - Remove alert suppression from rules (idempotent)
                value:
                  action: edit
                  edit:
                    - type: delete_alert_suppression
                  ids:
                    - 12345678-1234-1234-1234-1234567890ab
                    - 87654321-4321-4321-4321-0987654321ba
              example30:
                description: The following request triggers the filling of gaps for the specified rule IDs and time range.
                summary: Fill Gaps - Manually trigger the filling of gaps for specified rules
                value:
                  action: fill_gaps
                  ids:
                    - 748694f0-6977-4ea5-8384-cd2e39730779
                    - 164d0918-f720-4c9f-9f5c-c5122587cf19
                  run:
                    end_date: '2025-03-10T23:59:59.999Z'
                    start_date: '2025-03-01T00:00:00.000Z'
            schema:
              oneOf:
                - $ref: '#/components/schemas/Security_Detections_API_BulkDeleteRules'
                - $ref: '#/components/schemas/Security_Detections_API_BulkDisableRules'
                - $ref: '#/components/schemas/Security_Detections_API_BulkEnableRules'
                - $ref: '#/components/schemas/Security_Detections_API_BulkExportRules'
                - $ref: '#/components/schemas/Security_Detections_API_BulkDuplicateRules'
                - $ref: '#/components/schemas/Security_Detections_API_BulkManualRuleRun'
                - $ref: '#/components/schemas/Security_Detections_API_BulkManualRuleFillGaps'
                - $ref: '#/components/schemas/Security_Detections_API_BulkEditRules'
      responses:
        '200':
          content:
            application/json:
              examples:
                example01:
                  description: In this response, one rule was updated and one was skipped. Objects returned in attributes.results.skipped include only each rule's id, name, and skip_reason.
                  summary: Successful response
                  value:
                    attributes:
                      results:
                        created: []
                        deleted: []
                        skipped:
                          - id: 51658332-a15e-4c9e-912a-67214e2e2359
                            name: Skipped rule
                            skip_reason: RULE_NOT_MODIFIED
                        updated:
                          - anomaly_threshold: 50
                            author:
                              - Elastic
                            created_at: '2022-02-21T14:14:13.801Z'
                            created_by: elastic
                            description: A machine learning job detected unusually large numbers of DNS queries for a single top-level DNS domain, which is often used for DNS tunneling. DNS tunneling can be used for command-and-control, persistence, or data exfiltration activity. For example, dnscat tends to generate many DNS questions for a top-level domain as it uses the DNS protocol to tunnel data.
                            enabled: true
                            exceptions_list: []
                            execution_summary:
                              last_execution:
                                date: '2022-03-23T16:06:12.787Z'
                                message: This rule attempted to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, but no matching index was found.
                                metrics:
                                  execution_gap_duration_s: 0
                                  total_indexing_duration_ms: 15
                                  total_search_duration_ms: 135
                                status: partial failure
                                status_order: 20
                            false_positives:
                              - DNS domains that use large numbers of child domains, such as software or content distribution networks, can trigger this alert and such parent domains can be excluded.
                            from: now-45m
                            id: 8bc7dad0-9320-11ec-9265-8b772383a08d
                            immutable: false
                            interval: 15m
                            license: Elastic License v2
                            machine_learning_job_id:
                              - packetbeat_dns_tunneling_ea
                            max_signals: 100
                            name: DNS Tunneling [Duplicate]
                            references:
                              - https://www.elastic.co/docs/reference/machine-learning/ootb-ml-jobs-siem
                            related_integrations: []
                            required_fields: []
                            risk_score: 21
                            risk_score_mapping: []
                            rule_id: 7289bf08-4e91-4c70-bf01-e04c4c5d7756
                            setup: ''
                            severity: low
                            severity_mapping: []
                            tags:
                              - Elastic
                              - Network
                              - Threat Detection
                              - ML
                            threat: []
                            to: now
                            type: machine_learning
                            updated_at: '2022-02-21T17:05:50.883Z'
                            updated_by: elastic
                            version: 6
                      summary:
                        failed: 0
                        skipped: 1
                        succeeded: 1
                        total: 2
                    rules_count: 1
                    success: true
                example02:
                  description: If processing of any rule fails, a partial error outputs the ID and/or name of the affected rule and the corresponding error, as well as successfully processed rules (in the same format as a successful 200 request).
                  summary: Partial failure
                  value:
                    attributes:
                      errors:
                        - message: Index patterns can't be added. Machine learning rule doesn't have index patterns property
                          rules:
                            - id: 8bc7dad0-9320-11ec-9265-8b772383a08d
                              name: DNS Tunneling [Duplicate]
                          status_code: 500
                      results:
                        created: []
                        deleted: []
                        skipped: []
                        updated:
                          - actions: []
                            author:
                              - Elastic
                            created_at: '2022-02-21T14:14:17.883Z'
                            created_by: elastic
                            description: Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to immediately begin investigating external alerts in the app.
                            enabled: true
                            exceptions_list: []
                            execution_summary:
                              last_execution:
                                date: '2022-03-23T16:06:12.787Z'
                                message: This rule attempted to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, but no matching index was found.
                                metrics:
                                  execution_gap_duration_s: 0
                                  total_indexing_duration_ms: 15
                                  total_search_duration_ms: 135
                                status: partial failure
                                status_order: 20
                            false_positives: []
                            from: now-6m
                            id: 8e5c1a40-9320-11ec-9265-8b772383a08d
                            immutable: false
                            index:
                              - apm-*-transaction*
                              - traces-apm*
                              - auditbeat-*
                              - filebeat-*
                              - logs-*
                              - packetbeat-*
                              - winlogbeat-*
                              - added-by-id-*
                            interval: 5m
                            language: kuery
                            license: Elastic License v2
                            max_signals: 10000
                            name: External Alerts [Duplicate]
                            query: |
                              event.kind:alert and not event.module:(endgame or endpoint)
                            references: []
                            related_integrations: []
                            required_fields: []
                            risk_score: 47
                            risk_score_mapping:
                              - field: event.risk_score
                                operator: equals
                                value: ''
                            rule_id: 941faf98-0cdc-4569-b16d-4af962914d61
                            rule_name_override: message
                            setup: ''
                            severity: medium
                            severity_mapping:
                              - field: event.severity
                                operator: equals
                                severity: low
                                value: '21'
                              - field: event.severity
                                operator: equals
                                severity: medium
                                value: '47'
                              - field: event.severity
                                operator: equals
                                severity: high
                                value: '73'
                              - field: event.severity
                                operator: equals
                                severity: critical
                                value: '99'
                            tags:
                              - Elastic
                              - Network
                              - Windows
                              - APM
                              - macOS
                              - Linux
                            threat: []
                            timestamp_override: event.ingested
                            to: now
                            type: query
                            updated_at: '2022-02-21T16:56:22.818Z'
                            updated_by: elastic
                            version: 5
                      summary:
                        failed: 1
                        skipped: 0
                        succeeded: 1
                        total: 2
                    message: Bulk edit partially failed
                    rules_count: 2
                    status_code: 500
                    success: false
                example03:
                  description: The attributes.errors section of the response shows that two rules failed to update and one succeeded. The same results would be returned if you ran the request without dry run mode enabled. Notice that there are no arrays in attributes.results. In dry run mode, rule updates are not applied and saved to Elasticsearch, so the endpoint wouldn’t return results for rules that have been updated, created, or deleted.
                  summary: Dry run
                  value:
                    attributes:
                      errors:
                        - err_code: IMMUTABLE
                          message: Elastic rule can't be edited
                          rules:
                            - id: 81aa0480-06af-11ed-94fb-dd1a0597d8d2
                              name: Unusual AWS Command for a User
                          status_code: 500
                        - err_code: MACHINE_LEARNING_INDEX_PATTERN
                          message: Machine learning rule doesn't have index patterns
                          rules:
                            - id: dc015d10-0831-11ed-ac8b-05a222bd8d4a
                              name: Suspicious Powershell Script [Duplicate]
                          status_code: 500
                      results:
                        created: []
                        deleted: []
                        skipped: []
                        updated: []
                      summary:
                        failed: 2
                        skipped: 0
                        succeeded: 1
                        total: 3
                    message: Bulk edit partially failed
                    status_code: 500
                example04:
                  description: This example presents the successful setting of tags for 2 rules. The set of tags being added differed from the tags already set in the rules, which is why the rules were updated.
                  summary: Set tags successfully for 2 rules
                  value:
                    attributes:
                      results:
                        created: []
                        deleted: []
                        skipped: []
                        updated:
                          - actions: []
                            author: []
                            created_at: '2025-03-25T11:46:41.899Z'
                            created_by: elastic
                            description: test
                            enabled: false
                            exceptions_list: []
                            false_positives: []
                            filters: []
                            from: now-6m
                            id: 738112cd-6cfa-414a-8457-2a658845d6ba
                            immutable: false
                            index:
                              - apm-*-transaction*
                              - auditbeat-*
                              - endgame-*
                              - filebeat-*
                              - logs-*
                              - packetbeat-*
                              - traces-apm*
                              - winlogbeat-*
                              - '-*elastic-cloud-logs-*'
                            interval: 5m
                            language: kuery
                            license: ''
                            max_signals: 100
                            meta:
                              kibana_siem_app_url: http://localhost:5601/kbn/app/security
                            name: Rule 1
                            output_index: ''
                            query: '*'
                            references: []
                            related_integrations: []
                            required_fields: []
                            revision: 1
                            risk_score: 21
                            risk_score_mapping: []
                            rule_id: 6fb746a0-dfe5-40fa-b03f-5cbb84f3e32e
                            rule_source:
                              type: internal
                            setup: ''
                            severity: low
                            severity_mapping: []
                            tags:
                              - tag-1
                              - tag-2
                            threat: []
                            to: now
                            type: query
                            updated_at: '2025-03-25T11:47:11.350Z'
                            updated_by: elastic
                            version: 2
                          - actions:
                              - action_type_id: .webhook
                                frequency:
                                  notifyWhen: onActiveAlert
                                  summary: true
                                  throttle: null
                                group: default
                                id: 20fbf986-a270-460e-80f3-7b83c08b430f
                                params:
                                  body: Hello
                                uuid: 580e2e16-5e91-411c-999b-7b75a11ed441
                            author: []
                            created_at: '2025-03-25T09:49:08.343Z'
                            created_by: elastic
                            description: test
                            enabled: false
                            exceptions_list: []
                            false_positives: []
                            filters: []
                            from: now-360s
                            id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b
                            immutable: false
                            index:
                              - apm-*-transaction*
                              - auditbeat-*
                              - endgame-*
                              - filebeat-*
                              - logs-*
                              - packetbeat-*
                              - traces-apm*
                              - winlogbeat-*
                              - '-*elastic-cloud-logs-*'
                            interval: 3m
                            investigation_fields:
                              field_names:
                                - alert.status
                                - Endpoint.policy.applied.artifacts.global.channel
                            language: kuery
                            license: ''
                            max_signals: 100
                            meta:
                              from: 3m
                              kibana_siem_app_url: http://localhost:5601/kbn/app/security
                            name: Rule 2
                            output_index: ''
                            query: '*'
                            references: []
                            related_integrations: []
                            required_fields: []
                            revision: 33
                            risk_score: 21
                            risk_score_mapping: []
                            rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180
                            rule_source:
                              type: internal
                            setup: ''
                            severity: low
                            severity_mapping: []
                            tags:
                              - tag-1
                              - tag-2
                            threat: []
                            timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd
                            timeline_title: Alerts Involving a Single User Timeline
                            to: now
                            type: query
                            updated_at: '2025-03-25T11:47:11.357Z'
                            updated_by: elastic
                            version: 24
                      summary:
                        failed: 0
                        skipped: 0
                        succeeded: 2
                        total: 2
                    rules_count: 2
                    success: true
                example05:
                  description: This example presents the idempotent behavior of the edit action with a set_tags request. Both rules already had exactly the same tags that were being added, so no changes were made to either of them.
                  summary: Idempotent behavior of set_tags
                  value:
                    attributes:
                      results:
                        created: []
                        deleted: []
                        skipped:
                          - id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b
                            name: Rule 1
                            skip_reason: RULE_NOT_MODIFIED
                          - id: 738112cd-6cfa-414a-8457-2a658845d6ba
                            name: Rule 2
                            skip_reason: RULE_NOT_MODIFIED
                        updated: []
                      summary:
                        failed: 0
                        skipped: 2
                        succeeded: 0
                        total: 2
                    rules_count: 2
                    success: true
                example06:
                  description: This example presents the idempotent behavior of the edit action with an add_tags request. One rule was updated and one was skipped. The rule that was skipped already had all the tags that were being added.
                  summary: Idempotent behavior of add_tags
                  value:
                    attributes:
                      results:
                        created: []
                        deleted: []
                        skipped:
                          - id: 738112cd-6cfa-414a-8457-2a658845d6ba
                            name: Test Rule 2
                            skip_reason: RULE_NOT_MODIFIED
                        updated:
                          - actions:
                              - action_type_id: .webhook
                                frequency:
                                  notifyWhen: onActiveAlert
                                  summary: true
                                  throttle: null
                                group: default
                                id: 20fbf986-a270-460e-80f3-7b83c08b430f
                                params:
                                  body: Hello
                                uuid: 580e2e16-5e91-411c-999b-7b75a11ed441
                            author: []
                            created_at: '2025-03-25T09:49:08.343Z'
                            created_by: elastic
                            description: test
                            enabled: false
                            exceptions_list: []
                            false_positives: []
                            filters: []
                            from: now-360s
                            id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b
                            immutable: false
                            index:
                              - apm-*-transaction*
                              - auditbeat-*
                              - endgame-*
                              - filebeat-*
                              - logs-*
                              - packetbeat-*
                              - traces-apm*
                              - winlogbeat-*
                              - '-*elastic-cloud-logs-*'
                            interval: 3m
                            investigation_fields:
                              field_names:
                                - alert.status
                                - Endpoint.policy.applied.artifacts.global.channel
                            language: kuery
                            license: ''
                            max_signals: 100
                            meta:
                              from: 3m
                              kibana_siem_app_url: http://localhost:5601/kbn/app/security
                            name: Test rule
                            output_index: ''
                            query: '*'
                            references: []
                            related_integrations: []
                            required_fields: []
                            revision: 34
                            risk_score: 21
                            risk_score_mapping: []
                            rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180
                            rule_source:
                              type: internal
                            setup: ''
                            severity: low
                            severity_mapping: []
                            tags:
                              - tag-1
                              - tag-2
                              - tag-4
                            threat: []
                            timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd
                            timeline_title: Alerts Involving a Single User Timeline
                            to: now
                            type: query
                            updated_at: '2025-03-25T11:55:12.752Z'
                            updated_by: elastic
                            version: 25
                      summary:
                        failed: 0
                        skipped: 1
                        succeeded: 1
                        total: 2
                    rules_count: 2
                    success: true
                example07:
                  description: This example shows the non-idempotent nature of set_rule_actions requests. Regardless of whether the actions are the same as the existing actions for a rule, the actions are always set in the rule and receive a new unique ID.
                  summary: Non-idempotent behavior for set_rule_actions
                  value:
                    attributes:
                      results:
                        created: []
                        deleted: []
                        skipped: []
                        updated:
                          - actions:
                              - action_type_id: .webhook
                                frequency:
                                  notifyWhen: onActiveAlert
                                  summary: true
                                  throttle: null
                                group: default
                                id: 20fbf986-a270-460e-80f3-7b83c08b430f
                                params:
                                  body: Hello
                                uuid: e48428e5-efac-4856-b8ad-b271c14eaa91
                            author: []
                            created_at: '2025-03-25T09:49:08.343Z'
                            created_by: elastic
                            description: test
                            enabled: false
                            exceptions_list: []
                            false_positives: []
                            filters: []
                            from: now-360s
                            id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b
                            immutable: false
                            index:
                              - apm-*-transaction*
                              - auditbeat-*
                              - endgame-*
                              - filebeat-*
                              - logs-*
                              - packetbeat-*
                              - traces-apm*
                              - winlogbeat-*
                              - '-*elastic-cloud-logs-*'
                            interval: 3m
                            investigation_fields:
                              field_names:
                                - alert.status
                                - Endpoint.policy.applied.artifacts.global.channel
                            language: kuery
                            license: ''
                            max_signals: 100
                            meta:
                              from: 3m
                              kibana_siem_app_url: http://localhost:5601/kbn/app/security
                            name: Test rule
                            output_index: ''
                            query: '*'
                            references: []
                            related_integrations: []
                            required_fields: []
                            revision: 39
                            risk_score: 21
                            risk_score_mapping: []
                            rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180
                            rule_source:
                              type: internal
                            setup: ''
                            severity: low
                            severity_mapping: []
                            tags:
                              - tag-1
                              - tag-2
                              - tag-4
                            threat: []
                            timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd
                            timeline_title: Alerts Involving a Single User Timeline
                            to: now
                            type: query
                            updated_at: '2025-03-25T12:17:40.528Z'
                            updated_by: elastic
                            version: 30
                      summary:
                        failed: 0
                        skipped: 0
                        succeeded: 1
                        total: 1
                    rules_count: 1
                    success: true
                example08:
                  description: This example shows the non-idempotent nature of add_rule_actions requests. Regardless of whether the added action is the same as another existing action for a rule, the new action is added to the rule and receives a new unique ID.
                  summary: Non-idempotent behavior for add_rule_actions
                  value:
                    attributes:
                      results:
                        created: []
                        deleted: []
                        skipped: []
                        updated:
                          - actions:
                              - action_type_id: .webhook
                                frequency:
                                  notifyWhen: onActiveAlert
                                  summary: true
                                  throttle: null
                                group: default
                                id: 76af173d-38d8-4a9a-b2cc-a3c695b845b4
                                params:
                                  body: Message body
                                uuid: 0309347e-3954-429c-9168-5da2663389af
                              - action_type_id: .webhook
                                frequency:
                                  notifyWhen: onActiveAlert
                                  summary: true
                                  throttle: null
                                group: default
                                id: 76af173d-38d8-4a9a-b2cc-a3c695b845b4
                                params:
                                  body: Message body
                                uuid: 49ddaa94-d63d-410e-90dc-8c1bad9552bd
                            author: []
                            created_at: '2025-04-02T12:42:03.400Z'
                            created_by: elastic
                            description: test
                            enabled: false
                            exceptions_list: []
                            false_positives: []
                            filters: []
                            from: now-6m
                            id: 0d3eb0cd-88c4-4651-ac87-6d9f0cb87217
                            immutable: false
                            index:
                              - apm-*-transaction*
                              - auditbeat-*
                              - endgame-*
                              - filebeat-*
                              - logs-*
                              - packetbeat-*
                              - traces-apm*
                              - winlogbeat-*
                              - '-*elastic-cloud-logs-*'
                            interval: 5m
                            language: kuery
                            license: ''
                            max_signals: 100
                            meta:
                              kibana_siem_app_url: http://localhost:5601/kbn/app/security
                            name: Jacek test rule
                            output_index: ''
                            query: '*'
                            references: []
                            related_integrations: []
                            required_fields: []
                            revision: 2
                            risk_score: 21
                            risk_score_mapping: []
                            rule_id: 2684c020-1370-4719-ac27-eafe6428fe10
                            rule_source:
                              type: internal
                            setup: ''
                            severity: low
                            severity_mapping: []
                            tags: []
                            threat: []
                            to: now
                            type: query
                            updated_at: '2025-04-02T12:51:40.215Z'
                            updated_by: elastic
                            version: 2
                      summary:
                        failed: 0
                        skipped: 0
                        succeeded: 1
                        total: 1
                    rules_count: 1
                    success: true
              schema:
                oneOf:
                  - $ref: '#/components/schemas/Security_Detections_API_BulkEditActionResponse'
                  - $ref: '#/components/schemas/Security_Detections_API_BulkExportActionResponse'
          description: OK
      summary: Apply a bulk action to detection rules
      tags:
        - Security Detections API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/detection_engine/rules/_export:
    post:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/detection_engine/rules/_export</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Export detection rules to an `.ndjson` file. The following configuration items are also included in the `.ndjson` file:
        - Actions
        - Exception lists
        > info
        > Rule actions and connectors are included in the exported file, but sensitive information about the connector (such as authentication credentials) is not included. You must re-add missing connector details after importing detection rules.

        > You can use Kibana’s [Saved Objects](https://www.elastic.co/docs/explore-analyze/find-and-organize/saved-objects) UI (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs (experimental) to [export](https://www.elastic.co/docs/api/doc/kibana/operation/operation-exportsavedobjectsdefault) and [import](https://www.elastic.co/docs/api/doc/kibana/operation/operation-importsavedobjectsdefault) any necessary connectors before importing detection rules.

        > Similarly, any value lists used for rule exceptions are not included in rule exports or imports. Use the [Manage value lists](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-manage-value-lists) UI (Rules → Detection rules (SIEM) → Manage value lists) to export and import value lists separately.
      operationId: ExportRules
      parameters:
        - description: Determines whether a summary of the exported rules is returned.
          in: query
          name: exclude_export_details
          required: false
          schema:
            default: false
            type: boolean
        - description: |
            File name for saving the exported rules.
            > info
            > When using cURL to export rules to a file, use the `-O` and `-J` options to save the rules to the file name specified in the URL.
          in: query
          name: file_name
          required: false
          schema:
            default: export.ndjson
            type: string
      requestBody:
        content:
          application/json:
            examples:
              exportByRuleIds:
                summary: Request body to export a subset of rules
                value:
                  objects:
                    - rule_id: 343580b5-c811-447c-8d2d-2ccf052c6900
                    - rule_id: 2938c9fa-53eb-4c04-b79c-33cbf041b18d
            schema:
              nullable: true
              type: object
              properties:
                objects:
                  description: Array of objects with a rule's `rule_id` field. Do not use the rule's `id` here. Exports all rules when unspecified.
                  items:
                    type: object
                    properties:
                      rule_id:
                        $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
                    required:
                      - rule_id
                  type: array
              required:
                - objects
        required: false
      responses:
        '200':
          content:
            application/ndjson:
              examples:
                sampleNdjson:
                  value: |
                    {"rule_id":"343580b5-c811-447c-8d2d-2ccf052c6900","name":"Example rule","type":"query","enabled":true}
                    {"exception_list":true}
                    {"export_summary":{"total_rules":1,"exceptions_count":0}}
              schema:
                description: |
                  An `.ndjson` file containing the returned rules.

                  Each line in the file represents an object (a rule, exception list parent container, or exception list item), and the last line includes a summary of what was exported.
                format: binary
                type: string
          description: Indicates a successful call.
      summary: Export detection rules
      tags:
        - Security Detections API
      x-codeSamples:
        - lang: cURL
          source: |
            curl -X POST "localhost:5601/api/detection_engine/rules/_export?exclude_export_details=true&file_name=exported_rules.ndjson" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'
            {
              "objects": [
                {
                  "rule_id":"343580b5-c811-447c-8d2d-2ccf052c6900"
                },
                {
                  "rule_id":"2938c9fa-53eb-4c04-b79c-33cbf041b18d"
                }
              ]
            }'
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/detection_engine/rules/_find:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/detection_engine/rules/_find</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Retrieve a paginated list of detection rules. By default, the first page is returned, with 20 results per page.
      operationId: FindRules
      parameters:
        - description: |
            List of `alert.attributes` field names to return for each rule (for example `name`, `enabled`).
            If omitted, the default field set is returned. Repeat the parameter to pass multiple field names, or
            use comma-separated values when supported by your client.
          in: query
          name: fields
          required: false
          schema:
            items:
              type: string
            type: array
        - description: |
            Search query

            Filters the returned results according to the value of the specified field, using the `alert.attributes.<field name>:<field value>` syntax, where `<field name>` can be:
            - name
            - enabled
            - tags
            - createdBy
            - interval
            - updatedBy
            > info
            > Even though the JSON rule object uses `created_by` and `updated_by` fields, you must use `createdBy` and `updatedBy` fields in the filter.
          in: query
          name: filter
          required: false
          schema:
            type: string
        - description: Field to sort by
          in: query
          name: sort_field
          required: false
          schema:
            $ref: '#/components/schemas/Security_Detections_API_FindRulesSortField'
        - description: Sort order
          in: query
          name: sort_order
          required: false
          schema:
            $ref: '#/components/schemas/Security_Detections_API_SortOrder'
        - description: Page number
          in: query
          name: page
          required: false
          schema:
            default: 1
            minimum: 1
            type: integer
        - description: Rules per page
          in: query
          name: per_page
          required: false
          schema:
            default: 20
            minimum: 0
            type: integer
        - description: Gaps range start
          in: query
          name: gaps_range_start
          required: false
          schema:
            type: string
        - description: Gaps range end
          in: query
          name: gaps_range_end
          required: false
          schema:
            type: string
        - description: Gap fill statuses
          in: query
          name: gap_fill_statuses
          required: false
          schema:
            items:
              $ref: '#/components/schemas/Security_Detections_API_GapFillStatus'
            type: array
        - description: Gap auto fill scheduler ID used to determine gap fill status for rules
          in: query
          name: gap_auto_fill_scheduler_id
          required: false
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                example1:
                  value:
                    data:
                      - created_at: '2020-02-02T10:05:19.613Z'
                        created_by: elastic
                        description: Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.
                        enabled: false
                        execution_summary:
                          last_execution:
                            date: '2022-03-23T16:06:12.787Z'
                            message: This rule attempted to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, but no matching index was found.
                            metrics:
                              execution_gap_duration_s: 0
                              total_indexing_duration_ms: 15
                              total_search_duration_ms: 135
                            status: partial failure
                            status_order: 20
                        false_positives: []
                        from: now-6m
                        id: 89761517-fdb0-4223-b67b-7621acc48f9e
                        immutable: true
                        index:
                          - winlogbeat-*
                        interval: 5m
                        language: kuery
                        max_signals: 33
                        name: Windows Script Executing PowerShell
                        query: 'event.action:"Process Create (rule: ProcessCreate)" and process.parent.name:("wscript.exe" or "cscript.exe") and process.name:"powershell.exe"'
                        references: []
                        related_integrations:
                          - package: o365
                            version: ^2.3.2
                        required_fields:
                          - ecs: true
                            name: event.action
                            type: keyword
                          - ecs: true
                            name: process.name
                            type: keyword
                          - ecs: true
                            name: process.parent.name
                            type: keyword
                        risk_score: 21
                        rule_id: f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc
                        setup: ''
                        severity: low
                        tags:
                          - Elastic
                          - Windows
                        threat:
                          - framework: MITRE ATT&CK
                            tactic:
                              id: TA0002
                              name: Execution
                              reference: https://attack.mitre.org/tactics/TA0002/
                            technique:
                              - id: T1193
                                name: Spearphishing Attachment
                                reference: https://attack.mitre.org/techniques/T1193/
                        to: now
                        type: query
                        updated_at: '2020-02-02T10:05:19.830Z'
                        updated_by: elastic
                    page: 1
                    perPage: 5
                    total: 4
              schema:
                type: object
                properties:
                  data:
                    items:
                      $ref: '#/components/schemas/Security_Detections_API_RuleResponse'
                    type: array
                  page:
                    type: integer
                  perPage:
                    type: integer
                  total:
                    type: integer
                  warnings:
                    items:
                      $ref: '#/components/schemas/Security_Detections_API_WarningSchema'
                    type: array
                required:
                  - page
                  - perPage
                  - total
                  - data
          description: |
            Successful response
            > info
            > These fields are under development and their usage or schema may change: execution_summary.
      summary: List all detection rules
      tags:
        - Security Detections API
      x-codeSamples:
        - lang: cURL
          source: |
            curl -X GET "localhost:5601/api/detection_engine/rules/_find?page=1&per_page=5&sort_field=enabled&sort_order=asc&filter=alert.attributes.name:windows" -H 'kbn-xsrf: true'
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/detection_engine/rules/_import:
    post:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/detection_engine/rules/_import</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Import detection rules from an `.ndjson` file, including actions and exception lists. The request must include:
        - The `Content-Type: multipart/form-data` HTTP header.
        - A link to the `.ndjson` file containing the rules.
        > warn
        > When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running.

        > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change.
        > info
        > To import rules with actions, you need at least Read privileges for the Actions and Connectors feature. To overwrite or add new connectors, you need All privileges for the Actions and Connectors feature. To import rules without actions, you don’t need Actions and Connectors privileges. Refer to [Enable and access detections](https://www.elastic.co/docs/solutions/security/detect-and-alert/detections-privileges) for more information.

        > info
        > Rule actions and connectors are included in the exported file, but sensitive information about the connector (such as authentication credentials) is not included. You must re-add missing connector details after importing detection rules.

        > You can use Kibana’s [Saved Objects](https://www.elastic.co/docs/explore-analyze/find-and-organize/saved-objects) UI (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs (experimental) to [export](https://www.elastic.co/docs/api/doc/kibana/operation/operation-exportsavedobjectsdefault) and [import](https://www.elastic.co/docs/api/doc/kibana/operation/operation-importsavedobjectsdefault) any necessary connectors before importing detection rules.

        > Similarly, any value lists used for rule exceptions are not included in rule exports or imports. Use the [Manage value lists](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-manage-value-lists) UI (Rules → Detection rules (SIEM) → Manage value lists) to export and import value lists separately.
      operationId: ImportRules
      parameters:
        - description: Determines whether existing rules with the same `rule_id` are overwritten.
          in: query
          name: overwrite
          required: false
          schema:
            default: false
            type: boolean
        - description: Determines whether existing exception lists with the same `list_id` are overwritten. Both the exception list container and its items are overwritten.
          in: query
          name: overwrite_exceptions
          required: false
          schema:
            default: false
            type: boolean
        - description: Determines whether existing actions with the same `kibana.alert.rule.actions.id` are overwritten.
          in: query
          name: overwrite_action_connectors
          required: false
          schema:
            default: false
            type: boolean
        - description: Generates a new list ID for each imported exception list.
          in: query
          name: as_new_list
          required: false
          schema:
            default: false
            type: boolean
      requestBody:
        content:
          multipart/form-data:
            examples:
              rulesFile:
                summary: Multipart part containing a rule export
                value:
                  file: rules_import.ndjson
            schema:
              type: object
              properties:
                file:
                  description: The `.ndjson` file containing the rules.
                  format: binary
                  type: string
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                example1:
                  summary: Import rules with success
                  value:
                    errors: []
                    exceptions_errors: []
                    exceptions_success: true
                    exceptions_success_count: 0
                    rules_count: 1
                    success: true
                    success_count: 1
              schema:
                additionalProperties: false
                type: object
                properties:
                  action_connectors_errors:
                    items:
                      $ref: '#/components/schemas/Security_Detections_API_ErrorSchema'
                    type: array
                  action_connectors_success:
                    type: boolean
                  action_connectors_success_count:
                    minimum: 0
                    type: integer
                  action_connectors_warnings:
                    items:
                      $ref: '#/components/schemas/Security_Detections_API_WarningSchema'
                    type: array
                  errors:
                    items:
                      $ref: '#/components/schemas/Security_Detections_API_ErrorSchema'
                    type: array
                  exceptions_errors:
                    items:
                      $ref: '#/components/schemas/Security_Detections_API_ErrorSchema'
                    type: array
                  exceptions_success:
                    type: boolean
                  exceptions_success_count:
                    minimum: 0
                    type: integer
                  rules_count:
                    minimum: 0
                    type: integer
                  success:
                    type: boolean
                  success_count:
                    minimum: 0
                    type: integer
                required:
                  - exceptions_success
                  - exceptions_success_count
                  - exceptions_errors
                  - rules_count
                  - success
                  - success_count
                  - errors
                  - action_connectors_errors
                  - action_connectors_warnings
                  - action_connectors_success
                  - action_connectors_success_count
          description: Indicates a successful call.
      summary: Import detection rules
      tags:
        - Security Detections API
      x-codeSamples:
        - lang: cURL
          source: |
            curl -X POST "<KibanaURL>/api/detection_engine/rules/_import" \
              -u <username>:<password> -H 'kbn-xsrf: true' \
              -H 'Content-Type: multipart/form-data' \
              --form "file=@<link to file>"
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/detection_engine/rules/{id}/exceptions:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/detection_engine/rules/{id}/exceptions</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Create exception items that apply to a single detection rule.
      operationId: CreateRuleExceptionListItems
      parameters:
        - description: Detection rule's identifier
          examples:
            id:
              value: 330bdd28-eedf-40e1-bed0-f10176c7f9e0
          in: path
          name: id
          required: true
          schema:
            $ref: '#/components/schemas/Security_Exceptions_API_UUID'
      requestBody:
        content:
          application/json:
            examples:
              addItems:
                value:
                  items:
                    - description: This is a sample detection type exception item.
                      entries:
                        - field: actingProcess.file.signer
                          operator: excluded
                          type: exists
                        - field: host.name
                          operator: included
                          type: match_any
                          value:
                            - saturn
                            - jupiter
                      item_id: simple_list_item
                      list_id: simple_list
                      name: Sample Exception List Item
                      namespace_type: single
                      os_types:
                        - linux
                      tags:
                        - malware
                      type: simple
            schema:
              example:
                items:
                  - description: This is a sample detection type exception item.
                    entries:
                      - field: actingProcess.file.signer
                        operator: excluded
                        type: exists
                      - field: host.name
                        operator: included
                        type: match_any
                        value:
                          - saturn
                          - jupiter
                    item_id: simple_list_item
                    list_id: simple_list
                    name: Sample Exception List Item
                    namespace_type: single
                    os_types:
                      - linux
                    tags:
                      - malware
                    type: simple
              type: object
              properties:
                items:
                  items:
                    $ref: '#/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemProps'
                  type: array
              required:
                - items
        description: Rule exception items.
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                ruleExceptionItems:
                  value:
                    - _version: WzQsMV0=
                      comments: []
                      created_at: '2025-01-07T20:07:33.119Z'
                      created_by: elastic
                      description: This is a sample detection type exception item.
                      entries:
                        - field: actingProcess.file.signer
                          operator: excluded
                          type: exists
                        - field: host.name
                          operator: included
                          type: match_any
                          value:
                            - saturn
                            - jupiter
                      id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2
                      item_id: simple_list_item
                      list_id: simple_list
                      name: Sample Exception List Item
                      namespace_type: single
                      os_types:
                        - linux
                      tags:
                        - malware
                      tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c
                      type: simple
                      updated_at: '2025-01-07T20:07:33.119Z'
                      updated_by: elastic
              schema:
                items:
                  $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem'
                type: array
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                badPayload:
                  value:
                    error: Bad Request
                    message: Invalid request payload JSON format
                    statusCode: 400
                badRequest:
                  value:
                    error: Bad Request
                    message: '[request params]: id: Invalid uuid'
                    statusCode: 400
              schema:
                oneOf:
                  - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
                  - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
          description: Invalid input data response
        '401':
          content:
            application/json:
              examples:
                unauthorized:
                  value:
                    error: Unauthorized
                    message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
          description: Unsuccessful authentication response
        '403':
          content:
            application/json:
              examples:
                forbidden:
                  value:
                    message: Unable to create exception-list
                    status_code: 403
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
          description: Not enough privileges response
        '500':
          content:
            application/json:
              examples:
                serverError:
                  value:
                    message: Internal Server Error
                    status_code: 500
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
          description: Internal server error response
      summary: Create rule exception items
      tags:
        - Security Exceptions API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/detection_engine/rules/preview:
    post:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/detection_engine/rules/preview</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Simulates a detection rule using the same rule type and query logic as a persisted rule, over a short
        time window, without persisting a rule or writing alerts. Use the response to validate queries, see sample
        matching documents, and inspect execution logs. Pair `invocationCount` and `timeframeEnd` to cap run time.
      operationId: RulePreview
      parameters:
        - description: Enables logging of the Elasticsearch queries performed during rule execution and returns them in the response.
          in: query
          name: enable_logged_requests
          required: false
          schema:
            type: boolean
      requestBody:
        content:
          application/json:
            examples:
              queryRule:
                value:
                  description: Find matching events
                  from: now-24h
                  index:
                    - logs-*
                  invocationCount: 1
                  language: kuery
                  max_signals: 20
                  name: Rule preview
                  query: 'process.name : *'
                  risk_score: 25
                  severity: low
                  timeframeEnd: '2025-01-20T12:00:00.000Z'
                  to: now
                  type: query
            schema:
              anyOf:
                - allOf:
                    - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateProps'
                    - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams'
                - allOf:
                    - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateProps'
                    - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams'
                - allOf:
                    - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps'
                    - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams'
                - allOf:
                    - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateProps'
                    - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams'
                - allOf:
                    - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps'
                    - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams'
                - allOf:
                    - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps'
                    - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams'
                - allOf:
                    - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateProps'
                    - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams'
                - allOf:
                    - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateProps'
                    - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams'
              discriminator:
                propertyName: type
        description: |
          Rule create payload (same shape as `POST /api/detection_engine/rules` for a given `type`) plus
          `invocationCount` and `timeframeEnd` to control how the preview is executed. The optional
          `enable_logged_requests` query parameter returns the logged Elasticsearch requests for debugging.
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                success:
                  value:
                    isAborted: false
                    logs:
                      - duration: 45
                        errors: []
                        requests: []
                        startedAt: '2025-01-20T10:00:00.000Z'
                        warnings: []
                    previewId: 7f1c9d1e-4c8a-4a3e-9a5d-0d4f6e1b2a90
              schema:
                type: object
                properties:
                  isAborted:
                    type: boolean
                  logs:
                    items:
                      $ref: '#/components/schemas/Security_Detections_API_RulePreviewLogs'
                    type: array
                  previewId:
                    $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
                required:
                  - logs
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                badRequest:
                  value:
                    error: Bad Request
                    message: '[request body].timeframeEnd: expected string, received null'
                    statusCode: 400
              schema:
                oneOf:
                  - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
                  - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse'
          description: Invalid input data response
        '401':
          content:
            application/json:
              examples:
                unauthorized:
                  value:
                    error: Unauthorized
                    message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]"
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
          description: Unsuccessful authentication response
        '500':
          content:
            application/json:
              examples:
                serverError:
                  value:
                    message: Internal Server Error
                    status_code: 500
              schema:
                $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse'
          description: Internal server error response
      summary: Preview rule alerts generated on a specified time range
      tags:
        - Security Detections API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/detection_engine/signals/assignees:
    post:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/detection_engine/signals/assignees</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Assign users to detection alerts, and unassign them from alerts.
        > info
        > You cannot add and remove the same assignee in the same request.
      operationId: SetAlertAssignees
      requestBody:
        content:
          application/json:
            examples:
              add:
                $ref: '#/components/examples/Security_Detections_API_SetAlertAssigneesBodyAdd'
              remove:
                $ref: '#/components/examples/Security_Detections_API_SetAlertAssigneesBodyRemove'
            schema:
              $ref: '#/components/schemas/Security_Detections_API_SetAlertAssigneesBody'
        description: User profile IDs to add or remove on each listed alert document ID.
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                add:
                  value:
                    batches: 1
                    deleted: 0
                    failures: []
                    noops: 0
                    requests_per_second: -1
                    retries:
                      bulk: 0
                      search: 0
                    throttled_millis: 0
                    throttled_until_millis: 0
                    timed_out: false
                    took: 76
                    total: 1
                    updated: 1
                    version_conflicts: 0
              schema:
                additionalProperties: true
                description: Elasticsearch update by query response
                type: object
          description: |
            Indicates a successful call. The body matches an Elasticsearch update-by-query response
            (for example `took`, `updated`, `failures`).
        '400':
          content:
            application/json:
              examples:
                badRequest:
                  value:
                    error: Bad Request
                    message: '[request body].ids: at least one alert id is required to update assignees'
                    statusCode: 400
              schema:
                oneOf:
                  - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
                  - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse'
          description: Invalid input data response
        '401':
          content:
            application/json:
              examples:
                unauthorized:
                  value:
                    error: Unauthorized
                    message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]"
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
          description: Unsuccessful authentication response
        '403':
          content:
            application/json:
              examples:
                forbidden:
                  value:
                    error: Forbidden
                    message: API [POST /api/detection_engine/signals/assignees] is unauthorized for the current user, this action is granted by the Kibana Security Solution privileges for cases and detections
                    statusCode: 403
              schema:
                $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
          description: Not enough privileges response
        '500':
          content:
            application/json:
              examples:
                serverError:
                  value:
                    message: Internal Server Error
                    status_code: 500
              schema:
                $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse'
          description: Internal server error response
      summary: Assign and unassign users from detection alerts
      tags:
        - Security Detections API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/detection_engine/signals/search:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/detection_engine/signals/search</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Find and/or aggregate detection alerts that match the given query.
      operationId: SearchAlerts
      requestBody:
        content:
          application/json:
            examples:
              query:
                value:
                  aggs:
                    alertsByGrouping:
                      terms:
                        field: host.name
                        size: 10
                    missingFields:
                      missing:
                        field: host.name
                  query:
                    bool:
                      filter:
                        - bool:
                            filter:
                              - match_phrase:
                                  kibana.alert.workflow_status: open
                            must: []
                            must_not:
                              - exists:
                                  field: kibana.alert.building_block_type
                            should: []
                        - range:
                            '@timestamp':
                              gte: '2025-01-17T08:00:00.000Z'
                              lte: '2025-01-18T07:59:59.999Z'
                  runtime_mappings: {}
                  size: 0
            schema:
              $ref: '#/components/schemas/Security_Detections_API_QueryAlertsBodyParams'
              description: Elasticsearch query and aggregation request
        description: Search and/or aggregation query
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                success:
                  value:
                    _shards:
                      failed: 0
                      skipped: 0
                      successful: 1
                      total: 1
                    aggregations:
                      alertsByGrouping:
                        buckets:
                          - doc_count: 5
                            key: Host-f43kkddfyc
                        doc_count_error_upper_bound: 0
                        sum_other_doc_count: 0
                      missingFields:
                        doc_count: 0
                    hits:
                      hits: []
                      max_score: null
                      total:
                        relation: eq
                        value: 5
                    timed_out: false
                    took: 0
              schema:
                additionalProperties: true
                description: Elasticsearch search response
                type: object
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                badRequest:
                  value:
                    error: Bad Request
                    message: 'Failed to parse search request: unknown query clause in bool filter'
                    statusCode: 400
              schema:
                oneOf:
                  - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
                  - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse'
          description: Invalid input data response
        '401':
          content:
            application/json:
              examples:
                unauthorized:
                  value:
                    error: Unauthorized
                    message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]"
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
          description: Unsuccessful authentication response
        '500':
          content:
            application/json:
              examples:
                serverError:
                  value:
                    message: Internal Server Error
                    status_code: 500
              schema:
                $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse'
          description: Internal server error response
      summary: Find and/or aggregate detection alerts
      tags:
        - Security Detections API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/detection_engine/signals/status:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/detection_engine/signals/status</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Set the status of one or more detection alerts.
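
        The sketch below is an added example, not code from Kibana or from the original specification. It builds a by-query request like the `byQuery` example and audits the update-by-query response, because a `200` with `conflicts: proceed` can still leave some matched alerts unchanged. The helper names `buildStatusByQuery` and `auditUpdateByQuery` are hypothetical, and the partial response is a constructed sample.

        ```javascript
        // Added example. Helper names are hypothetical; field names are the ones
        // used in the byQuery request example and the 200 response examples.

        // Build a by-query body that moves every open, non-building-block alert
        // whose @timestamp falls in [gte, lte] to `status`.
        function buildStatusByQuery(status, gte, lte) {
          if (typeof status !== 'string' || status === '') {
            throw new TypeError('status must be a non-empty string');
          }
          const from = Date.parse(gte);
          const to = Date.parse(lte);
          if (Number.isNaN(from) || Number.isNaN(to) || from > to) {
            throw new RangeError('gte and lte must be valid timestamps with gte <= lte');
          }
          return {
            conflicts: 'proceed',
            status,
            query: {
              bool: {
                filter: [
                  { match_phrase: { 'kibana.alert.workflow_status': 'open' } },
                  {
                    range: {
                      '@timestamp': { format: 'strict_date_optional_time', gte, lte },
                    },
                  },
                ],
                must_not: [{ exists: { field: 'kibana.alert.building_block_type' } }],
              },
            },
          };
        }

        // Summarize an update-by-query response. HTTP 200 alone does not prove that
        // every matched alert changed: with `conflicts: proceed`, documents that hit
        // a version conflict are skipped and only counted.
        function auditUpdateByQuery(resp) {
          const count = (key) => (Number.isInteger(resp[key]) ? resp[key] : 0);
          const reasons = [];
          if (resp.timed_out === true) reasons.push('timed_out');
          const failures = Array.isArray(resp.failures) ? resp.failures.length : 0;
          if (failures > 0) reasons.push(`failures=${failures}`);
          if (count('version_conflicts') > 0) {
            reasons.push(`version_conflicts=${count('version_conflicts')}`);
          }
          // Matched documents that were neither updated nor reported as no-ops.
          const missed = count('total') - count('updated') - count('noops');
          if (missed > 0) reasons.push(`not_updated=${missed}`);
          return {
            ok: reasons.length === 0,
            matched: count('total'),
            updated: count('updated'),
            reasons,
          };
        }

        // The byQuery 200 response example, trimmed to the fields audited here.
        const FULL_RESPONSE = {
          failures: [], noops: 0, timed_out: false,
          total: 17, updated: 17, version_conflicts: 0,
        };

        // Constructed sample: two alerts changed concurrently and were skipped.
        const PARTIAL_RESPONSE = {
          failures: [], noops: 0, timed_out: false,
          total: 17, updated: 15, version_conflicts: 2,
        };

        console.log(auditUpdateByQuery(FULL_RESPONSE));
        console.log(auditUpdateByQuery(PARTIAL_RESPONSE));
        ```

        Alerts skipped on a version conflict still match `kibana.alert.workflow_status: open`, so sending the same request again selects them.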
      operationId: SetAlertsStatus
      requestBody:
        content:
          application/json:
            examples:
              byId:
                value:
                  signal_ids:
                    - 80e1383f856e67c1b7f7a1634744fa6d66b6e2ef7aa26d226e57afb5a7b2b4a1
                  status: closed
              byQuery:
                value:
                  conflicts: proceed
                  query:
                    bool:
                      filter:
                        - range:
                            '@timestamp':
                              format: strict_date_optional_time
                              gte: '2024-10-23T07:00:00.000Z'
                              lte: '2025-01-21T20:12:11.704Z'
                        - bool:
                            filter:
                              bool:
                                filter:
                                  - match_phrase:
                                      kibana.alert.workflow_status: open
                                  - range:
                                      '@timestamp':
                                        format: strict_date_optional_time
                                        gte: '2024-10-23T07:00:00.000Z'
                                        lte: '2025-01-21T20:12:11.704Z'
                                must: []
                                must_not:
                                  - exists:
                                      field: kibana.alert.building_block_type
                                should: []
                      must: []
                      must_not: []
                      should: []
                  status: closed
            schema:
              oneOf:
                - $ref: '#/components/schemas/Security_Detections_API_SetAlertsStatusByIds'
                - $ref: '#/components/schemas/Security_Detections_API_SetAlertsStatusByQuery'
        description: An object containing the desired status and either explicit alert IDs or a query that selects alerts
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                byId:
                  value:
                    batches: 1
                    deleted: 0
                    failures: []
                    noops: 0
                    requests_per_second: -1
                    retries:
                      bulk: 0
                      search: 0
                    throttled_millis: 0
                    throttled_until_millis: 0
                    timed_out: false
                    took: 81
                    total: 1
                    updated: 1
                    version_conflicts: 0
                byQuery:
                  value:
                    batches: 1
                    deleted: 0
                    failures: []
                    noops: 0
                    requests_per_second: -1
                    retries:
                      bulk: 0
                      search: 0
                    throttled_millis: 0
                    throttled_until_millis: 0
                    timed_out: false
                    took: 100
                    total: 17
                    updated: 17
                    version_conflicts: 0
              schema:
                additionalProperties: true
                description: Elasticsearch update by query response
                type: object
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                badRequest:
                  value:
                    error: Bad Request
                    message: '[request body].signal_ids: at least one alert id is required to update status'
                    statusCode: 400
              schema:
                oneOf:
                  - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
                  - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse'
          description: Invalid input data response
        '401':
          content:
            application/json:
              examples:
                unauthorized:
                  value:
                    error: Unauthorized
                    message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]"
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
          description: Unsuccessful authentication response
        '500':
          content:
            application/json:
              examples:
                serverError:
                  value:
                    message: Internal Server Error
                    status_code: 500
              schema:
                $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse'
          description: Internal server error response
      summary: Set a detection alert status
      tags:
        - Security Detections API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/detection_engine/signals/tags:
    post:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/detection_engine/signals/tags</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Add tags to detection alerts, and remove them from alerts, by alert IDs or a query, in a single request.
        > info
        > You cannot add and remove the same alert tag in the same request.
      operationId: SetAlertTags
      requestBody:
        content:
          application/json:
            examples:
              add:
                $ref: '#/components/examples/Security_Detections_API_SetAlertTagsBodyAdd'
              remove:
                $ref: '#/components/examples/Security_Detections_API_SetAlertTagsBodyRemove'
            schema:
              $ref: '#/components/schemas/Security_Detections_API_SetAlertTagsBody'
        description: An object containing the tags to add or remove and the alert IDs the changes will be applied to
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                success:
                  value:
                    batches: 1
                    deleted: 0
                    failures: []
                    noops: 0
                    requests_per_second: -1
                    retries:
                      bulk: 0
                      search: 0
                    throttled_millis: 0
                    throttled_until_millis: 0
                    timed_out: false
                    took: 68
                    total: 1
                    updated: 1
                    version_conflicts: 0
              schema:
                additionalProperties: true
                description: Elasticsearch update by query response
                type: object
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                badRequest:
                  value:
                    error: Bad Request
                    message: '[request body].tags: cannot add and remove the same tag in a single request'
                    statusCode: 400
              schema:
                oneOf:
                  - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
                  - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse'
          description: Invalid input data response
        '401':
          content:
            application/json:
              examples:
                unauthorized:
                  value:
                    error: Unauthorized
                    message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]"
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
          description: Unsuccessful authentication response
        '500':
          content:
            application/json:
              examples:
                serverError:
                  value:
                    message: Internal Server Error
                    status_code: 500
              schema:
                $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse'
          description: Internal server error response
      summary: Add and remove detection alert tags
      tags:
        - Security Detections API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/detection_engine/tags:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/detection_engine/tags</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        List all unique tags from all detection rules.
      operationId: ReadTags
      responses:
        '200':
          content:
            application/json:
              examples:
                example1:
                  value:
                    - zeek
                    - suricata
                    - windows
                    - linux
                    - network
                    - initial access
                    - remote access
                    - phishing
              schema:
                $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
          description: Indicates a successful call
      summary: List all detection rule tags
      tags:
        - Security Detections API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/endpoint_list:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/endpoint_list</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Create the exception list for Elastic Endpoint rule exceptions. When you create the exception list, it will have a `list_id` of `endpoint_list`. If the Elastic Endpoint exception list already exists, your request will return an empty response.
      operationId: CreateEndpointList
      responses:
        '200':
          content:
            application/json:
              examples:
                alreadyExists:
                  summary: Endpoint exception list already exists (empty response)
                  value: {}
                newList:
                  summary: Endpoint exception list created
                  value:
                    created_at: '2025-01-01T00:00:00.000Z'
                    created_by: elastic
                    description: Endpoint Security Exception List
                    id: 2e23a8c4-ef7e-4c10-adfa-3eae4e4b4b8b
                    immutable: false
                    list_id: endpoint_list
                    name: Endpoint Security Exception List
                    namespace_type: agnostic
                    os_types: []
                    tags: []
                    tie_breaker_id: e3c5a8e0-5b6a-4b4b-8b3a-2e23a8c4ef7e
                    type: endpoint
                    updated_at: '2025-01-01T00:00:00.000Z'
                    updated_by: elastic
                    version: 1
              schema:
                $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_EndpointList'
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                badRequest:
                  value:
                    error: Bad Request
                    message: '[request body]: expected value of type [object] but got [undefined]'
                    statusCode: 400
              schema:
                oneOf:
                  - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
                  - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
          description: Invalid input data
        '401':
          content:
            application/json:
              examples:
                unauthorized:
                  value:
                    error: Unauthorized
                    message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]"
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
          description: Unsuccessful authentication
        '403':
          content:
            application/json:
              examples:
                forbidden:
                  value:
                    error: Forbidden
                    message: API [POST /api/endpoint_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]
                    statusCode: 403
              schema:
                $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
          description: Insufficient privileges
        '500':
          content:
            application/json:
              examples:
                serverError:
                  value:
                    message: Internal Server Error
                    status_code: 500
              schema:
                $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
          description: Internal server error
      summary: Create an Elastic Endpoint rule exception list
      tags:
        - Security Endpoint Exceptions API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/endpoint_list/items:
    delete:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/endpoint_list/items</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Delete an Elastic Endpoint exception list item, specified by the `id` or `item_id` field.
      operationId: DeleteEndpointListItem
      parameters:
        - description: Either `id` or `item_id` must be specified
          in: query
          name: id
          required: false
          schema:
            $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId'
        - description: Either `id` or `item_id` must be specified
          in: query
          name: item_id
          required: false
          schema:
            $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId'
      responses:
        '200':
          content:
            application/json:
              examples:
                deleted:
                  summary: Deleted endpoint exception list item
                  value:
                    comments: []
                    created_at: '2025-01-01T12:00:00.000Z'
                    created_by: elastic
                    description: Blocks a known malicious file by its hash
                    entries:
                      - field: file.hash.sha256
                        operator: included
                        type: match
                        value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
                    id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e
                    item_id: block-malicious-file
                    list_id: endpoint_list
                    name: Block malicious file
                    namespace_type: agnostic
                    os_types:
                      - windows
                    tags: []
                    tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890
                    type: simple
                    updated_at: '2025-01-01T12:00:00.000Z'
                    updated_by: elastic
              schema:
                $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem'
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                badRequest:
                  value:
                    error: Bad Request
                    message: Either "item_id" or "id" needs to be defined in the request
                    statusCode: 400
              schema:
                oneOf:
                  - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
                  - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
          description: Invalid input data
        '401':
          content:
            application/json:
              examples:
                unauthorized:
                  value:
                    error: Unauthorized
                    message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]"
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
          description: Unsuccessful authentication
        '403':
          content:
            application/json:
              examples:
                forbidden:
                  value:
                    error: Forbidden
                    message: API [DELETE /api/endpoint_list/items?item_id=block-malicious-file] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]
                    statusCode: 403
              schema:
                $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
          description: Insufficient privileges
        '404':
          content:
            application/json:
              examples:
                notFound:
                  value:
                    message: 'exception list item item_id: "block-malicious-file" does not exist'
                    status_code: 404
              schema:
                $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
          description: Endpoint list item not found
        '500':
          content:
            application/json:
              examples:
                serverError:
                  value:
                    message: Internal Server Error
                    status_code: 500
              schema:
                $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
          description: Internal server error
      summary: Delete an Elastic Endpoint exception list item
      tags:
        - Security Endpoint Exceptions API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/endpoint_list/items</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get the details of an Elastic Endpoint exception list item, specified by the `id` or `item_id` field.
      operationId: ReadEndpointListItem
      parameters:
        - description: Either `id` or `item_id` must be specified
          in: query
          name: id
          required: false
          schema:
            $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId'
        - description: Either `id` or `item_id` must be specified
          in: query
          name: item_id
          required: false
          schema:
            $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId'
      responses:
        '200':
          content:
            application/json:
              examples:
                item:
                  summary: Endpoint exception list item
                  value:
                    comments: []
                    created_at: '2025-01-01T12:00:00.000Z'
                    created_by: elastic
                    description: Blocks a known malicious file by its hash
                    entries:
                      - field: file.hash.sha256
                        operator: included
                        type: match
                        value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
                    id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e
                    item_id: block-malicious-file
                    list_id: endpoint_list
                    name: Block malicious file
                    namespace_type: agnostic
                    os_types:
                      - windows
                    tags:
                      - policy:all
                    tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890
                    type: simple
                    updated_at: '2025-01-01T12:00:00.000Z'
                    updated_by: elastic
              schema:
                $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem'
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                badRequest:
                  value:
                    error: Bad Request
                    message: id or item_id required
                    statusCode: 400
              schema:
                oneOf:
                  - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
                  - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
          description: Invalid input data
        '401':
          content:
            application/json:
              examples:
                unauthorized:
                  value:
                    error: Unauthorized
                    message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]"
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
          description: Unsuccessful authentication
        '403':
          content:
            application/json:
              examples:
                forbidden:
                  value:
                    error: Forbidden
                    message: API [GET /api/endpoint_list/items?item_id=block-malicious-file] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]
                    statusCode: 403
              schema:
                $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
          description: Insufficient privileges
        '404':
          content:
            application/json:
              examples:
                notFound:
                  value:
                    message: 'exception list item item_id: "block-malicious-file" does not exist'
                    status_code: 404
              schema:
                $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
          description: Endpoint list item not found
        '500':
          content:
            application/json:
              examples:
                serverError:
                  value:
                    message: Internal Server Error
                    status_code: 500
              schema:
                $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
          description: Internal server error
      summary: Get an Elastic Endpoint rule exception list item
      tags:
        - Security Endpoint Exceptions API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/endpoint_list/items</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Create an Elastic Endpoint exception list item, and associate it with the Elastic Endpoint exception list.
      operationId: CreateEndpointListItem
      requestBody:
        content:
          application/json:
            examples:
              matchAny:
                summary: Exclude multiple process names
                value:
                  description: Exclude common security tools from endpoint protection
                  entries:
                    - field: process.name
                      operator: included
                      type: match_any
                      value:
                        - scanner.exe
                        - updater.exe
                  name: Trusted security tools
                  os_types:
                    - windows
                  type: simple
              simpleMatch:
                summary: Block a specific file hash
                value:
                  description: Blocks a known malicious file by its hash
                  entries:
                    - field: file.hash.sha256
                      operator: included
                      type: match
                      value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
                  name: Block malicious file
                  os_types:
                    - windows
                  tags:
                    - policy:all
                  type: simple
            schema:
              type: object
              properties:
                comments:
                  $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray'
                  default: []
                description:
                  $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription'
                entries:
                  $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray'
                item_id:
                  $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId'
                meta:
                  $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta'
                name:
                  $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName'
                os_types:
                  $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray'
                  default: []
                tags:
                  $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags'
                  default: []
                type:
                  $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType'
              required:
                - type
                - name
                - description
                - entries
        description: Exception list item's properties
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                created:
                  summary: Endpoint exception list item created
                  value:
                    comments: []
                    created_at: '2025-01-01T12:00:00.000Z'
                    created_by: elastic
                    description: Blocks a known malicious file by its hash
                    entries:
                      - field: file.hash.sha256
                        operator: included
                        type: match
                        value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
                    id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e
                    item_id: block-malicious-file
                    list_id: endpoint_list
                    name: Block malicious file
                    namespace_type: agnostic
                    os_types:
                      - windows
                    tags:
                      - policy:all
                    tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890
                    type: simple
                    updated_at: '2025-01-01T12:00:00.000Z'
                    updated_by: elastic
              schema:
                $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem'
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                badRequest:
                  value:
                    error: Bad Request
                    message: '[request body]: name: Required'
                    statusCode: 400
              schema:
                oneOf:
                  - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
                  - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
          description: Invalid input data
        '401':
          content:
            application/json:
              examples:
                unauthorized:
                  value:
                    error: Unauthorized
                    message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]"
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
          description: Unsuccessful authentication
        '403':
          content:
            application/json:
              examples:
                forbidden:
                  value:
                    error: Forbidden
                    message: API [POST /api/endpoint_list/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]
                    statusCode: 403
              schema:
                $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
          description: Insufficient privileges
        '409':
          content:
            application/json:
              examples:
                alreadyExists:
                  value:
                    message: 'exception list item id: "block-malicious-file" already exists'
                    status_code: 409
              schema:
                $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
          description: Endpoint list item already exists
        '500':
          content:
            application/json:
              examples:
                serverError:
                  value:
                    message: Internal Server Error
                    status_code: 500
              schema:
                $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
          description: Internal server error
      summary: Create an Elastic Endpoint rule exception list item
      tags:
        - Security Endpoint Exceptions API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    put:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb put">put</span>&nbsp;<span class="operation-path">/s/{space_id}/api/endpoint_list/items</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Update an Elastic Endpoint exception list item, specified by the `id` or `item_id` field.
      operationId: UpdateEndpointListItem
      requestBody:
        content:
          application/json:
            examples:
              updateName:
                summary: Update an endpoint exception list item
                value:
                  description: Updated description for the exception
                  entries:
                    - field: file.hash.sha256
                      operator: included
                      type: match
                      value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
                  item_id: block-malicious-file
                  name: Block malicious file (updated)
                  os_types:
                    - windows
                    - linux
                  type: simple
            schema:
              type: object
              properties:
                _version:
                  description: The version id, normally returned by the API when the item is retrieved. Use it to ensure updates are made against the latest version.
                  type: string
                comments:
                  $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray'
                  default: []
                description:
                  $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription'
                entries:
                  $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray'
                id:
                  $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId'
                  description: Either `id` or `item_id` must be specified
                item_id:
                  $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId'
                  description: Either `id` or `item_id` must be specified
                meta:
                  $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta'
                name:
                  $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName'
                os_types:
                  $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray'
                  default: []
                tags:
                  $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags'
                type:
                  $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType'
              required:
                - type
                - name
                - description
                - entries
        description: Exception list item's properties
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                updated:
                  summary: Endpoint exception list item updated
                  value:
                    comments: []
                    created_at: '2025-01-01T12:00:00.000Z'
                    created_by: elastic
                    description: Updated description for the exception
                    entries:
                      - field: file.hash.sha256
                        operator: included
                        type: match
                        value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
                    id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e
                    item_id: block-malicious-file
                    list_id: endpoint_list
                    name: Block malicious file (updated)
                    namespace_type: agnostic
                    os_types:
                      - windows
                      - linux
                    tags:
                      - policy:all
                    tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890
                    type: simple
                    updated_at: '2025-01-15T09:30:00.000Z'
                    updated_by: elastic
              schema:
                $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem'
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                badRequest:
                  value:
                    error: Bad Request
                    message: '[request body]: name: Required'
                    statusCode: 400
              schema:
                oneOf:
                  - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
                  - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
          description: Invalid input data
        '401':
          content:
            application/json:
              examples:
                unauthorized:
                  value:
                    error: Unauthorized
                    message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]"
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
          description: Unsuccessful authentication
        '403':
          content:
            application/json:
              examples:
                forbidden:
                  value:
                    error: Forbidden
                    message: API [PUT /api/endpoint_list/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]
                    statusCode: 403
              schema:
                $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
          description: Insufficient privileges
        '404':
          content:
            application/json:
              examples:
                notFound:
                  value:
                    message: 'list item item_id: "block-malicious-file" not found'
                    status_code: 404
              schema:
                $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
          description: Endpoint list item not found
        '500':
          content:
            application/json:
              examples:
                serverError:
                  value:
                    message: Internal Server Error
                    status_code: 500
              schema:
                $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
          description: Internal server error
      summary: Update an Elastic Endpoint rule exception list item
      tags:
        - Security Endpoint Exceptions API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/endpoint_list/items/_find:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/endpoint_list/items/_find</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get a list of all Elastic Endpoint exception list items.
      operationId: FindEndpointListItems
      parameters:
        - description: |
            Filters the returned results according to the value of the specified field,
            using the `<field name>:<field value>` syntax.
          in: query
          name: filter
          required: false
          schema:
            $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
        - description: The page number to return
          in: query
          name: page
          required: false
          schema:
            minimum: 0
            type: integer
        - description: The number of exception list items to return per page
          in: query
          name: per_page
          required: false
          schema:
            minimum: 0
            type: integer
        - description: Determines which field is used to sort the results
          in: query
          name: sort_field
          required: false
          schema:
            $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
        - description: Determines the sort order, which can be `desc` or `asc`
          in: query
          name: sort_order
          required: false
          schema:
            enum:
              - desc
              - asc
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                foundItems:
                  summary: Found endpoint exception list items
                  value:
                    data:
                      - comments: []
                        created_at: '2025-01-01T12:00:00.000Z'
                        created_by: elastic
                        description: Blocks a known malicious file by its hash
                        entries:
                          - field: file.hash.sha256
                            operator: included
                            type: match
                            value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
                        id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e
                        item_id: block-malicious-file
                        list_id: endpoint_list
                        name: Block malicious file
                        namespace_type: agnostic
                        os_types:
                          - windows
                        tags:
                          - policy:all
                        tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890
                        type: simple
                        updated_at: '2025-01-01T12:00:00.000Z'
                        updated_by: elastic
                    page: 1
                    per_page: 20
                    total: 1
              schema:
                type: object
                properties:
                  data:
                    description: The list of endpoint exception list items.
                    items:
                      $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem'
                    type: array
                  page:
                    description: The current page number.
                    minimum: 0
                    type: integer
                  per_page:
                    description: The number of items per page.
                    minimum: 0
                    type: integer
                  pit:
                    description: The point-in-time ID for pagination.
                    type: string
                  total:
                    description: The total number of endpoint exception list items.
                    minimum: 0
                    type: integer
                required:
                  - data
                  - page
                  - per_page
                  - total
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                badRequest:
                  value:
                    error: Bad Request
                    message: '[request query]: page: Expected number, received string'
                    statusCode: 400
              schema:
                oneOf:
                  - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
                  - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
          description: Invalid input data
        '401':
          content:
            application/json:
              examples:
                unauthorized:
                  value:
                    error: Unauthorized
                    message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]"
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
          description: Unsuccessful authentication
        '403':
          content:
            application/json:
              examples:
                forbidden:
                  value:
                    error: Forbidden
                    message: API [GET /api/endpoint_list/items/_find] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]
                    statusCode: 403
              schema:
                $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
          description: Insufficient privileges
        '404':
          content:
            application/json:
              examples:
                notFound:
                  value:
                    message: 'list id: "endpoint_list" does not exist'
                    status_code: 404
              schema:
                $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
          description: Endpoint list not found
        '500':
          content:
            application/json:
              examples:
                serverError:
                  value:
                    message: Internal Server Error
                    status_code: 500
              schema:
                $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
          description: Internal server error
      summary: Get Elastic Endpoint exception list items
      tags:
        - Security Endpoint Exceptions API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/endpoint/action:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/endpoint/action</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get a list of all response actions.
      operationId: EndpointGetActionsList
      parameters:
        - description: The page number to return.
          in: query
          name: page
          required: false
          schema:
            $ref: '#/components/schemas/Security_Endpoint_Management_API_Page'
        - description: The number of response actions to return per page.
          in: query
          name: pageSize
          required: false
          schema:
            $ref: '#/components/schemas/Security_Endpoint_Management_API_PageSize'
        - description: A list of response action command names to filter by.
          in: query
          name: commands
          required: false
          schema:
            $ref: '#/components/schemas/Security_Endpoint_Management_API_Commands'
        - description: A list of Elastic Agent IDs to filter the response actions by.
          in: query
          name: agentIds
          required: false
          schema:
            $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds'
        - description: A list of user IDs that submitted the response actions.
          in: query
          name: userIds
          required: false
          schema:
            $ref: '#/components/schemas/Security_Endpoint_Management_API_UserIds'
        - description: A start date in ISO 8601 format or Date Math format (for example, `now-24h`).
          in: query
          name: startDate
          required: false
          schema:
            $ref: '#/components/schemas/Security_Endpoint_Management_API_StartDate'
        - description: An end date in ISO 8601 format or Date Math format (for example, `now`).
          in: query
          name: endDate
          required: false
          schema:
            $ref: '#/components/schemas/Security_Endpoint_Management_API_EndDate'
        - description: The agent type to filter response actions by. Defaults to `endpoint`.
          in: query
          name: agentTypes
          required: false
          schema:
            $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
        - description: A list of response action IDs whose outputs should be included in the response.
          in: query
          name: withOutputs
          required: false
          schema:
            $ref: '#/components/schemas/Security_Endpoint_Management_API_WithOutputs'
        - description: A list of response action types to filter by (`automated`, `manual`).
          in: query
          name: types
          required: false
          schema:
            $ref: '#/components/schemas/Security_Endpoint_Management_API_Types'
      responses:
        '200':
          content:
            application/json:
              examples:
                actionsList:
                  summary: A list of response actions
                  value:
                    data:
                      - agents:
                          - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
                        agentType: endpoint
                        command: running-processes
                        completedAt: '2022-08-08T09:50:47.672Z'
                        createdBy: elastic
                        id: b3d6de74-36b0-4fa8-be46-c375bf1771bf
                        isCompleted: true
                        isExpired: false
                        startedAt: '2022-08-08T15:24:57.402Z'
                        wasSuccessful: true
                      - agents:
                          - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
                        agentType: endpoint
                        command: isolate
                        completedAt: '2022-08-08T10:41:57.352Z'
                        createdBy: elastic
                        id: 43b4098b-8752-4fbb-a7a7-6df7c74d0ee3
                        isCompleted: true
                        isExpired: false
                        startedAt: '2022-08-08T15:23:37.359Z'
                        wasSuccessful: true
                    elasticAgentIds:
                      - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
                    endDate: now
                    page: 1
                    pageSize: 10
                    startDate: now-24h/h
                    total: 2
              schema:
                $ref: '#/components/schemas/Security_Endpoint_Management_API_GetEndpointActionListResponse'
          description: Indicates a successful call.
      summary: Get response actions
      tags:
        - Security Endpoint Management API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/endpoint/action_status:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/endpoint/action_status</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get the status of response actions for the specified agent IDs.
      operationId: EndpointGetActionsStatus
      parameters:
        - description: A list of agent IDs to get the action status for.
          in: query
          name: agent_ids
          required: true
          schema:
            $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds'
      responses:
        '200':
          content:
            application/json:
              examples:
                actionStatus:
                  summary: Pending response actions per agent
                  value:
                    data:
                      - agent_id: afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
                        pending_actions:
                          execute: 0
                          get-file: 0
                          isolate: 0
                          kill-process: 1
                          running-processes: 0
                          scan: 0
                          unisolate: 0
                          upload: 0
              schema:
                $ref: '#/components/schemas/Security_Endpoint_Management_API_ActionStatusSuccessResponse'
          description: Indicates a successful call.
      summary: Get response actions status
      tags:
        - Security Endpoint Management API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/endpoint/action/{action_id}:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/endpoint/action/{action_id}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get the details of a response action using the action ID.
      operationId: EndpointGetActionsDetails
      parameters:
        - description: The ID of the response action to retrieve.
          in: path
          name: action_id
          required: true
          schema:
            example: fr518850-681a-4y60-aa98-e22640cae2b8
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                actionDetails:
                  summary: Details of an isolate response action
                  value:
                    data:
                      agents:
                        - ed518850-681a-4d60-bb98-e22640cae2a8
                      agentType: endpoint
                      command: isolate
                      completedAt: '2022-08-08T10:41:57.352Z'
                      createdBy: elastic
                      id: 233db9ea-6733-4849-9226-5a7039c7161d
                      isCompleted: true
                      isExpired: false
                      startedAt: '2022-08-08T15:23:37.359Z'
                      wasSuccessful: true
              schema:
                $ref: '#/components/schemas/Security_Endpoint_Management_API_ActionDetailsResponse'
          description: OK
      summary: Get action details
      tags:
        - Security Endpoint Management API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/endpoint/action/{action_id}/file/{file_id}:
    get:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/endpoint/action/{action_id}/file/{file_id}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get information for the specified response action file download.
      operationId: EndpointFileInfo
      parameters:
        - description: The ID of the response action that generated the file.
          in: path
          name: action_id
          required: true
          schema:
            type: string
        - description: |
            The file identifier is constructed in one of two ways:
            - For Elastic Defend agents (`agentType` of `endpoint`): combine the `action_id` and `agent_id` values using a dot (`.`) separator:
            `{file_id}` = `{action_id}.{agent_id}`
            - For all other agent types: the `file_id` is the `agent_id` that the response action was sent to.
          in: path
          name: file_id
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                fileInfo:
                  summary: File information for a response action upload
                  value:
                    data:
                      actionId: 233db9ea-6733-4849-9226-5a7039c7161d
                      agentId: ed518850-681a-4d60-bb98-e22640cae2a8
                      agentType: endpoint
                      created: '2025-02-26T13:37:30.452Z'
                      id: 233db9ea-6733-4849-9226-5a7039c7161d.ed518850-681a-4d60-bb98-e22640cae2a8
                      mimeType: application/zip
                      name: memory_dump.zip
                      size: 1048576
                      status: READY
              schema:
                properties:
                  data:
                    type: object
                    properties:
                      actionId:
                        description: The response action ID.
                        type: string
                      agentId:
                        description: The agent ID that generated the file.
                        type: string
                      agentType:
                        description: The type of agent that generated the file.
                        type: string
                      created:
                        description: The date and time the file was created.
                        format: date-time
                        type: string
                      id:
                        description: The unique file identifier.
                        type: string
                      mimeType:
                        description: The MIME type of the file.
                        type: string
                      name:
                        description: The file name.
                        type: string
                      size:
                        description: The file size in bytes.
                        type: number
                      status:
                        description: The file upload status.
                        enum:
                          - AWAITING_UPLOAD
                          - UPLOADING
                          - READY
                          - UPLOAD_ERROR
                          - DELETED
                        type: string
          description: Indicates a successful call.
      summary: Get file information
      tags:
        - Security Endpoint Management API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/endpoint/action/{action_id}/file/{file_id}/download:
    get:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/endpoint/action/{action_id}/file/{file_id}/download</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Download a file associated with a response action. Files are downloaded in a password-protected `.zip` archive to prevent the file from running. Use password `elastic` to open the `.zip` in a safe environment.
        > info
        > Files retrieved from third-party-protected hosts require a different password. Refer to [Third-party response actions](https://www.elastic.co/docs/solutions/security/endpoint-response-actions/third-party-response-actions) for your system's password.
      operationId: EndpointFileDownload
      parameters:
        - description: The ID of the response action that generated the file.
          in: path
          name: action_id
          required: true
          schema:
            type: string
        - description: |
            The file identifier is constructed in one of two ways:
            - For Elastic Defend agents (`agentType` of `endpoint`): combine the `action_id` and `agent_id` values using a dot (`.`) separator:
            `{file_id}` = `{action_id}.{agent_id}`
            - For all other agent types: the `file_id` is the `agent_id` that the response action was sent to.
          in: path
          name: file_id
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/octet-stream:
              examples:
                fileDownload:
                  summary: Password-protected ZIP archive containing the response action file
                  value: binary file content (password-protected .zip)
              schema:
                format: binary
                type: string
          description: Indicates a successful call.
      summary: Download a file
      tags:
        - Security Endpoint Management API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/endpoint/action/cancel:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/endpoint/action/cancel</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Cancel a running or pending response action (applies only to some agent types).
      operationId: CancelAction
      requestBody:
        content:
          application/json:
            examples:
              MicrosoftDefenderEndpoint:
                summary: Cancel a response action on a Microsoft Defender for Endpoint host
                value:
                  agent_type: microsoft_defender_endpoint
                  comment: Cancelling action due to change in requirements
                  endpoint_ids:
                    - ed518850-681a-4d60-bb98-e22640cae2a8
                  parameters:
                    id: 7f8c9b2a-4d3e-4f5a-8b1c-2e3f4a5b6c7d
            schema:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_CancelRouteRequestBody'
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                CancelSuccess:
                  summary: Cancel action successfully created
                  value:
                    data:
                      agents:
                        - ed518850-681a-4d60-bb98-e22640cae2a8
                      agentState:
                        ed518850-681a-4d60-bb98-e22640cae2a8:
                          isCompleted: false
                          wasSuccessful: false
                      agentType: microsoft_defender_endpoint
                      command: cancel
                      createdBy: elastic
                      hosts:
                        ed518850-681a-4d60-bb98-e22640cae2a8:
                          name: gke-node-1235412
                      id: 233db9ea-6733-4849-9226-5a7039c7161d
                      isCompleted: false
                      isExpired: false
                      outputs: {}
                      parameters:
                        id: 7f8c9b2a-4d3e-4f5a-8b1c-2e3f4a5b6c7d
                      startedAt: '2022-07-29T19:08:49.126Z'
                      status: pending
                      wasSuccessful: false
              schema:
                $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse'
          description: Indicates a successful call.
      summary: Cancel a response action
      tags:
        - Security Endpoint Management API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/endpoint/action/execute:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/endpoint/action/execute</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Run a shell command on an endpoint.
      operationId: EndpointExecuteAction
      requestBody:
        content:
          application/json:
            examples:
              executeCommand:
                summary: Execute a shell command on an endpoint
                value:
                  comment: Get list of all files
                  endpoint_ids:
                    - b3d6de74-36b0-4fa8-be46-c375bf1771bf
                  parameters:
                    command: ls -al
                    timeout: 600
            schema:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_ExecuteRouteRequestBody'
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                ExecuteSuccess:
                  summary: Execute action successfully created
                  value:
                    data:
                      agents:
                        - ed518850-681a-4d60-bb98-e22640cae2a8
                      agentState:
                        ed518850-681a-4d60-bb98-e22640cae2a8:
                          isCompleted: false
                          wasSuccessful: false
                      agentType: endpoint
                      command: execute
                      createdBy: elastic
                      hosts:
                        ed518850-681a-4d60-bb98-e22640cae2a8:
                          name: gke-node-1235412
                      id: 9f934028-2300-4927-b531-b26376793dc4
                      isCompleted: false
                      isExpired: false
                      outputs: {}
                      parameters:
                        command: ls -al
                        timeout: 600
                      startedAt: '2023-07-28T18:43:27.362Z'
                      status: pending
                      wasSuccessful: false
              schema:
                $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse'
          description: Indicates a successful call.
      summary: Run a command
      tags:
        - Security Endpoint Management API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/endpoint/action/get_file:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/endpoint/action/get_file</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get a file from an endpoint.
      operationId: EndpointGetFileAction
      requestBody:
        content:
          application/json:
            examples:
              getFile:
                summary: Get a specific file from an endpoint
                value:
                  comment: Get my file
                  endpoint_ids:
                    - ed518850-681a-4d60-bb98-e22640cae2a8
                  parameters:
                    path: /usr/my-file.txt
            schema:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_GetFileRouteRequestBody'
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                GetFileSuccess:
                  summary: Get file action successfully created
                  value:
                    data:
                      agents:
                        - ed518850-681a-4d60-bb98-e22640cae2a8
                      agentState:
                        ed518850-681a-4d60-bb98-e22640cae2a8:
                          isCompleted: false
                          wasSuccessful: false
                      agentType: endpoint
                      command: get-file
                      createdBy: elastic
                      hosts:
                        ed518850-681a-4d60-bb98-e22640cae2a8:
                          name: gke-node-1235412
                      id: 27ba1b42-7cc6-4e53-86ce-675c876092b2
                      isCompleted: false
                      isExpired: false
                      outputs: {}
                      parameters:
                        path: /usr/my-file.txt
                      startedAt: '2023-07-28T19:00:03.911Z'
                      status: pending
                      wasSuccessful: false
              schema:
                $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse'
          description: Indicates a successful call.
      summary: Get a file
      tags:
        - Security Endpoint Management API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/endpoint/action/isolate:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/endpoint/action/isolate</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Isolate an endpoint from the network. The endpoint remains isolated until it's released.
      operationId: EndpointIsolateAction
      requestBody:
        content:
          application/json:
            examples:
              multiple_endpoints:
                summary: Isolates several hosts; includes a comment
                value:
                  comment: Locked down, pending further investigation
                  endpoint_ids:
                    - 9972d10e-4b9e-41aa-a534-a85e2a28ea42
                    - bc0e4f0c-3bca-4633-9fee-156c0b505d16
                    - fa89271b-b9d4-43f2-a684-307cffddeb5a
              single_endpoint:
                summary: Isolates a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8
                value:
                  endpoint_ids:
                    - ed518850-681a-4d60-bb98-e22640cae2a8
              with_case_id:
                summary: Isolates two hosts and logs the action in the case given in case_ids
                value:
                  case_ids:
                    - 4976be38-c134-4554-bd5e-0fd89ce63667
                  comment: Isolating as initial response
                  endpoint_ids:
                    - 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0
                    - b30a11bf-1395-4707-b508-fbb45ef9793e
            schema:
              type: object
              properties:
                agent_type:
                  $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
                alert_ids:
                  description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50.
                  example:
                    - alert-id-1
                    - alert-id-2
                  items:
                    minLength: 1
                    type: string
                  maxItems: 50
                  minItems: 1
                  type: array
                case_ids:
                  description: The IDs of cases where the action taken will be logged. Max of 50.
                  example:
                    - case-id-1
                    - case-id-2
                  items:
                    minLength: 1
                    type: string
                  maxItems: 50
                  minItems: 1
                  type: array
                comment:
                  $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
                endpoint_ids:
                  $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
                parameters:
                  $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
              required:
                - endpoint_ids
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                IsolateSuccess:
                  summary: Isolate action successfully created
                  value:
                    action: 233db9ea-6733-4849-9226-5a7039c7161d
                    data:
                      agents:
                        - ed518850-681a-4d60-bb98-e22640cae2a8
                      agentState:
                        ed518850-681a-4d60-bb98-e22640cae2a8:
                          isCompleted: false
                          wasSuccessful: false
                      agentType: endpoint
                      command: isolate
                      createdBy: elastic
                      hosts:
                        ed518850-681a-4d60-bb98-e22640cae2a8:
                          name: gke-node-1235412
                      id: 233db9ea-6733-4849-9226-5a7039c7161d
                      isCompleted: false
                      isExpired: false
                      outputs: {}
                      startedAt: '2022-07-29T19:08:49.126Z'
                      status: pending
                      wasSuccessful: false
              schema:
                $ref: '#/components/schemas/Security_Endpoint_Management_API_IsolateRouteResponse'
          description: Indicates a successful call.
      summary: Isolate an endpoint
      tags:
        - Security Endpoint Management API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/endpoint/action/kill_process:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/endpoint/action/kill_process</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Terminate a running process on an endpoint.
      operationId: EndpointKillProcessAction
      requestBody:
        content:
          application/json:
            examples:
              byEntityId:
                summary: Terminate a process by entity ID
                value:
                  comment: Terminating malicious process
                  endpoint_ids:
                    - ed518850-681a-4d60-bb98-e22640cae2a8
                  parameters:
                    entity_id: abc123
              byPid:
                summary: Terminate a process by PID
                value:
                  endpoint_ids:
                    - ed518850-681a-4d60-bb98-e22640cae2a8
                  parameters:
                    pid: 1234
            schema:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_KillProcessRouteRequestBody'
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                KillProcessSuccess:
                  summary: Kill process action successfully created
                  value:
                    data:
                      agents:
                        - ed518850-681a-4d60-bb98-e22640cae2a8
                      agentState:
                        ed518850-681a-4d60-bb98-e22640cae2a8:
                          isCompleted: false
                          wasSuccessful: false
                      agentType: endpoint
                      command: kill-process
                      createdBy: elastic
                      hosts:
                        ed518850-681a-4d60-bb98-e22640cae2a8:
                          name: gke-node-1235412
                      id: 233db9ea-6733-4849-9226-5a7039c7161d
                      isCompleted: false
                      isExpired: false
                      outputs: {}
                      parameters:
                        entity_id: abc123
                      startedAt: '2022-07-29T19:08:49.126Z'
                      status: pending
                      wasSuccessful: false
              schema:
                $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse'
          description: Indicates a successful call.
      summary: Terminate a process
      tags:
        - Security Endpoint Management API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/endpoint/action/memory_dump:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/endpoint/action/memory_dump</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Generates memory dumps on the targeted host.
      operationId: EndpointGenerateMemoryDump
      requestBody:
        content:
          application/json:
            examples:
              ProcessMemoryDump:
                summary: Generate a memory dump from the host machine
                value:
                  agent_type: endpoint
                  comment: Generating memory dump for investigation
                  endpoint_ids:
                    - ed518850-681a-4d60-bb98-e22640cae2a8
                  parameters:
                    entity_id: abc123
                    type: process
            schema:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_MemoryDumpRouteRequestBody'
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                MemoryDumpSuccessResponse:
                  summary: Memory dump action successfully created
                  value:
                    data:
                      agents:
                        - ed518850-681a-4d60-bb98-e22640cae2a8
                      agentState:
                        ed518850-681a-4d60-bb98-e22640cae2a8:
                          isCompleted: false
                          wasSuccessful: false
                      agentType: endpoint
                      command: memory-dump
                      createdBy: elastic
                      hosts:
                        ed518850-681a-4d60-bb98-e22640cae2a8:
                          name: gke-node-1235412
                      id: 233db9ea-6733-4849-9226-5a7039c7161d
                      isCompleted: false
                      isExpired: false
                      outputs: {}
                      parameters:
                        entity_id: abc123
                        type: process
                      startedAt: '2022-07-29T19:08:49.126Z'
                      status: pending
                      wasSuccessful: false
              schema:
                $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse'
          description: Indicates a successful call.
      summary: Generate a memory dump from the host machine
      tags:
        - Security Endpoint Management API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/endpoint/action/running_procs:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/endpoint/action/running_procs</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get a list of all processes running on an endpoint.
      operationId: EndpointGetProcessesAction
      requestBody:
        content:
          application/json:
            examples:
              singleEndpoint:
                summary: Get running processes on a single endpoint
                value:
                  endpoint_ids:
                    - ed518850-681a-4d60-bb98-e22640cae2a8
            schema:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_GetProcessesRouteRequestBody'
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                RunningProcsSuccess:
                  summary: Running processes action successfully created
                  value:
                    data:
                      agents:
                        - ed518850-681a-4d60-bb98-e22640cae2a8
                      agentState:
                        ed518850-681a-4d60-bb98-e22640cae2a8:
                          isCompleted: false
                          wasSuccessful: false
                      agentType: endpoint
                      command: running-processes
                      createdBy: elastic
                      hosts:
                        ed518850-681a-4d60-bb98-e22640cae2a8:
                          name: gke-node-1235412
                      id: 233db9ea-6733-4849-9226-5a7039c7161d
                      isCompleted: false
                      isExpired: false
                      outputs: {}
                      startedAt: '2022-07-29T19:08:49.126Z'
                      status: pending
                      wasSuccessful: false
              schema:
                $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse'
          description: Indicates a successful call.
      summary: Get running processes
      tags:
        - Security Endpoint Management API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/endpoint/action/runscript:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/endpoint/action/runscript</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Run a script on a host. Currently supported only for some agent types.
      operationId: RunScriptAction
      requestBody:
        content:
          application/json:
            examples:
              Elastic Defend:
                description: Endpoint runscript to collect logs
                summary: Run a script against an Elastic Defend agent
                value:
                  agent_type: endpoint
                  endpoint_ids:
                    - ed518850-681a-4d60-bb98-e22640cae2a8
                  parameters:
                    scriptId: 1111-2222-3333-4444-5555-6666-7777-8888
                    scriptInput: '--path= /usr/log/exec.log'
              MDE:
                description: Microsoft Defender Endpoint runscript
                summary: Run a script against a Microsoft Defender Endpoint agent
                value:
                  agent_type: microsoft_defender_endpoint
                  endpoint_ids:
                    - ed518850-681a-4d60-bb98-e22640cae2a8
                  parameters:
                    args: '-param1 value1 -param2 value2'
                    scriptName: my-script.ps1
              SentinelOne:
                description: SentinelOne runscript
                summary: Run a script against a SentinelOne agent
                value:
                  agent_type: sentinel_one
                  endpoint_ids:
                    - ed518850-681a-4d60-bb98-e22640cae2a8
                  parameters:
                    scriptId: 1111-2222-3333-4444-5555-6666-7777-8888
                    scriptInput: '--delete --paths-to-delete /tmp/temp_file.txt,/tmp/random_file.txt'
            schema:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_RunScriptRouteRequestBody'
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                RunScriptSuccess:
                  summary: Run script action successfully created
                  value:
                    data:
                      agents:
                        - ed518850-681a-4d60-bb98-e22640cae2a8
                      agentState:
                        ed518850-681a-4d60-bb98-e22640cae2a8:
                          isCompleted: false
                          wasSuccessful: false
                      agentType: sentinel_one
                      command: runscript
                      createdBy: elastic
                      hosts:
                        ed518850-681a-4d60-bb98-e22640cae2a8:
                          name: gke-node-1235412
                      id: 233db9ea-6733-4849-9226-5a7039c7161d
                      isCompleted: false
                      isExpired: false
                      outputs: {}
                      parameters:
                        scriptId: 1111-2222-3333-4444-5555-6666-7777-8888
                      startedAt: '2022-07-29T19:08:49.126Z'
                      status: pending
                      wasSuccessful: false
              schema:
                $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse'
          description: Indicates a successful call.
      summary: Run a script
      tags:
        - Security Endpoint Management API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/endpoint/action/scan:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/endpoint/action/scan</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Scan a specific file or directory on an endpoint for malware.
      operationId: EndpointScanAction
      requestBody:
        content:
          application/json:
            examples:
              scanFile:
                summary: Scan a file on an endpoint
                value:
                  comment: Scan the file for malware
                  endpoint_ids:
                    - ed518850-681a-4d60-bb98-e22640cae2a8
                  parameters:
                    path: /usr/my-file.txt
            schema:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_ScanRouteRequestBody'
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                ScanSuccess:
                  summary: Scan action successfully created
                  value:
                    data:
                      agents:
                        - ed518850-681a-4d60-bb98-e22640cae2a8
                      agentState:
                        ed518850-681a-4d60-bb98-e22640cae2a8:
                          isCompleted: false
                          wasSuccessful: false
                      agentType: endpoint
                      command: scan
                      createdBy: elastic
                      hosts:
                        ed518850-681a-4d60-bb98-e22640cae2a8:
                          name: gke-node-1235412
                      id: 27ba1b42-7cc6-4e53-86ce-675c876092b2
                      isCompleted: false
                      isExpired: false
                      outputs: {}
                      parameters:
                        path: /usr/my-file.txt
                      startedAt: '2023-07-28T19:00:03.911Z'
                      status: pending
                      wasSuccessful: false
              schema:
                $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse'
          description: Indicates a successful call.
      summary: Scan a file or directory
      tags:
        - Security Endpoint Management API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/endpoint/action/state:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/endpoint/action/state</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get the response actions state, which reports whether encryption is enabled.
      operationId: EndpointGetActionsState
      responses:
        '200':
          content:
            application/json:
              examples:
                actionsState:
                  summary: Response actions state with encryption enabled
                  value:
                    data:
                      canEncrypt: true
              schema:
                $ref: '#/components/schemas/Security_Endpoint_Management_API_ActionStateSuccessResponse'
          description: OK
      summary: Get actions state
      tags:
        - Security Endpoint Management API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/endpoint/action/suspend_process:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/endpoint/action/suspend_process</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Suspend a running process on an endpoint.
      operationId: EndpointSuspendProcessAction
      requestBody:
        content:
          application/json:
            examples:
              byEntityId:
                summary: Suspend a process by entity ID
                value:
                  comment: Suspending suspicious process
                  endpoint_ids:
                    - ed518850-681a-4d60-bb98-e22640cae2a8
                  parameters:
                    entity_id: abc123
              byPid:
                summary: Suspend a process by PID
                value:
                  endpoint_ids:
                    - ed518850-681a-4d60-bb98-e22640cae2a8
                  parameters:
                    pid: 1234
            schema:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_SuspendProcessRouteRequestBody'
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                SuspendProcessSuccess:
                  summary: Suspend process action successfully created
                  value:
                    data:
                      agents:
                        - ed518850-681a-4d60-bb98-e22640cae2a8
                      agentState:
                        ed518850-681a-4d60-bb98-e22640cae2a8:
                          isCompleted: false
                          wasSuccessful: false
                      agentType: endpoint
                      command: suspend-process
                      createdBy: elastic
                      hosts:
                        ed518850-681a-4d60-bb98-e22640cae2a8:
                          name: gke-node-1235412
                      id: 233db9ea-6733-4849-9226-5a7039c7161d
                      isCompleted: false
                      isExpired: false
                      outputs: {}
                      parameters:
                        entity_id: abc123
                      startedAt: '2022-07-29T19:08:49.126Z'
                      status: pending
                      wasSuccessful: false
              schema:
                $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse'
          description: Indicates a successful call.
      summary: Suspend a process
      tags:
        - Security Endpoint Management API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/endpoint/action/unisolate:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/endpoint/action/unisolate</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Release an isolated endpoint, allowing it to rejoin a network.
      operationId: EndpointUnisolateAction
      requestBody:
        content:
          application/json:
            examples:
              multipleHosts:
                summary: 'Releases several hosts; includes a comment.'
                value:
                  comment: Benign process identified, releasing group
                  endpoint_ids:
                    - 9972d10e-4b9e-41aa-a534-a85e2a28ea42
                    - bc0e4f0c-3bca-4633-9fee-156c0b505d16
                    - fa89271b-b9d4-43f2-a684-307cffddeb5a
              singleHost:
                summary: Releases a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8
                value:
                  endpoint_ids:
                    - ed518850-681a-4d60-bb98-e22640cae2a8
              withCaseId:
                summary: Releases hosts with an associated case; includes a comment.
                value:
                  case_ids:
                    - 4976be38-c134-4554-bd5e-0fd89ce63667
                  comment: Remediation complete, restoring network
                  endpoint_ids:
                    - 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0
                    - b30a11bf-1395-4707-b508-fbb45ef9793e
            schema:
              type: object
              properties:
                agent_type:
                  $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
                alert_ids:
                  description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50.
                  example:
                    - alert-id-1
                    - alert-id-2
                  items:
                    minLength: 1
                    type: string
                  maxItems: 50
                  minItems: 1
                  type: array
                case_ids:
                  description: The IDs of cases where the action taken will be logged. Max of 50.
                  example:
                    - case-id-1
                    - case-id-2
                  items:
                    minLength: 1
                    type: string
                  maxItems: 50
                  minItems: 1
                  type: array
                comment:
                  $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
                endpoint_ids:
                  $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
                parameters:
                  $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
              required:
                - endpoint_ids
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                UnisolateSuccess:
                  summary: Unisolate action successfully created
                  value:
                    action: 233db9ea-6733-4849-9226-5a7039c7161d
                    data:
                      agents:
                        - ed518850-681a-4d60-bb98-e22640cae2a8
                      agentState:
                        ed518850-681a-4d60-bb98-e22640cae2a8:
                          isCompleted: false
                          wasSuccessful: false
                      agentType: endpoint
                      command: unisolate
                      createdBy: elastic
                      hosts:
                        ed518850-681a-4d60-bb98-e22640cae2a8:
                          name: gke-node-1235412
                      id: 233db9ea-6733-4849-9226-5a7039c7161d
                      isCompleted: false
                      isExpired: false
                      outputs: {}
                      startedAt: '2022-07-29T19:08:49.126Z'
                      status: pending
                      wasSuccessful: false
              schema:
                $ref: '#/components/schemas/Security_Endpoint_Management_API_UnisolateRouteResponse'
          description: Indicates a successful call.
      summary: Release an isolated endpoint
      tags:
        - Security Endpoint Management API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/endpoint/action/upload:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/endpoint/action/upload</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Upload a file to an endpoint.
      operationId: EndpointUploadAction
      requestBody:
        content:
          multipart/form-data:
            examples:
              uploadFile:
                summary: Upload a script file to a specific endpoint
                value:
                  comment: Pushing remediation script to host
                  endpoint_ids:
                    - ed518850-681a-4d60-bb98-e22640cae2a8
                  file: RWxhc3RpYw==
                  parameters:
                    overwrite: false
            schema:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_UploadRouteRequestBody'
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                UploadSuccess:
                  summary: Upload action successfully created
                  value:
                    data:
                      agents:
                        - ed518850-681a-4d60-bb98-e22640cae2a8
                      agentState:
                        ed518850-681a-4d60-bb98-e22640cae2a8:
                          isCompleted: false
                          wasSuccessful: false
                      agentType: endpoint
                      command: upload
                      createdBy: elastic
                      hosts:
                        ed518850-681a-4d60-bb98-e22640cae2a8:
                          name: Host-5i6cuc8kdv
                      id: 9ff6aebc-2cb6-481e-8869-9b30036c9731
                      isCompleted: false
                      isExpired: false
                      outputs: {}
                      parameters:
                        file_id: 10e4ce3d-4abb-4f93-a0cd-eaf63a489280
                        file_name: fix-malware.sh
                        file_sha256: a0bed94220193ba4895c0aa5b4e7e293381d15765cb164ddf7be5cdd010ae42a
                        file_size: 69
                      startedAt: '2023-07-03T15:07:22.837Z'
                      status: pending
                      wasSuccessful: false
              schema:
                $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse'
          description: Indicates a successful call.
      summary: Upload a file
      tags:
        - Security Endpoint Management API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/endpoint/metadata:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/endpoint/metadata</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get a list of all endpoint host metadata.
      operationId: GetEndpointMetadataList
      parameters:
        - description: The page number to return.
          in: query
          name: page
          required: false
          schema:
            $ref: '#/components/schemas/Security_Endpoint_Management_API_Page'
        - description: The number of endpoints to return per page.
          in: query
          name: pageSize
          required: false
          schema:
            $ref: '#/components/schemas/Security_Endpoint_Management_API_PageSize'
        - description: A KQL string to filter the endpoint metadata results.
          in: query
          name: kuery
          required: false
          schema:
            $ref: '#/components/schemas/Security_Endpoint_Management_API_Kuery'
        - description: A set of host statuses to filter the results by (for example, `healthy`, `updating`).
          in: query
          name: hostStatuses
          required: true
          schema:
            $ref: '#/components/schemas/Security_Endpoint_Management_API_HostStatuses'
        - description: The field used to sort the results.
          in: query
          name: sortField
          required: false
          schema:
            $ref: '#/components/schemas/Security_Endpoint_Management_API_SortField'
        - description: The sort order, either `asc` or `desc`.
          in: query
          name: sortDirection
          required: false
          schema:
            $ref: '#/components/schemas/Security_Endpoint_Management_API_SortDirection'
      responses:
        '200':
          content:
            application/json:
              examples:
                metadataList:
                  summary: A list of endpoint host metadata
                  value:
                    data:
                      - host_status: healthy
                        last_checkin: '2023-07-04T15:47:57.432Z'
                        metadata:
                          agent:
                            id: 285297c6-3bff-4b83-9a07-f3e749801123
                            type: endpoint
                            version: 8.10.0
                          Endpoint:
                            policy:
                              applied:
                                id: d5371dcd-93b7-4627-af88-4084f7d6aa3e
                                name: test
                                status: success
                            status: enrolled
                          host:
                            hostname: WinDev2104Eval
                            os:
                              name: Windows
                              platform: windows
                              version: 20H2
                    page: 0
                    pageSize: 10
                    sortDirection: desc
                    sortField: enrolled_at
                    total: 1
              schema:
                $ref: '#/components/schemas/Security_Endpoint_Management_API_MetadataListResponse'
          description: Indicates a successful call.
      summary: Get a metadata list
      tags:
        - Security Endpoint Management API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/endpoint/metadata/{id}:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/endpoint/metadata/{id}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get host metadata for a specific endpoint.
      operationId: GetEndpointMetadata
      parameters:
        - description: The agent ID of the endpoint.
          in: path
          name: id
          required: true
          schema:
            example: ed518850-681a-4d60-bb98-e22640cae2a8
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                endpointMetadata:
                  summary: Host metadata for a specific endpoint
                  value:
                    host_status: healthy
                    last_checkin: '2023-07-04T15:48:57.360Z'
                    metadata:
                      agent:
                        id: abb8a826-6812-448c-a571-6d8269b51449
                        type: endpoint
                        version: 8.10.0
                      Endpoint:
                        policy:
                          applied:
                            id: d5371dcd-93b7-4627-af88-4084f7d6aa3e
                            name: test
                            status: success
                        status: enrolled
                      host:
                        hostname: WinDev2104Eval
                        os:
                          name: Windows
                          platform: windows
                          version: 20H2
              schema:
                $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointMetadataResponse'
          description: Indicates a successful call.
      summary: Get metadata
      tags:
        - Security Endpoint Management API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/endpoint/policy_response:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/endpoint/policy_response</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get the most recent policy response for an endpoint.
      operationId: GetPolicyResponse
      parameters:
        - description: The agent ID to retrieve the policy response for.
          in: query
          name: agentId
          required: true
          schema:
            $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentId'
      responses:
        '200':
          content:
            application/json:
              examples:
                policyResponse:
                  summary: The most recent policy response for an endpoint
                  value:
                    policy_response:
                      '@timestamp': '2023-07-04T15:48:57.360Z'
                      agent:
                        id: ed518850-681a-4d60-bb98-e22640cae2a8
                        version: 7.16.0
                      Endpoint:
                        policy:
                          applied:
                            endpoint_policy_version: '2'
                            id: d5371dcd-93b7-4627-af88-4084f7d6aa3e
                            name: My endpoint policy
                            status: success
                            version: '3'
              schema:
                $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
          description: Indicates a successful call.
      summary: Get a policy response
      tags:
        - Security Endpoint Management API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/endpoint/protection_updates_note/{package_policy_id}:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/endpoint/protection_updates_note/{package_policy_id}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get the protection updates note for a package policy.
      operationId: GetProtectionUpdatesNote
      parameters:
        - description: The package policy ID to retrieve the protection updates note for.
          in: path
          name: package_policy_id
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                protectionUpdatesNote:
                  summary: The protection updates note for a package policy
                  value:
                    note: Pinned protection updates to 2025-01-01 while validating new signatures.
              schema:
                $ref: '#/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse'
          description: Indicates a successful call.
      summary: Get a protection updates note
      tags:
        - Security Endpoint Management API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/endpoint/protection_updates_note/{package_policy_id}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Create or update the protection updates note for a package policy.
      operationId: CreateUpdateProtectionUpdatesNote
      parameters:
        - description: The package policy ID to create or update the protection updates note for.
          in: path
          name: package_policy_id
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            examples:
              setNote:
                summary: Set a new protection updates note
                value:
                  note: Pinned protection updates to 2025-01-01 while validating new signatures.
            schema:
              type: object
              properties:
                note:
                  description: The note content.
                  type: string
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                noteSaved:
                  summary: Protection updates note saved
                  value:
                    note: Pinned protection updates to 2025-01-01 while validating new signatures.
              schema:
                $ref: '#/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse'
          description: Indicates a successful call.
      summary: Create or update a protection updates note
      tags:
        - Security Endpoint Management API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/endpoint/scripts_library:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/endpoint/scripts_library</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Retrieve a list of scripts.
      operationId: EndpointScriptLibraryListScripts
      parameters:
        - description: Page number of the results to return. Defaults to 1.
          in: query
          name: page
          required: false
          schema:
            $ref: '#/components/schemas/Security_Endpoint_Management_API_Page'
        - description: Number of results to return per page. Defaults to 10. Max value is 1000.
          in: query
          name: pageSize
          required: false
          schema:
            $ref: '#/components/schemas/Security_Endpoint_Management_API_ApiPageSize'
        - description: The field to sort the results by. Defaults to name.
          in: query
          name: sortField
          required: false
          schema:
            $ref: '#/components/schemas/Security_Endpoint_Management_API_ApiSortField'
        - description: The direction to sort the results by. Defaults to asc (ascending).
          in: query
          name: sortDirection
          required: false
          schema:
            $ref: '#/components/schemas/Security_Endpoint_Management_API_SortDirection'
        - description: |
            A KQL query string to filter the list of scripts. Nearly all fields in the script object are searchable.
          in: query
          name: kuery
          required: false
          schema:
            allOf:
              - $ref: '#/components/schemas/Security_Endpoint_Management_API_Kuery'
              - example: platform:windows
      responses:
        '200':
          content:
            application/json:
              examples:
                response:
                  summary: List of scripts response example
                  value:
                    data: []
                    page: 1
                    pageSize: 10
                    sortDirection: asc
                    sortField: name
                    total: 100
              schema:
                type: object
                properties:
                  data:
                    items:
                      $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointScript'
                    type: array
                  page:
                    $ref: '#/components/schemas/Security_Endpoint_Management_API_Page'
                  pageSize:
                    $ref: '#/components/schemas/Security_Endpoint_Management_API_ApiPageSize'
                  sortDirection:
                    $ref: '#/components/schemas/Security_Endpoint_Management_API_SortDirection'
                  sortField:
                    $ref: '#/components/schemas/Security_Endpoint_Management_API_ApiSortField'
                  total:
                    description: The total number of scripts matching the query
                    type: integer
          description: List of scripts response
      summary: Get a list of scripts
      tags:
        - Security Endpoint Management API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/endpoint/scripts_library</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Create a new script entry by uploading a script file.
      operationId: EndpointScriptLibraryCreateScript
      requestBody:
        content:
          multipart/form-data:
            examples:
              CreateArchiveScriptEntry:
                summary: Create an archive script entry
                value:
                  description: Collects host data for investigation
                  example: ./collect_host_data.sh --help
                  file: ./collect_host_data.zip
                  fileType: archive
                  instructions: Collects host data for investigation
                  name: Collect host data
                  pathToExecutable: ./bin/collect_host_data.sh
                  platform:
                    - linux
                    - macos
                  requiresInput: false
              CreateScriptEntry:
                summary: Create a script entry
                value:
                  description: Collects host data for investigation
                  example: ./collect_host_data.sh --help
                  file: ./collect_host_data.sh
                  fileType: script
                  instructions: Collects host data for investigation
                  name: Collect host data
                  platform:
                    - linux
                    - macos
                  requiresInput: false
            schema:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_CreateScriptRouteRequestBody'
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                CreateScriptEntrySuccess:
                  summary: Create a script entry
                  value:
                    data:
                      description: Collects host data for investigation
                      file: ./collect_host_data.sh
                      fileType: script
                      id: 1234567890
                      instructions: No arguments required
                      name: Collect host data
                      platform:
                        - linux
                        - macos
              schema:
                $ref: '#/components/schemas/Security_Endpoint_Management_API_ScriptsApiResponse'
          description: Script entry was successfully created
      summary: Create script
      tags:
        - Security Endpoint Management API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/endpoint/scripts_library/{script_id}:
    delete:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/endpoint/scripts_library/{script_id}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Delete a script.
      operationId: EndpointScriptLibraryDeleteScript
      parameters:
        - description: The ID of the script entry to be deleted.
          example: fr518850-681a-4y60-aa98-e22640cae2b8
          in: path
          name: script_id
          required: true
          schema:
            description: The ID of the script entry to be deleted.
            example: fr518850-681a-4y60-aa98-e22640cae2b8
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                response:
                  summary: Delete script response example.
                  value: {}
              schema:
                type: object
          description: Delete script response.
      summary: Delete a script
      tags:
        - Security Endpoint Management API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/endpoint/scripts_library/{script_id}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get a script.
      operationId: EndpointScriptLibraryGetOneScript
      parameters:
        - description: The ID of the script entry.
          example: fr518850-681a-4y60-aa98-e22640cae2b8
          in: path
          name: script_id
          required: true
          schema:
            description: The ID of the script entry.
            example: fr518850-681a-4y60-aa98-e22640cae2b8
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                UpdateScriptEntrySuccess:
                  summary: Get one script entry success
                  value:
                    data:
                      description: Collects host data for investigation
                      file: ./collect_host_data.sh
                      fileType: script
                      id: 1234567890
                      instructions: No arguments required
                      name: Collect host data
                      platform:
                        - linux
                        - macos
              schema:
                $ref: '#/components/schemas/Security_Endpoint_Management_API_ScriptsApiResponse'
          description: Get script response
      summary: Get script
      tags:
        - Security Endpoint Management API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    patch:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb patch">patch</span>&nbsp;<span class="operation-path">/s/{space_id}/api/endpoint/scripts_library/{script_id}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Update (full or partial) a script entry.
      operationId: EndpointScriptLibraryPatchUpdateScript
      parameters:
        - description: The ID of the script entry to be updated.
          example: fr518850-681a-4y60-aa98-e22640cae2b8
          in: path
          name: script_id
          required: true
          schema:
            description: The ID of the script entry to be updated.
            example: fr518850-681a-4y60-aa98-e22640cae2b8
            type: string
      requestBody:
        content:
          multipart/form-data:
            examples:
              PatchUpdateScriptEntry:
                summary: Update script entry instructions
                value:
                  instructions: ./collect_host_data.sh --help
              PatchUpdateScriptEntryFromArchiveToScript:
                summary: Update script entry from an archive to a script
                value:
                  fileType: script
              PatchUpdateScriptEntryToArchive:
                summary: Update script entry to be an archive
                value:
                  fileType: archive
                  pathToExecutable: ./bin/collect_host_data.sh
            schema:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_PatchUpdateScriptRouteRequestBody'
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                UpdateScriptEntrySuccess:
                  summary: Update script entry success
                  value:
                    data:
                      description: Collects host data for investigation
                      file: ./collect_host_data.sh
                      fileType: script
                      id: 1234567890
                      instructions: No arguments required
                      name: Collect host data
                      platform:
                        - linux
                        - macos
              schema:
                $ref: '#/components/schemas/Security_Endpoint_Management_API_ScriptsApiResponse'
          description: Script entry was successfully updated
      summary: Update script
      tags:
        - Security Endpoint Management API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/endpoint/scripts_library/{script_id}/download:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/endpoint/scripts_library/{script_id}/download</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Download a script file.
      operationId: EndpointScriptLibraryDownloadScript
      parameters:
        - description: The ID of the script entry.
          example: fr518850-681a-4y60-aa98-e22640cae2b8
          in: path
          name: script_id
          required: true
          schema:
            description: The ID of the script entry.
            example: fr518850-681a-4y60-aa98-e22640cae2b8
            type: string
      responses:
        '200':
          content:
            application/octet-stream:
              examples:
                response:
                  summary: Download script file response example.
                  value: null
              schema:
                description: A download stream is returned.
                format: binary
                type: string
          description: Download script file response.
      summary: Download a script file
      tags:
        - Security Endpoint Management API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/entity_analytics/monitoring/engine/delete:
    delete:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/entity_analytics/monitoring/engine/delete</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Deletes the Privilege Monitoring Engine and optionally removes all associated privileged user data.
      operationId: DeleteMonitoringEngine
      parameters:
        - description: Whether to delete all the privileged user data
          in: query
          name: data
          required: false
          schema:
            default: false
            type: boolean
      responses:
        '200':
          content:
            application/json:
              examples:
                DeleteMonitoringEngineResponse:
                  summary: Engine deleted successfully
                  value:
                    deleted: true
              schema:
                type: object
                properties:
                  deleted:
                    type: boolean
                required:
                  - deleted
          description: Successful response
      summary: Delete the Privilege Monitoring Engine
      tags:
        - Security Entity Analytics API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/entity_analytics/monitoring/engine/disable:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/entity_analytics/monitoring/engine/disable</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Disables the Privilege Monitoring Engine, stopping all monitoring activity without removing data.
      operationId: DisableMonitoringEngine
      responses:
        '200':
          content:
            application/json:
              examples:
                DisableMonitoringEngineResponse:
                  summary: Engine disabled successfully
                  value:
                    status: disabled
              schema:
                $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor'
          description: Successful response
      summary: Disable the Privilege Monitoring Engine
      tags:
        - Security Entity Analytics API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/entity_analytics/monitoring/engine/init:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/entity_analytics/monitoring/engine/init</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Initializes the Privilege Monitoring Engine, setting up the required resources and starting the engine.
      operationId: InitMonitoringEngine
      responses:
        '200':
          content:
            application/json:
              examples:
                InitMonitoringEngineResponse:
                  summary: Engine initialized successfully
                  value:
                    status: started
              schema:
                $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor'
          description: Successful response
        '500':
          content:
            application/json:
              examples:
                InitMonitoringEngineError:
                  summary: Internal server error during engine initialization
                  value:
                    error:
                      message: Failed to initialize monitoring engine
                    status: error
              schema:
                $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor'
          description: Internal Server Error
      summary: Initialize the Privilege Monitoring Engine
      tags:
        - Security Entity Analytics API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/entity_analytics/monitoring/engine/schedule_now:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/entity_analytics/monitoring/engine/schedule_now</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Schedules the Privilege Monitoring Engine to run as soon as possible, triggering an immediate monitoring cycle.
      operationId: ScheduleMonitoringEngine
      responses:
        '200':
          content:
            application/json:
              examples:
                ScheduleMonitoringEngineResponse:
                  summary: Engine scheduled successfully
                  value:
                    success: true
              schema:
                type: object
                properties:
                  success:
                    description: Indicates the scheduling was successful
                    type: boolean
          description: Successful response
        '409':
          content:
            application/json:
              examples:
                ScheduleMonitoringEngineConflict:
                  summary: Engine is already running
                  value:
                    message: Monitoring engine is already running
              schema:
                type: object
                properties:
                  message:
                    description: Error message indicating the engine is already running
                    type: string
          description: Conflict - Monitoring engine is already running
      summary: Schedule the Privilege Monitoring Engine
      tags:
        - Security Entity Analytics API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/entity_analytics/monitoring/privileges/health:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/entity_analytics/monitoring/privileges/health</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Returns the current health status of the Privilege Monitoring Engine, including engine status, error details, and user count statistics.
      operationId: PrivMonHealth
      responses:
        '200':
          content:
            application/json:
              examples:
                PrivMonHealthResponse:
                  summary: Healthy privilege monitoring engine
                  value:
                    status: started
                    users:
                      current_count: 42
                      max_allowed: 1000
              schema:
                type: object
                properties:
                  error:
                    type: object
                    properties:
                      message:
                        type: string
                    required:
                      - status
                  status:
                    $ref: '#/components/schemas/Security_Entity_Analytics_API_PrivilegeMonitoringEngineStatus'
                  users:
                    description: User statistics for privilege monitoring
                    type: object
                    properties:
                      current_count:
                        description: Current number of privileged users being monitored
                        type: integer
                      max_allowed:
                        description: Maximum number of privileged users allowed to be monitored
                        type: integer
                    required:
                      - current_count
                      - max_allowed
                required:
                  - status
          description: Successful response
      summary: Health check on Privilege Monitoring
      tags:
        - Security Entity Analytics API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/entity_analytics/monitoring/privileges/privileges:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/entity_analytics/monitoring/privileges/privileges</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Check if the current user has all required permissions for Privilege Monitoring.
      operationId: PrivMonPrivileges
      responses:
        '200':
          content:
            application/json:
              examples:
                PrivMonPrivilegesResponse:
                  summary: Privileges check response
                  value:
                    has_all_required: true
                    privileges:
                      elasticsearch:
                        index:
                          .entity_analytics.monitoring.user-default:
                            read: true
              schema:
                $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityAnalyticsPrivileges'
          description: Successful response
      summary: Run a privileges check on Privilege Monitoring
      tags:
        - Security Entity Analytics API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/entity_analytics/monitoring/users:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/entity_analytics/monitoring/users</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Creates a new privileged user to be monitored by the Privilege Monitoring Engine.
      operationId: CreatePrivMonUser
      requestBody:
        content:
          application/json:
            examples:
              CreatePrivMonUserRequest:
                summary: Create a monitored user
                value:
                  entity_analytics_monitoring:
                    labels:
                      - field: department
                        source: api
                        value: IT
                  user:
                    name: john.doe
            schema:
              $ref: '#/components/schemas/Security_Entity_Analytics_API_UserName'
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                CreatePrivMonUserResponse:
                  summary: Created monitored user
                  value:
                    '@timestamp': '2026-01-28T12:00:00.000Z'
                    entity_analytics_monitoring:
                      labels:
                        - field: department
                          source: api
                          value: IT
                    event:
                      ingested: '2026-01-28T12:00:00.000Z'
                    id: user-abc-123
                    user:
                      is_privileged: true
                      name: john.doe
              schema:
                $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc'
          description: User created successfully
      summary: Create a new monitored user
      tags:
        - Security Entity Analytics API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/entity_analytics/monitoring/users/_csv:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/entity_analytics/monitoring/users/_csv</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Bulk upserts privileged users by uploading a CSV file. Returns per-row errors and aggregate upload statistics.
      operationId: PrivmonBulkUploadUsersCSV
      requestBody:
        content:
          multipart/form-data:
            examples:
              PrivmonBulkUploadUsersCSVRequest:
                summary: CSV file with privileged users
                value:
                  file: |
                    username,is_privileged
                    john.doe,true
                    jane.smith,true
            schema:
              type: object
              properties:
                file:
                  description: The CSV file to upload.
                  format: binary
                  type: string
              required:
                - file
      responses:
        '200':
          content:
            application/json:
              examples:
                PrivmonBulkUploadUsersCSVResponse:
                  summary: Bulk upload response with mixed results
                  value:
                    errors:
                      - index: 1
                        message: Invalid monitored field
                        username: john.doe
                    stats:
                      failedOperations: 1
                      successfulOperations: 1
                      totalOperations: 2
                      uploaded: 2
              schema:
                type: object
                properties:
                  errors:
                    items:
                      $ref: '#/components/schemas/Security_Entity_Analytics_API_PrivmonUserCsvUploadErrorItem'
                    type: array
                  stats:
                    $ref: '#/components/schemas/Security_Entity_Analytics_API_PrivmonUserCsvUploadStats'
                required:
                  - errors
                  - stats
          description: Bulk upload successful
        '413':
          description: File too large
      summary: Upsert multiple monitored users via CSV upload
      tags:
        - Security Entity Analytics API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/entity_analytics/monitoring/users/{id}:
    delete:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/entity_analytics/monitoring/users/{id}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Removes a privileged user from monitoring by their document ID.
      operationId: DeletePrivMonUser
      parameters:
        - description: The document ID of the monitored user to delete
          in: path
          name: id
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                DeletePrivMonUserResponse:
                  summary: User deleted successfully
                  value:
                    acknowledged: true
                    message: User deleted successfully
              schema:
                type: object
                properties:
                  acknowledged:
                    description: Indicates if the deletion was successful
                    type: boolean
                  message:
                    description: A message providing additional information about the deletion status
                    type: string
                required:
                  - acknowledged
          description: User deleted successfully
      summary: Delete a monitored user
      tags:
        - Security Entity Analytics API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    put:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb put">put</span>&nbsp;<span class="operation-path">/s/{space_id}/api/entity_analytics/monitoring/users/{id}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Updates the details of an existing monitored privileged user by their document ID.
      operationId: UpdatePrivMonUser
      parameters:
        - description: The document ID of the monitored user to update
          in: path
          name: id
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            examples:
              UpdatePrivMonUserRequest:
                summary: Update a monitored user
                value:
                  entity_analytics_monitoring:
                    labels:
                      - field: department
                        source: api
                        value: Security
                  user:
                    is_privileged: true
                    name: john.doe
            schema:
              $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserUpdateDoc'
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                UpdatePrivMonUserResponse:
                  summary: Updated monitored user
                  value:
                    '@timestamp': '2026-01-28T12:00:00.000Z'
                    entity_analytics_monitoring:
                      labels:
                        - field: department
                          source: api
                          value: Security
                    event:
                      ingested: '2026-01-28T12:00:00.000Z'
                    id: user-abc-123
                    user:
                      is_privileged: true
                      name: john.doe
              schema:
                $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc'
          description: User updated successfully
      summary: Update a monitored user
      tags:
        - Security Entity Analytics API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/entity_analytics/monitoring/users/list:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/entity_analytics/monitoring/users/list</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Returns a list of all privileged users currently being monitored. Supports optional KQL filtering.
      operationId: ListPrivMonUsers
      parameters:
        - description: KQL query to filter the list of monitored users
          in: query
          name: kql
          required: false
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                ListPrivMonUsersResponse:
                  summary: List of monitored users
                  value:
                    - '@timestamp': '2026-01-28T12:00:00.000Z'
                      entity_analytics_monitoring:
                        labels:
                          - field: department
                            source: api
                            value: IT
                      event:
                        ingested: '2026-01-28T12:00:00.000Z'
                      id: user-abc-123
                      user:
                        is_privileged: true
                        name: john.doe
                    - '@timestamp': '2026-01-15T09:00:00.000Z'
                      entity_analytics_monitoring:
                        labels:
                          - field: department
                            source: csv
                            value: Security
                      event:
                        ingested: '2026-01-15T09:00:00.000Z'
                      id: user-def-456
                      user:
                        is_privileged: true
                        name: jane.smith
              schema:
                items:
                  $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc'
                type: array
          description: List of monitored users
      summary: List all monitored users
      tags:
        - Security Entity Analytics API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/entity_analytics/privileged_user_monitoring/pad/install:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/entity_analytics/privileged_user_monitoring/pad/install</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Installs the privileged access detection integration package and sets up the associated ML modules required for the Entity Analytics privileged user monitoring experience.
      operationId: InstallPrivilegedAccessDetectionPackage
      responses:
        '200':
          content:
            application/json:
              examples:
                InstallPrivilegedAccessDetectionPackageResponse:
                  summary: Package installed successfully
                  value:
                    message: Privileged access detection package installed successfully
              schema:
                type: object
                properties:
                  message:
                    type: string
                required:
                  - message
          description: Successful response
      summary: Install the privileged access detection package for the Entity Analytics privileged user monitoring experience
      tags:
        - Security Entity Analytics API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/entity_analytics/privileged_user_monitoring/pad/status:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/entity_analytics/privileged_user_monitoring/pad/status</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Returns the installation and ML module setup status of the privileged access detection package, along with the state of each associated ML job.
      operationId: GetPrivilegedAccessDetectionPackageStatus
      responses:
        '200':
          content:
            application/json:
              examples:
                GetPrivilegedAccessDetectionPackageStatusResponse:
                  summary: Package fully installed and running
                  value:
                    jobs:
                      - description: Detects high-risk login patterns
                        job_id: pad-high-risk-login
                        state: opened
                      - description: Detects privilege escalation events
                        job_id: pad-privilege-escalation
                        state: opened
                    ml_module_setup_status: complete
                    package_installation_status: complete
              schema:
                type: object
                properties:
                  jobs:
                    items:
                      type: object
                      properties:
                        description:
                          type: string
                        job_id:
                          type: string
                        state:
                          enum:
                            - closing
                            - closed
                            - opened
                            - failed
                            - opening
                          type: string
                      required:
                        - job_id
                        - state
                    type: array
                  ml_module_setup_status:
                    enum:
                      - complete
                      - incomplete
                    type: string
                  package_installation_status:
                    enum:
                      - complete
                      - incomplete
                    type: string
                required:
                  - package_installation_status
                  - ml_module_setup_status
                  - jobs
          description: Privileged access detection status retrieved
      summary: Get the status of the privileged access detection package for the Entity Analytics privileged user monitoring experience
      tags:
        - Security Entity Analytics API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/entity_analytics/watchlists:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/entity_analytics/watchlists</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Creates a new entity analytics watchlist with an optional set of entity sources. Watchlists apply a risk score modifier to matched entities.
      operationId: CreateWatchlist
      requestBody:
        content:
          application/json:
            examples:
              CreateWatchlistRequest:
                summary: Create watchlist request
                value:
                  description: High risk vendor watchlist
                  managed: false
                  name: High Risk Vendors
                  riskModifier: 1.5
              CreateWatchlistWithSourcesRequest:
                summary: Create watchlist with entity sources
                value:
                  description: High risk vendor watchlist
                  entitySources:
                    - enabled: true
                      identifierField: user.name
                      indexPattern: my-sync-index
                      name: My User Index Source
                      type: index
                  managed: false
                  name: High Risk Vendors
                  riskModifier: 1.5
            schema:
              type: object
              properties:
                description:
                  description: Description of the watchlist
                  type: string
                entitySources:
                  description: Optional entity sources to create and link to the watchlist
                  items:
                    additionalProperties: false
                    type: object
                    properties:
                      enabled:
                        type: boolean
                      filter:
                        $ref: '#/components/schemas/Security_Entity_Analytics_API_Filter'
                      identifierField:
                        description: Field used to query the entity store for index-type sources
                        type: string
                      indexPattern:
                        type: string
                      integrationName:
                        description: Required when type is entity_analytics_integration. One of entityanalytics_okta, entityanalytics_ad.
                        type: string
                      matchers:
                        items:
                          $ref: '#/components/schemas/Security_Entity_Analytics_API_Matcher'
                        type: array
                      name:
                        type: string
                      queryRule:
                        description: KQL query used to filter data from the provided index patterns
                        type: string
                      range:
                        $ref: '#/components/schemas/Security_Entity_Analytics_API_DateRange'
                      type:
                        $ref: '#/components/schemas/Security_Entity_Analytics_API_EntitySourceType'
                    required:
                      - type
                      - name
                  type: array
                managed:
                  description: Indicates if the watchlist is managed by the system
                  type: boolean
                name:
                  description: Unique name for the watchlist
                  type: string
                riskModifier:
                  description: Risk score modifier associated with the watchlist
                  maximum: 2
                  minimum: 0
                  type: number
              required:
                - name
                - riskModifier
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                CreateWatchlistResponse:
                  summary: Created watchlist
                  value:
                    createdAt: '2026-01-28T12:00:00.000Z'
                    description: High risk vendor watchlist
                    id: watchlist-123
                    managed: false
                    name: High Risk Vendors
                    riskModifier: 1.5
                    updatedAt: '2026-01-28T12:00:00.000Z'
              schema:
                allOf:
                  - $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistObject'
                  - type: object
                    properties:
                      entitySources:
                        items:
                          $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringEntitySource'
                        type: array
          description: Watchlist created successfully
      summary: Create a new watchlist
      tags:
        - Security Entity Analytics API
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/entity_analytics/watchlists/{id}:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/entity_analytics/watchlists/{id}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Retrieves the details of an entity analytics watchlist by its unique identifier.
      operationId: GetWatchlist
      parameters:
        - description: Unique ID of the watchlist
          in: path
          name: id
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                GetWatchlistResponse:
                  summary: Watchlist details
                  value:
                    createdAt: '2026-01-28T12:00:00.000Z'
                    description: High risk vendor watchlist
                    id: watchlist-123
                    managed: false
                    name: High Risk Vendors
                    riskModifier: 1.5
                    updatedAt: '2026-02-18T12:00:00.000Z'
              schema:
                $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistObject'
          description: Watchlist details
      summary: Get a watchlist by ID
      tags:
        - Security Entity Analytics API
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    put:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb put">put</span>&nbsp;<span class="operation-path">/s/{space_id}/api/entity_analytics/watchlists/{id}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Updates the name, description, risk modifier, or managed status of an existing entity analytics watchlist.
      operationId: UpdateWatchlist
      parameters:
        - description: The ID of the watchlist to update
          in: path
          name: id
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            examples:
              UpdateWatchlistRequest:
                summary: Update watchlist request
                value:
                  description: High risk vendor watchlist
                  managed: false
                  name: High Risk Vendors
                  riskModifier: 1.5
            schema:
              type: object
              properties:
                description:
                  description: Description of the watchlist
                  type: string
                managed:
                  description: Indicates if the watchlist is managed by the system
                  type: boolean
                name:
                  description: Unique name of the watchlist
                  type: string
                riskModifier:
                  description: Risk score modifier associated with the watchlist
                  maximum: 2
                  minimum: 0
                  type: number
              required:
                - name
                - riskModifier
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                UpdateWatchlistResponse:
                  summary: Updated watchlist
                  value:
                    createdAt: '2026-01-28T12:00:00.000Z'
                    description: High risk vendor watchlist
                    id: watchlist-123
                    managed: false
                    name: High Risk Vendors
                    riskModifier: 1.5
                    updatedAt: '2026-02-18T12:00:00.000Z'
              schema:
                $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistObject'
          description: Watchlist updated successfully
      summary: Update an existing watchlist
      tags:
        - Security Entity Analytics API
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/entity_analytics/watchlists/{watchlist_id}/csv_upload:
    post:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/entity_analytics/watchlists/{watchlist_id}/csv_upload</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Uploads a CSV file to add entities to a watchlist. The CSV must contain a header row
        with a "type" column (user, host, service, or generic) and one or more ECS identity
        fields (e.g. "user.name", "host.hostname") used to match entities in the entity store.

        Matched entities are added to the watchlist and their `entity.attributes.watchlists`
        field is updated in the entity store.

        Each row can match up to 10,000 entities.
      operationId: UploadWatchlistCsv
      parameters:
        - description: The ID of the watchlist to add entities to
          example: high-risk-vendors
          in: path
          name: watchlist_id
          required: true
          schema:
            type: string
      requestBody:
        content:
          multipart/form-data:
            examples:
              csvUpload:
                summary: CSV file with user entities
                value:
                  file: |
                    type,user.name
                    user,john.doe
                    user,jane.smith
            schema:
              type: object
              properties:
                file:
                  description: The CSV file to upload.
                  format: binary
                  type: string
              required:
                - file
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                CsvUploadResponse:
                  summary: CSV upload response with mixed results
                  value:
                    failed: 1
                    items:
                      - matchedEntities: 1
                        status: success
                      - error: Invalid entity type
                        matchedEntities: 0
                        status: failure
                      - matchedEntities: 0
                        status: unmatched
                    successful: 1
                    total: 3
                    unmatched: 1
              schema:
                type: object
                properties:
                  failed:
                    description: Number of rows that failed to process
                    example: 1
                    type: integer
                  items:
                    items:
                      $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistCsvUploadResponseItem'
                    type: array
                  successful:
                    description: Number of rows that matched at least one entity
                    example: 1
                    type: integer
                  total:
                    description: Total number of rows processed
                    example: 3
                    type: integer
                  unmatched:
                    description: Number of rows that matched no entities
                    example: 1
                    type: integer
                required:
                  - successful
                  - failed
                  - total
                  - unmatched
                  - items
          description: Upload successful
        '413':
          description: File too large
      summary: Upload a CSV file to add entities to a watchlist
      tags:
        - Security Entity Analytics API
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/entity_analytics/watchlists/{watchlist_id}/entities/assign:
    post:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/entity_analytics/watchlists/{watchlist_id}/entities/assign</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Assigns the provided entities to the specified watchlist using a "manual" source label.
        The entities must already exist in the entity store.

        If an entity is already on the watchlist, no new document is created — the "manual" label
        is added to its existing source labels instead.
      operationId: AssignWatchlistEntities
      parameters:
        - description: The ID of the watchlist to add entities to
          example: high-risk-vendors
          in: path
          name: watchlist_id
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            examples:
              assignEntities:
                summary: Assign two entities to a watchlist
                value:
                  euids:
                    - user:john.doe
                    - host:web-01
            schema:
              type: object
              properties:
                euids:
                  description: The EUIDs of the entities to assign
                  example:
                    - user:john.doe
                    - host:web-01
                  items:
                    type: string
                  type: array
              required:
                - euids
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                assignEntitiesResponse:
                  summary: Assignment of two entities, one successful and one not found
                  value:
                    failed: 0
                    items:
                      - euid: user:john.doe
                        status: success
                      - euid: host:web-01
                        status: not_found
                    not_found: 1
                    successful: 1
                    total: 2
              schema:
                type: object
                properties:
                  failed:
                    description: Number of entities that failed to process
                    example: 0
                    type: integer
                  items:
                    items:
                      $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistEntityAssignResponseItem'
                    type: array
                  not_found:
                    description: Number of entities not found in the entity store
                    example: 1
                    type: integer
                  successful:
                    description: Number of entities successfully assigned
                    example: 1
                    type: integer
                  total:
                    description: Total number of entities processed
                    example: 2
                    type: integer
                required:
                  - successful
                  - failed
                  - not_found
                  - total
                  - items
          description: Assignment successful
      summary: Manually assign entities to a watchlist
      tags:
        - Security Entity Analytics API
      x-state: Technical Preview; added in 9.4.0
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/entity_analytics/watchlists/{watchlist_id}/entities/unassign:
    post:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/entity_analytics/watchlists/{watchlist_id}/entities/unassign</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Unassigns the provided entities from the specified watchlist.
        This only removes the "manual" assignment. If the entity is also
        assigned via other sources (for example, index or integration), it will
        remain on the watchlist.
      operationId: UnassignWatchlistEntities
      parameters:
        - description: The ID of the watchlist to remove entities from
          example: high-risk-vendors
          in: path
          name: watchlist_id
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            examples:
              unassignEntities:
                summary: Unassign two entities from a watchlist
                value:
                  euids:
                    - user:john.doe
                    - host:web-01
            schema:
              type: object
              properties:
                euids:
                  description: The EUIDs of the entities to unassign
                  example:
                    - user:john.doe
                    - host:web-01
                  items:
                    type: string
                  type: array
              required:
                - euids
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                unassignEntitiesResponse:
                  summary: Unassignment of two entities, one successful and one not found
                  value:
                    failed: 0
                    items:
                      - euid: user:john.doe
                        status: success
                      - euid: host:web-01
                        status: not_found
                    not_found: 1
                    successful: 1
                    total: 2
              schema:
                type: object
                properties:
                  failed:
                    description: Number of entities that failed to process
                    example: 0
                    type: integer
                  items:
                    items:
                      $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistEntityUnassignResponseItem'
                    type: array
                  not_found:
                    description: Number of entities not found in the manual watchlist assignment
                    example: 1
                    type: integer
                  successful:
                    description: Number of entities successfully unassigned
                    example: 1
                    type: integer
                  total:
                    description: Total number of entities processed
                    example: 2
                    type: integer
                required:
                  - successful
                  - failed
                  - not_found
                  - total
                  - items
          description: Unassignment successful
      summary: Manually unassign entities from a watchlist
      tags:
        - Security Entity Analytics API
      x-state: Technical Preview; added in 9.4.0
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/entity_analytics/watchlists/list:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/entity_analytics/watchlists/list</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Returns a list of all entity analytics watchlists.
      operationId: ListWatchlists
      responses:
        '200':
          content:
            application/json:
              examples:
                ListWatchlistsResponse:
                  summary: List of watchlists
                  value:
                    - createdAt: '2026-01-28T12:00:00.000Z'
                      description: High risk vendor watchlist
                      id: watchlist-123
                      managed: false
                      name: High Risk Vendors
                      riskModifier: 1.5
                      updatedAt: '2026-02-18T12:00:00.000Z'
                    - createdAt: '2026-01-10T09:30:00.000Z'
                      description: Privileged user monitoring watchlist
                      id: watchlist-456
                      managed: true
                      name: Privileged Accounts
                      riskModifier: 2
                      updatedAt: '2026-02-01T15:45:00.000Z'
              schema:
                items:
                  $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistObject'
                type: array
          description: List of watchlists
      summary: List all watchlists
      tags:
        - Security Entity Analytics API
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/entity_store/enable:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/entity_store/enable</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Initialize the entire Entity Store, creating engines for all or specified entity types.
      operationId: InitEntityStore
      requestBody:
        content:
          application/json:
            schema:
              type: object
              properties:
                delay:
                  default: 1m
                  description: The delay before the transform will run.
                  pattern: '[smdh]$'
                  type: string
                docsPerSecond:
                  default: -1
                  description: The number of documents per second to process.
                  type: integer
                enrichPolicyExecutionInterval:
                  $ref: '#/components/schemas/Security_Entity_Analytics_API_Interval'
                entityTypes:
                  items:
                    $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType'
                  type: array
                fieldHistoryLength:
                  default: 10
                  description: The number of historical values to keep for each field.
                  type: integer
                filter:
                  type: string
                frequency:
                  default: 1m
                  description: The frequency at which the transform will run.
                  pattern: '[smdh]$'
                  type: string
                indexPattern:
                  $ref: '#/components/schemas/Security_Entity_Analytics_API_IndexPattern'
                lookbackPeriod:
                  default: 3h
                  description: The amount of time the transform looks back to calculate the aggregations.
                  pattern: '[smdh]$'
                  type: string
                maxPageSearchSize:
                  default: 500
                  description: The initial page size to use for the composite aggregation of each checkpoint.
                  type: integer
                timeout:
                  default: 180s
                  description: The timeout for initializing the aggregating transform.
                  pattern: '[smdh]$'
                  type: string
                timestampField:
                  default: '@timestamp'
                  description: The field to use as the timestamp.
                  type: string
        description: Configuration for the entity store initialization.
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                initEntityStoreExample:
                  description: The Entity Store was successfully initialized, creating host and user engines in the installing state.
                  summary: Entity Store initialized with host and user engines
                  value:
                    engines:
                      - delay: 1m
                        fieldHistoryLength: 10
                        frequency: 1m
                        indexPattern: ''
                        lookbackPeriod: 24h
                        status: installing
                        timeout: 180s
                        timestampField: '@timestamp'
                        type: host
                      - delay: 1m
                        fieldHistoryLength: 10
                        frequency: 1m
                        indexPattern: ''
                        lookbackPeriod: 24h
                        status: installing
                        timeout: 180s
                        timestampField: '@timestamp'
                        type: user
                    succeeded: true
              schema:
                type: object
                properties:
                  engines:
                    description: The engine descriptors created during initialization.
                    items:
                      $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor'
                    type: array
                  succeeded:
                    description: Whether the Entity Store was initialized successfully.
                    type: boolean
          description: Successful response
        '400':
          description: Invalid request
      summary: Initialize the Entity Store
      tags:
        - Security Entity Analytics API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/entity_store/engines:
    delete:
      operationId: DeleteEntityEngines
      parameters:
        - description: The entity type of the engine ('user', 'host', 'service', 'generic').
          examples:
            hostAndService:
              value: host,service
          in: query
          name: entityTypes
          required: false
          schema:
            description: Array of engine types to delete. Empty by default, which results in all the engines being deleted.
            items:
              $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType'
            type: array
        - description: Control flag to also delete the entity data.
          in: query
          name: delete_data
          required: false
          schema:
            type: boolean
      responses:
        '200':
          content:
            application/json:
              examples:
                deleteEntityEnginesExample:
                  description: Example response after deleting 'host' engine
                  value:
                    deleted:
                      - host
                    still_running:
                      - generic
                      - user
                      - service
              schema:
                type: object
                properties:
                  deleted:
                    description: Entity types whose engines were successfully deleted.
                    items:
                      $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType'
                    type: array
                  still_running:
                    description: Entity types whose engines are still running.
                    items:
                      $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType'
                    type: array
          description: Successful response
      summary: Delete Entity Engines
      tags:
        - Security Entity Analytics API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/entity_store/engines</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/entity_store/engines</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get a list of all installed entity engines and their current status.
      operationId: ListEntityEngines
      responses:
        '200':
          content:
            application/json:
              examples:
                listEntityEnginesExample:
                  description: Returns a list with one running host engine and one stopped user engine.
                  summary: Two engines installed
                  value:
                    count: 2
                    engines:
                      - delay: 1m
                        fieldHistoryLength: 10
                        frequency: 1m
                        indexPattern: ''
                        lookbackPeriod: 24h
                        status: started
                        timeout: 180s
                        timestampField: '@timestamp'
                        type: host
                      - delay: 1m
                        fieldHistoryLength: 10
                        frequency: 1m
                        indexPattern: ''
                        lookbackPeriod: 24h
                        status: stopped
                        timeout: 180s
                        timestampField: '@timestamp'
                        type: user
              schema:
                type: object
                properties:
                  count:
                    description: The total number of entity engines.
                    type: integer
                  engines:
                    description: An array of engine descriptors.
                    items:
                      $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor'
                    type: array
          description: Successful response
      summary: List the Entity Engines
      tags:
        - Security Entity Analytics API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/entity_store/engines/{entityType}:
    delete:
      operationId: DeleteEntityEngine
      parameters:
        - description: The entity type of the engine (either 'user' or 'host').
          examples:
            host:
              value: host
          in: path
          name: entityType
          required: true
          schema:
            $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType'
        - description: Control flag to also delete the entity data.
          in: query
          name: delete_data
          required: false
          schema:
            type: boolean
        - deprecated: true
          description: Control flag to also delete the entity data.
          in: query
          name: data
          required: false
          schema:
            type: boolean
      responses:
        '200':
          content:
            application/json:
              examples:
                deleteEntityEngineExample:
                  description: Example response after deleting 'host' engine
                  value:
                    deleted: true
              schema:
                type: object
                properties:
                  deleted:
                    description: Whether the engine was successfully deleted.
                    type: boolean
          description: Successful response
      summary: Delete the Entity Engine
      tags:
        - Security Entity Analytics API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/entity_store/engines/{entityType}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/entity_store/engines/{entityType}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get the engine descriptor for a specific entity type, including its configuration and current status.
      operationId: GetEntityEngine
      parameters:
        - description: The entity type of the engine.
          example: host
          in: path
          name: entityType
          required: true
          schema:
            $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType'
      responses:
        '200':
          content:
            application/json:
              examples:
                getEntityEngineExample:
                  description: Returns the engine descriptor for a host engine that is currently running with default settings.
                  summary: A running host engine
                  value:
                    delay: 1m
                    fieldHistoryLength: 10
                    frequency: 1m
                    indexPattern: ''
                    lookbackPeriod: 24h
                    status: started
                    timeout: 180s
                    timestampField: '@timestamp'
                    type: host
              schema:
                $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor'
          description: Successful response
      summary: Get an Entity Engine
      tags:
        - Security Entity Analytics API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/entity_store/engines/{entityType}/init:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/entity_store/engines/{entityType}/init</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Initialize a single entity engine for the specified entity type.
      operationId: InitEntityEngine
      parameters:
        - description: The entity type of the engine.
          in: path
          name: entityType
          required: true
          schema:
            $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType'
      requestBody:
        content:
          application/json:
            schema:
              type: object
              properties:
                delay:
                  default: 1m
                  description: The delay before the transform will run.
                  pattern: '[smdh]$'
                  type: string
                docsPerSecond:
                  default: -1
                  description: The number of documents per second to process.
                  type: integer
                enrichPolicyExecutionInterval:
                  $ref: '#/components/schemas/Security_Entity_Analytics_API_Interval'
                fieldHistoryLength:
                  default: 10
                  description: The number of historical values to keep for each field.
                  type: integer
                filter:
                  type: string
                frequency:
                  default: 1m
                  description: The frequency at which the transform will run.
                  pattern: '[smdh]$'
                  type: string
                indexPattern:
                  $ref: '#/components/schemas/Security_Entity_Analytics_API_IndexPattern'
                lookbackPeriod:
                  default: 3h
                  description: The amount of time the transform looks back to calculate the aggregations.
                  pattern: '[smdh]$'
                  type: string
                maxPageSearchSize:
                  default: 500
                  description: The initial page size to use for the composite aggregation of each checkpoint.
                  type: integer
                timeout:
                  default: 180s
                  description: The timeout for initializing the aggregating transform.
                  pattern: '[smdh]$'
                  type: string
                timestampField:
                  default: '@timestamp'
                  description: The field to use as the timestamp for the entity type.
                  type: string
        description: Schema for the engine initialization
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                initEntityEngineExample:
                  description: A host engine was successfully initialized and is now in the installing state.
                  summary: Host engine initialized
                  value:
                    delay: 1m
                    fieldHistoryLength: 10
                    frequency: 1m
                    indexPattern: ''
                    lookbackPeriod: 3h
                    status: installing
                    timeout: 180s
                    timestampField: '@timestamp'
                    type: host
              schema:
                $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor'
          description: Successful response
        '400':
          description: Invalid request
      summary: Initialize an Entity Engine
      tags:
        - Security Entity Analytics API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/entity_store/engines/{entityType}/start:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/entity_store/engines/{entityType}/start</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Start a previously stopped entity engine, resuming transform processing for the given entity type.
      operationId: StartEntityEngine
      parameters:
        - description: The entity type of the engine to start.
          example: host
          in: path
          name: entityType
          required: true
          schema:
            $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType'
      responses:
        '200':
          content:
            application/json:
              examples:
                startEntityEngineExample:
                  description: The engine was successfully started and is now processing data.
                  summary: Engine started successfully
                  value:
                    started: true
              schema:
                type: object
                properties:
                  started:
                    description: Whether the engine was successfully started.
                    type: boolean
          description: Successful response
      summary: Start an Entity Engine
      tags:
        - Security Entity Analytics API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/entity_store/engines/{entityType}/stop:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/entity_store/engines/{entityType}/stop</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Stop a running entity engine, pausing transform processing for the given entity type.
      operationId: StopEntityEngine
      parameters:
        - description: The entity type of the engine to stop.
          example: host
          in: path
          name: entityType
          required: true
          schema:
            $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType'
      responses:
        '200':
          content:
            application/json:
              examples:
                stopEntityEngineExample:
                  description: The engine was successfully stopped and is no longer processing data.
                  summary: Engine stopped successfully
                  value:
                    stopped: true
              schema:
                type: object
                properties:
                  stopped:
                    description: Whether the engine was successfully stopped.
                    type: boolean
          description: Successful response
      summary: Stop an Entity Engine
      tags:
        - Security Entity Analytics API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/entity_store/engines/apply_dataview_indices:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/entity_store/engines/apply_dataview_indices</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Synchronize data view index patterns to all running entity engines so that newly added indices are picked up by the transforms.
      operationId: ApplyEntityEngineDataviewIndices
      responses:
        '200':
          content:
            application/json:
              examples:
                applyDataviewIndicesExample:
                  description: All running engines were successfully updated with the current data view index patterns.
                  summary: All engines updated
                  value:
                    result:
                      - changes:
                          indexPatterns:
                            - logs-*
                            - filebeat-*
                            - auditbeat-*
                        type: host
                      - changes:
                          indexPatterns:
                            - logs-*
                            - filebeat-*
                            - auditbeat-*
                        type: user
                    success: true
              schema:
                type: object
                properties:
                  result:
                    description: Per-engine update results.
                    items:
                      $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDataviewUpdateResult'
                    type: array
                  success:
                    description: Whether all engines updated successfully.
                    type: boolean
          description: Successful response
        '207':
          content:
            application/json:
              examples:
                partialSuccessExample:
                  description: The host engine was updated but the user engine failed due to insufficient privileges.
                  summary: One engine failed
                  value:
                    errors:
                      - 'Failed to update user engine: insufficient privileges'
                    result:
                      - changes:
                          indexPatterns:
                            - logs-*
                            - filebeat-*
                        type: host
                    success: false
              schema:
                type: object
                properties:
                  errors:
                    description: Error messages for engines that failed to update.
                    items:
                      type: string
                    type: array
                  result:
                    description: Per-engine update results for engines that succeeded.
                    items:
                      $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDataviewUpdateResult'
                    type: array
                  success:
                    description: Always `false` for a partial success.
                    type: boolean
          description: Partially successful response
        '500':
          content:
            application/json:
              examples:
                serverErrorExample:
                  description: An unexpected error occurred while applying data view indices.
                  summary: Internal server error
                  value:
                    body: An internal error occurred while updating engine indices
                    statusCode: 500
              schema:
                type: object
                properties:
                  body:
                    description: Error message.
                    type: string
                  statusCode:
                    description: HTTP status code.
                    type: number
          description: Error response
      summary: Apply DataView indices to all installed engines
      tags:
        - Security Entity Analytics API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/entity_store/entities/{entityType}:
    delete:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/entity_store/entities/{entityType}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Delete a single entity in Entity Store.
        The entity will be immediately deleted from the latest index. It will remain available in historical snapshots if it has been snapshotted. The delete operation does not prevent the entity from being recreated if it is observed again in the future.
      operationId: DeleteSingleEntity
      parameters:
        - example: user
          in: path
          name: entityType
          required: true
          schema:
            $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType'
      requestBody:
        content:
          application/json:
            schema:
              type: object
              properties:
                id:
                  description: Identifier of the entity to be deleted, commonly the `entity.id` value.
                  example: arn:aws:iam::123456789012:user/jane.doe
                  type: string
              required:
                - id
        description: Schema for deleting an entity
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                deleteEntityExample:
                  description: The entity was found and successfully removed from the latest index.
                  summary: Entity deleted
                  value:
                    deleted: true
              schema:
                type: object
                properties:
                  deleted:
                    description: Whether the entity was successfully deleted.
                    type: boolean
          description: Successful response. Entity deleted.
        '404':
          description: Entity Not Found. No entity with this ID and Type exists.
        '503':
          description: Operation on an uninitialized engine or in a cluster without the CRUD API enabled
      summary: Delete an entity in Entity Store
      tags:
        - Security Entity Analytics API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    put:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb put">put</span>&nbsp;<span class="operation-path">/s/{space_id}/api/entity_store/entities/{entityType}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Update or create an entity in Entity Store.
        If the specified entity already exists, it is updated with the provided values. If the entity does not exist, a new one is created. By default, only the following fields can be updated:

        * `entity.attributes.*`
        * `entity.lifecycle.*`
        * `entity.behavior.*`

        To update other fields, set the `force` query parameter to `true`.

        > info
        > Some fields always retain the first observed value. Updates to these fields will not appear in the final index.
        > Due to technical limitations, not all updates are guaranteed to appear in the final list of observed values.
        > Due to technical limitations, create is an async operation. The time for a document to be present in the final index depends on the entity store transform and usually takes more than 1 minute.
      operationId: UpsertEntity
      parameters:
        - example: user
          in: path
          name: entityType
          required: true
          schema:
            $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType'
        - description: When true, allows updating protected fields.
          in: query
          name: force
          required: false
          schema:
            default: false
            type: boolean
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/Security_Entity_Analytics_API_Entity'
        description: Schema for updating a single entity
        required: true
      responses:
        '200':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Security_Entity_Analytics_API_Entity'
          description: Entity updated or created
        '403':
          description: Operation on a restricted field
        '409':
          description: Conflict. The entity was updated while another update was happening in Elasticsearch
        '503':
          description: Operation on an uninitialized engine or in a cluster without the CRUD API enabled
      summary: Upsert an entity in Entity Store
      tags:
        - Security Entity Analytics API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/entity_store/entities/bulk:
    put:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb put">put</span>&nbsp;<span class="operation-path">/s/{space_id}/api/entity_store/entities/bulk</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Update or create many entities in Entity Store.
        If the specified entity already exists, it is updated with the provided values. If the entity does not exist, a new one is created.
        The creation is asynchronous. The time for a document to be present in the final index depends on the entity store transform and usually takes more than 1 minute.
      operationId: UpsertEntitiesBulk
      parameters:
        - description: When true, allows updating protected fields.
          in: query
          name: force
          required: false
          schema:
            default: false
            type: boolean
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/Security_Entity_Analytics_API_EntitiesContainer'
        description: Schema for updating many entities
        required: true
      responses:
        '200':
          description: Entities updated or created
        '403':
          description: Operation on a restricted field
        '503':
          description: Operation on an uninitialized engine or in a cluster without the CRUD API enabled
      summary: Upsert many entities in Entity Store
      tags:
        - Security Entity Analytics API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/entity_store/entities/list:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/entity_store/entities/list</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        List entity records, with paging, sorting, and filtering as needed.
      operationId: ListEntities
      parameters:
        - description: Field to sort results by.
          example: entity.name
          in: query
          name: sort_field
          required: false
          schema:
            type: string
        - description: Sort order.
          in: query
          name: sort_order
          required: false
          schema:
            enum:
              - asc
              - desc
            type: string
        - description: Page number to return (1-indexed).
          example: 1
          in: query
          name: page
          required: false
          schema:
            minimum: 1
            type: integer
        - description: Number of entities per page.
          example: 10
          in: query
          name: per_page
          required: false
          schema:
            maximum: 10000
            minimum: 1
            type: integer
        - description: An ES query to filter by.
          in: query
          name: filterQuery
          required: false
          schema:
            type: string
        - description: Entity types to include in the results.
          in: query
          name: entity_types
          required: true
          schema:
            items:
              $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType'
            type: array
      responses:
        '200':
          content:
            application/json:
              schema:
                type: object
                properties:
                  inspect:
                    $ref: '#/components/schemas/Security_Entity_Analytics_API_InspectQuery'
                  page:
                    description: Current page number.
                    minimum: 1
                    type: integer
                  per_page:
                    description: Number of entities per page.
                    maximum: 1000
                    minimum: 1
                    type: integer
                  records:
                    description: The entity records for this page.
                    items:
                      $ref: '#/components/schemas/Security_Entity_Analytics_API_Entity'
                    type: array
                  total:
                    description: Total number of entities matching the query.
                    minimum: 0
                    type: integer
                required:
                  - records
                  - page
                  - per_page
                  - total
          description: Entities returned successfully
      summary: List Entity Store Entities
      tags:
        - Security Entity Analytics API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/entity_store/status:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/entity_store/status</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get the overall Entity Store status and per-engine statuses, optionally including component-level health details.
      operationId: GetEntityStoreStatus
      parameters:
        - description: If true, returns a detailed status of each engine including all its components.
          example: true
          in: query
          name: include_components
          schema:
            type: boolean
      responses:
        '200':
          content:
            application/json:
              examples:
                entityStoreRunning:
                  description: The Entity Store is running with both host and user engines started and using default settings.
                  summary: Entity Store running with two engines
                  value:
                    engines:
                      - delay: 1m
                        fieldHistoryLength: 10
                        frequency: 1m
                        indexPattern: ''
                        lookbackPeriod: 24h
                        status: started
                        timeout: 180s
                        timestampField: '@timestamp'
                        type: host
                      - delay: 1m
                        fieldHistoryLength: 10
                        frequency: 1m
                        indexPattern: ''
                        lookbackPeriod: 24h
                        status: started
                        timeout: 180s
                        timestampField: '@timestamp'
                        type: user
                    status: running
              schema:
                type: object
                properties:
                  engines:
                    description: Per-engine status information.
                    items:
                      allOf:
                        - $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor'
                        - type: object
                          properties:
                            components:
                              description: Detailed component-level status. Only included when include_components is true.
                              items:
                                $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineComponentStatus'
                              type: array
                    type: array
                  status:
                    $ref: '#/components/schemas/Security_Entity_Analytics_API_StoreStatus'
                    description: The overall status of the Entity Store.
                required:
                  - status
                  - engines
          description: Successful response
      summary: Get the status of the Entity Store
      tags:
        - Security Entity Analytics API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/exception_lists:
    delete:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/exception_lists</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Delete an exception list using the `id` or `list_id` field.
      operationId: DeleteExceptionList
      parameters:
        - description: Exception list's identifier. Either `id` or `list_id` must be specified.
          in: query
          name: id
          required: false
          schema:
            $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId'
        - description: Human-readable exception list string identifier, e.g. `trusted-linux-processes`. Either `id` or `list_id` must be specified.
          examples:
            autogeneratedId:
              value: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2
            list_id:
              value: simple_list
          in: query
          name: list_id
          required: false
          schema:
            $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId'
        - description: |
            `single` deletes the list in the current Kibana space; `agnostic` deletes a global list. Must match the
            list you are removing when using `list_id` or `id`.
          examples:
            agnostic:
              value: agnostic
            single:
              value: single
          in: query
          name: namespace_type
          required: false
          schema:
            $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
            default: single
      responses:
        '200':
          content:
            application/json:
              examples:
                detectionExceptionList:
                  value:
                    _version: WzIsMV0=
                    created_at: '2025-01-07T19:34:27.942Z'
                    created_by: elastic
                    description: This is a sample detection type exception list.
                    id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85
                    immutable: false
                    list_id: simple_list
                    name: Sample Detection Exception List
                    namespace_type: single
                    os_types:
                      - linux
                    tags:
                      - malware
                    tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3
                    type: detection
                    updated_at: '2025-01-07T19:34:27.942Z'
                    updated_by: elastic
                    version: 1
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList'
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                badRequest:
                  value:
                    error: Bad Request
                    message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob'''
                    statusCode: 400
              schema:
                oneOf:
                  - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
                  - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
          description: Invalid input data response
        '401':
          content:
            application/json:
              examples:
                unauthorized:
                  value:
                    error: Unauthorized
                    message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
          description: Unsuccessful authentication response
        '403':
          content:
            application/json:
              examples:
                forbidden:
                  value:
                    error: Forbidden
                    message: API [DELETE /api/exception_lists?list_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]
                    statusCode: 403
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
          description: Not enough privileges response
        '404':
          content:
            application/json:
              examples:
                notFound:
                  value:
                    message: 'exception list list_id: "foo" does not exist'
                    status_code: 404
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
          description: Exception list not found response
        '500':
          content:
            application/json:
              examples:
                serverError:
                  value:
                    message: Internal Server Error
                    status_code: 500
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
          description: Internal server error response
      summary: Delete an exception list
      tags:
        - Security Exceptions API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/exception_lists</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get the details of an exception list using the `id` or `list_id` field.
      operationId: ReadExceptionList
      parameters:
        - description: Exception list's identifier. Either `id` or `list_id` must be specified.
          in: query
          name: id
          required: false
          schema:
            $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId'
        - description: Human-readable exception list string identifier, e.g. `trusted-linux-processes`. Either `id` or `list_id` must be specified.
          in: query
          name: list_id
          required: false
          schema:
            $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId'
        - description: |
            When `single`, the list is resolved in the current Kibana space. When `agnostic`, the list is a global
            (space-agnostic) container. Required for looking up the correct list when `list_id` is not unique.
          examples:
            agnostic:
              value: agnostic
            single:
              value: single
          in: query
          name: namespace_type
          required: false
          schema:
            $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
            default: single
      responses:
        '200':
          content:
            application/json:
              examples:
                detectionType:
                  value:
                    _version: WzIsMV0=
                    created_at: '2025-01-07T19:34:27.942Z'
                    created_by: elastic
                    description: This is a sample detection type exception list.
                    id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85
                    immutable: false
                    list_id: simple_list
                    name: Sample Detection Exception List
                    namespace_type: single
                    os_types:
                      - linux
                    tags:
                      - malware
                    tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3
                    type: detection
                    updated_at: '2025-01-07T19:34:27.942Z'
                    updated_by: elastic
                    version: 1
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList'
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                badRequest:
                  value:
                    error: Bad Request
                    message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob'''
                    statusCode: 400
              schema:
                oneOf:
                  - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
                  - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
          description: Invalid input data response
        '401':
          content:
            application/json:
              examples:
                unauthorized:
                  value:
                    error: Unauthorized
                    message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
          description: Unsuccessful authentication response
        '403':
          content:
            application/json:
              examples:
                forbidden:
                  value:
                    error: Forbidden
                    message: API [GET /api/exception_lists?list_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]
                    statusCode: 403
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
          description: Not enough privileges response
        '404':
          content:
            application/json:
              examples:
                notFound:
                  value:
                    message: 'exception list id: "foo" does not exist'
                    status_code: 404
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
          description: Exception list not found response
        '500':
          content:
            application/json:
              examples:
                serverError:
                  value:
                    message: Internal Server Error
                    status_code: 500
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
          description: Internal server error response
      summary: Get exception list details
      tags:
        - Security Exceptions API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    post:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/exception_lists</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        An exception list groups exception items and can be associated with detection rules. You can assign exception lists to multiple detection rules.
        > info
        > All exception items added to the same list are evaluated using `OR` logic. That is, if any of the items in a list evaluate to `true`, the exception prevents the rule from generating an alert. Likewise, `OR` logic is used for evaluating exceptions when more than one exception list is assigned to a rule. To use the `AND` operator, you can define multiple clauses (`entries`) in a single exception item.
      operationId: CreateExceptionList
      requestBody:
        content:
          application/json:
            examples:
              createDetection:
                value:
                  description: This is a sample detection type exception list.
                  list_id: simple_list
                  name: Sample Detection Exception List
                  namespace_type: single
                  os_types:
                    - linux
                  tags:
                    - malware
                  type: detection
            schema:
              example:
                description: This is a sample detection type exception list.
                list_id: simple_list
                name: Sample Detection Exception List
                namespace_type: single
                os_types:
                  - linux
                tags:
                  - malware
                type: detection
              type: object
              properties:
                description:
                  $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription'
                list_id:
                  $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId'
                meta:
                  $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListMeta'
                name:
                  $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName'
                namespace_type:
                  $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
                  default: single
                os_types:
                  $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray'
                tags:
                  $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListTags'
                  default: []
                type:
                  $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListType'
                version:
                  $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListVersion'
                  default: 1
              required:
                - name
                - description
                - type
        description: Exception list's properties
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                autogeneratedListId:
                  value:
                    _version: WzMsMV0=
                    created_at: '2025-01-09T01:05:23.019Z'
                    created_by: elastic
                    description: This is a sample detection type exception with an autogenerated list_id.
                    id: 28243c2f-624a-4443-823d-c0b894880931
                    immutable: false
                    list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783
                    name: Sample Detection Exception List
                    namespace_type: single
                    os_types: []
                    tags:
                      - malware
                    tie_breaker_id: ad94de31-39f7-4ad7-b8e4-988bfa95f338
                    type: detection
                    updated_at: '2025-01-09T01:05:23.020Z'
                    updated_by: elastic
                    version: 1
                namespaceAgnostic:
                  value:
                    _version: WzUsMV0=
                    created_at: '2025-01-09T01:10:36.369Z'
                    created_by: elastic
                    description: This is a sample agnostic endpoint type exception.
                    id: 1a744e77-22ca-4b6b-9085-54f55275ebe5
                    immutable: false
                    list_id: b935eb55-7b21-4c1c-b235-faa1df23b3d6
                    name: Sample Agnostic Endpoint Exception List
                    namespace_type: agnostic
                    os_types:
                      - linux
                    tags:
                      - malware
                    tie_breaker_id: 49ea0adc-a2b8-4d83-a8f3-2fb98301dea3
                    type: endpoint
                    updated_at: '2025-01-09T01:10:36.369Z'
                    updated_by: elastic
                    version: 1
                typeDetection:
                  value:
                    _version: WzIsMV0=
                    created_at: '2025-01-07T19:34:27.942Z'
                    created_by: elastic
                    description: This is a sample detection type exception list.
                    id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85
                    immutable: false
                    list_id: simple_list
                    name: Sample Detection Exception List
                    namespace_type: single
                    os_types:
                      - linux
                    tags:
                      - malware
                    tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3
                    type: detection
                    updated_at: '2025-01-07T19:34:27.942Z'
                    updated_by: elastic
                    version: 1
                typeEndpoint:
                  value:
                    _version: WzQsMV0=
                    created_at: '2025-01-09T01:07:49.658Z'
                    created_by: elastic
                    description: This is a sample endpoint type exception list.
                    id: a79f4730-6e32-4278-abfc-349c0add7d54
                    immutable: false
                    list_id: endpoint_list
                    name: Sample Endpoint Exception List
                    namespace_type: single
                    os_types:
                      - linux
                    tags:
                      - malware
                    tie_breaker_id: 94a028af-8f47-427a-aca5-ffaf829e64ee
                    type: endpoint
                    updated_at: '2025-01-09T01:07:49.658Z'
                    updated_by: elastic
                    version: 1
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList'
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                badRequest:
                  value:
                    error: Bad Request
                    message: '[request body]: list_id: Expected string, received number'
                    statusCode: 400
              schema:
                oneOf:
                  - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
                  - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
          description: Invalid input data response
        '401':
          content:
            application/json:
              examples:
                unauthorized:
                  value:
                    error: Unauthorized
                    message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]"
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
          description: Unsuccessful authentication response
        '403':
          content:
            application/json:
              examples:
                forbidden:
                  value:
                    error: Forbidden
                    message: API [POST /api/exception_lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]
                    statusCode: 403
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
          description: Not enough privileges response
        '409':
          content:
            application/json:
              examples:
                alreadyExists:
                  value:
                    message: 'exception list id: "simple_list" already exists'
                    status_code: 409
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
          description: Exception list already exists response
        '500':
          content:
            application/json:
              examples:
                serverError:
                  value:
                    message: Internal Server Error
                    status_code: 500
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
          description: Internal server error response
      summary: Create an exception list
      tags:
        - Security Exceptions API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    put:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb put">put</span>&nbsp;<span class="operation-path">/s/{space_id}/api/exception_lists</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Update an exception list using the `id` or `list_id` field.
      operationId: UpdateExceptionList
      requestBody:
        content:
          application/json:
            examples:
              fullReplace:
                value:
                  description: Different description
                  list_id: simple_list
                  name: Updated exception list name
                  os_types:
                    - linux
                  tags:
                    - draft
                    - malware
                  type: detection
            schema:
              example:
                description: Different description
                list_id: simple_list
                name: Updated exception list name
                os_types:
                  - linux
                tags:
                  - draft malware
                type: detection
              type: object
              properties:
                _version:
                  description: The version id, normally returned by the API when the item was retrieved. Use it to ensure updates are done against the latest version.
                  type: string
                description:
                  $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription'
                id:
                  $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId'
                list_id:
                  $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId'
                meta:
                  $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListMeta'
                name:
                  $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName'
                namespace_type:
                  $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
                  default: single
                os_types:
                  $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray'
                  default: []
                tags:
                  $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListTags'
                type:
                  $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListType'
                version:
                  $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListVersion'
              required:
                - name
                - description
                - type
        description: Exception list's properties
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                simpleList:
                  value:
                    _version: WzExLDFd
                    created_at: '2025-01-07T20:43:55.264Z'
                    created_by: elastic
                    description: Different description
                    id: fa7f545f-191b-4d32-b1f0-c7cd62a79e55
                    immutable: false
                    list_id: simple_list
                    name: Updated exception list name
                    namespace_type: single
                    os_types: []
                    tags:
                      - draft malware
                    tie_breaker_id: 319fe983-acdd-4806-b6c4-3098eae9392f
                    type: detection
                    updated_at: '2025-01-07T21:32:03.726Z'
                    updated_by: elastic
                    version: 2
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList'
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                badRequest:
                  value:
                    error: Bad Request
                    message: '[request body]: list_id: Expected string, received number'
                    statusCode: 400
              schema:
                oneOf:
                  - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
                  - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
          description: Invalid input data response
        '401':
          content:
            application/json:
              examples:
                unauthorized:
                  value:
                    error: Unauthorized
                    message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
          description: Unsuccessful authentication response
        '403':
          content:
            application/json:
              examples:
                forbidden:
                  value:
                    error: Forbidden
                    message: API [PUT /api/exception_lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]
                    statusCode: 403
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
          description: Not enough privileges response
        '404':
          content:
            application/json:
              examples:
                notFound:
                  value:
                    message: 'exception list id: "foo" does not exist'
                    status_code: 404
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
          description: Exception list not found response
        '500':
          content:
            application/json:
              examples:
                serverError:
                  value:
                    message: Internal Server Error
                    status_code: 500
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
          description: Internal server error response
      summary: Update an exception list
      tags:
        - Security Exceptions API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/exception_lists/_duplicate:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/exception_lists/_duplicate</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Duplicate an existing exception list.
      operationId: DuplicateExceptionList
      parameters:
        - description: The `list_id` of the existing exception list to copy (source list).
          in: query
          name: list_id
          required: true
          schema:
            $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId'
        - description: Scope in which the source list is defined (`single` = current space, `agnostic` = all spaces).
          examples:
            agnostic:
              value: agnostic
            single:
              value: single
          in: query
          name: namespace_type
          required: true
          schema:
            $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
        - description: Determines whether to include expired exceptions in the duplicated list. The expiration date is defined by `expire_time`.
          in: query
          name: include_expired_exceptions
          required: true
          schema:
            default: 'true'
            enum:
              - 'true'
              - 'false'
            example: 'true'
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                detectionExceptionList:
                  value:
                    _version: WzExNDY1LDFd
                    created_at: '2025-01-09T16:19:50.280Z'
                    created_by: elastic
                    description: This is a sample detection type exception
                    id: b2f4a715-6ab1-444c-8b1e-3fa1b1049429
                    immutable: false
                    list_id: d6390d60-bce3-4a48-9002-52db600f329c
                    name: Sample Detection Exception List [Duplicate]
                    namespace_type: single
                    os_types: []
                    tags:
                      - malware
                    tie_breaker_id: 6fa670bd-666d-4c9c-9f1e-d1dbc516e985
                    type: detection
                    updated_at: '2025-01-09T16:19:50.280Z'
                    updated_by: elastic
                    version: 1
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList'
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                badRequest:
                  value:
                    error: Bad Request
                    message: '[request query]: namespace_type: Invalid enum value. Expected ''agnostic'' | ''single'', received ''foo'''
                    statusCode: 400
              schema:
                oneOf:
                  - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
                  - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
          description: Invalid input data response
        '401':
          content:
            application/json:
              examples:
                unauthorized:
                  value:
                    error: Unauthorized
                    message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
          description: Unsuccessful authentication response
        '403':
          content:
            application/json:
              examples:
                forbidden:
                  value:
                    error: Forbidden
                    message: API [POST /api/exception_lists/_duplicate] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]
                    statusCode: 403
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
          description: Not enough privileges response
        '404':
          content:
            application/json:
              examples:
                notFound:
                  value:
                    message: 'exception list id: "foo" does not exist'
                    status_code: 404
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
          description: Exception list not found
        '405':
          content:
            application/json:
              examples:
                notAllowed:
                  value:
                    message: 'Cannot duplicate: list is immutable or the operation is not allowed in this state'
                    status_code: 405
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
          description: Exception list to duplicate not found response
        '500':
          content:
            application/json:
              examples:
                serverError:
                  value:
                    message: Internal Server Error
                    status_code: 500
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
          description: Internal server error response
      summary: Duplicate an exception list
      tags:
        - Security Exceptions API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/exception_lists/_export:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/exception_lists/_export</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Export an exception list and its associated items to an NDJSON file.
      operationId: ExportExceptionList
      parameters:
        - description: Exception list's internal `id` (UUID) returned on create; use with `list_id` and `namespace_type` for an unambiguous target.
          in: query
          name: id
          required: true
          schema:
            $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId'
        - description: Human-readable `list_id` of the exception list to export, as shown in the UI and API responses.
          in: query
          name: list_id
          required: true
          schema:
            $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId'
        - description: |
            `single` exports a list in the current Kibana space; `agnostic` exports a global (space-agnostic) list.
          examples:
            agnostic:
              value: agnostic
            single:
              value: single
          in: query
          name: namespace_type
          required: true
          schema:
            $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
        - description: Determines whether to include expired exceptions in the exported list. The expiration date is defined by `expire_time`.
          example: 'true'
          in: query
          name: include_expired_exceptions
          required: true
          schema:
            default: 'true'
            enum:
              - 'true'
              - 'false'
            type: string
      responses:
        '200':
          content:
            application/ndjson:
              examples:
                exportSavedObjectsResponse:
                  value: |
                    {"_version":"WzExNDU5LDFd","created_at":"2025-01-09T16:18:17.757Z","created_by":"elastic","description":"This is a sample detection type exception","id":"c86c2da0-2ab6-4343-b81c-216ef27e8d75","immutable":false,"list_id":"simple_list","name":"Sample Detection Exception List","namespace_type":"single","os_types":[],"tags":["user added string for a tag","malware"],"tie_breaker_id":"cf4a7b92-732d-47f0-a0d5-49a35a1736bf","type":"detection","updated_at":"2025-01-09T16:18:17.757Z","updated_by":"elastic","version":1}
                    {"_version":"WzExNDYxLDFd","comments":[],"created_at":"2025-01-09T16:18:42.308Z","created_by":"elastic","description":"This is a sample endpoint type exception","entries":[{"type":"exists","field":"actingProcess.file.signer","operator":"excluded"},{"type":"match_any","field":"host.name","value":["some host","another host"],"operator":"included"}],"id":"f37597ce-eaa7-4b64-9100-4301118f6806","item_id":"simple_list_item","list_id":"simple_list","name":"Sample Endpoint Exception List","namespace_type":"single","os_types":["linux"],"tags":["user added string for a tag","malware"],"tie_breaker_id":"4ca3ef3e-9721-42c0-8107-cf47e094d40f","type":"simple","updated_at":"2025-01-09T16:18:42.308Z","updated_by":"elastic"}
                    {"exported_exception_list_count":1,"exported_exception_list_item_count":1,"missing_exception_list_item_count":0,"missing_exception_list_items":[],"missing_exception_lists":[],"missing_exception_lists_count":0}
              schema:
                description: A `.ndjson` file containing the specified exception list and its items
                format: binary
                type: string
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                badRequest:
                  value:
                    error: Bad Request
                    message: '[request query]: list_id: Required, namespace_type: Required'
                    statusCode: 400
              schema:
                oneOf:
                  - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
                  - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
          description: Invalid input data response
        '401':
          content:
            application/json:
              examples:
                unauthorized:
                  value:
                    error: Unauthorized
                    message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
          description: Unsuccessful authentication response
        '403':
          content:
            application/json:
              examples:
                forbidden:
                  value:
                    error: Forbidden
                    message: API [POST /api/exception_lists/_export] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]
                    statusCode: 403
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
          description: Not enough privileges response
        '404':
          content:
            application/json:
              examples:
                notFound:
                  value:
                    message: 'exception list id: "foo" does not exist'
                    status_code: 404
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
          description: Exception list not found response
        '500':
          content:
            application/json:
              examples:
                serverError:
                  value:
                    message: Internal Server Error
                    status_code: 500
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
          description: Internal server error response
      summary: Export an exception list
      tags:
        - Security Exceptions API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/exception_lists/_find:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/exception_lists/_find</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get a list of all exception list containers.
      operationId: FindExceptionLists
      parameters:
        - description: |
            Filters the returned results according to the value of the specified field.

            Uses the `so type.field name:field` value syntax, where `so type` can be:

            - `exception-list`: Specify a space-aware exception list.
            - `exception-list-agnostic`: Specify an exception list that is shared across spaces.
          in: query
          name: filter
          required: false
          schema:
            $ref: '#/components/schemas/Security_Exceptions_API_FindExceptionListsFilter'
        - description: |
            Determines whether the returned containers are associated with a Kibana space
            or available in all spaces (`agnostic` or `single`).
          examples:
            agnostic:
              value: agnostic
            single:
              value: single
          in: query
          name: namespace_type
          required: false
          schema:
            default:
              - single
            items:
              $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
            type: array
        - description: The page number to return
          in: query
          name: page
          required: false
          schema:
            example: 1
            minimum: 1
            type: integer
        - description: The number of exception lists to return per page
          in: query
          name: per_page
          required: false
          schema:
            example: 20
            minimum: 1
            type: integer
        - description: Determines which field is used to sort the results.
          in: query
          name: sort_field
          required: false
          schema:
            example: name
            type: string
        - description: Determines the sort order, which can be `desc` or `asc`.
          in: query
          name: sort_order
          required: false
          schema:
            enum:
              - desc
              - asc
            example: desc
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                simpleLists:
                  value:
                    data:
                      - _version: WzIsMV0=
                        created_at: '2025-01-07T19:34:27.942Z'
                        created_by: elastic
                        description: This is a sample detection type exception list.
                        id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85
                        immutable: false
                        list_id: simple_list
                        name: Detection Exception List
                        namespace_type: single
                        os_types: []
                        tags:
                          - malware
                        tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3
                        type: detection
                        updated_at: '2025-01-07T19:34:27.942Z'
                        updated_by: elastic
                        version: 1
                    page: 1
                    per_page: 20
                    total: 1
              schema:
                type: object
                properties:
                  data:
                    items:
                      $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList'
                    type: array
                  page:
                    minimum: 1
                    type: integer
                  per_page:
                    minimum: 1
                    type: integer
                  total:
                    minimum: 0
                    type: integer
                required:
                  - data
                  - page
                  - per_page
                  - total
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                badRequest:
                  value:
                    error: Bad Request
                    message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob'''
                    statusCode: 400
              schema:
                oneOf:
                  - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
                  - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
          description: Invalid input data response
        '401':
          content:
            application/json:
              examples:
                unauthorized:
                  value:
                    error: Unauthorized
                    message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
          description: Unsuccessful authentication response
        '403':
          content:
            application/json:
              examples:
                forbidden:
                  value:
                    error: Forbidden
                    message: API [GET /api/exception_lists/_find?namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]
                    statusCode: 403
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
          description: Not enough privileges response
        '500':
          content:
            application/json:
              examples:
                serverError:
                  value:
                    message: Internal Server Error
                    status_code: 500
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
          description: Internal server error response
      summary: Get exception lists
      tags:
        - Security Exceptions API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/exception_lists/_import:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/exception_lists/_import</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Import an exception list and its associated items from an NDJSON file.
      operationId: ImportExceptionList
      parameters:
        - description: |
            Determines whether existing exception lists with the same `list_id` are overwritten.
            If any exception items have the same `item_id`, those are also overwritten.
          in: query
          name: overwrite
          required: false
          schema:
            default: false
            example: false
            type: boolean
        - description: |
            Determines whether the list being imported will have a new `list_id` generated.
            Additional `item_id`s are generated for each exception item. Both the exception
            list and its items are overwritten.
          in: query
          name: as_new_list
          required: false
          schema:
            default: false
            example: false
            type: boolean
      requestBody:
        content:
          multipart/form-data:
            examples:
              ndjsonUpload:
                value:
                  file: exception_lists.ndjson
            schema:
              type: object
              properties:
                file:
                  description: A `.ndjson` file containing the exception list
                  example: |
                    {"_version":"WzExNDU5LDFd","created_at":"2025-01-09T16:18:17.757Z","created_by":"elastic","description":"This is a sample detection type exception","id":"c86c2da0-2ab6-4343-b81c-216ef27e8d75","immutable":false,"list_id":"simple_list","name":"Sample Detection Exception List","namespace_type":"single","os_types":[],"tags":["user added string for a tag","malware"],"tie_breaker_id":"cf4a7b92-732d-47f0-a0d5-49a35a1736bf","type":"detection","updated_at":"2025-01-09T16:18:17.757Z","updated_by":"elastic","version":1}
                    {"_version":"WzExNDYxLDFd","comments":[],"created_at":"2025-01-09T16:18:42.308Z","created_by":"elastic","description":"This is a sample endpoint type exception","entries":[{"type":"exists","field":"actingProcess.file.signer","operator":"excluded"},{"type":"match_any","field":"host.name","value":["some host","another host"],"operator":"included"}],"id":"f37597ce-eaa7-4b64-9100-4301118f6806","item_id":"simple_list_item","list_id":"simple_list","name":"Sample Endpoint Exception List","namespace_type":"single","os_types":["linux"],"tags":["user added string for a tag","malware"],"tie_breaker_id":"4ca3ef3e-9721-42c0-8107-cf47e094d40f","type":"simple","updated_at":"2025-01-09T16:18:42.308Z","updated_by":"elastic"}
                  format: binary
                  type: string
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                withErrors:
                  value:
                    errors:
                      - error:
                          message: 'Error found importing exception list: Invalid value "4" supplied to "list_id"'
                          status_code: 400
                        list_id: (unknown list_id)
                      - error:
                          message: 'Found that item_id: "f7fd00bb-dba8-4c93-9d59-6cbd427b6330" already exists. Import of item_id: "f7fd00bb-dba8-4c93-9d59-6cbd427b6330" skipped.'
                          status_code: 409
                        item_id: f7fd00bb-dba8-4c93-9d59-6cbd427b6330
                        list_id: 7d7cccb8-db72-4667-b1f3-648efad7c1ee
                    success: false
                    success_count: 0
                    success_count_exception_list_items: 0
                    success_count_exception_lists: 0
                    success_exception_list_items: false
                    success_exception_lists: false
                withoutErrors:
                  value:
                    errors: []
                    success: true
                    success_count: 2
                    success_count_exception_list_items: 1
                    success_count_exception_lists: 1
                    success_exception_list_items: true
                    success_exception_lists: true
              schema:
                type: object
                properties:
                  errors:
                    $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkErrorArray'
                  success:
                    type: boolean
                  success_count:
                    minimum: 0
                    type: integer
                  success_count_exception_list_items:
                    minimum: 0
                    type: integer
                  success_count_exception_lists:
                    minimum: 0
                    type: integer
                  success_exception_list_items:
                    type: boolean
                  success_exception_lists:
                    type: boolean
                required:
                  - errors
                  - success
                  - success_count
                  - success_exception_lists
                  - success_count_exception_lists
                  - success_exception_list_items
                  - success_count_exception_list_items
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                badRequest:
                  value:
                    error: Bad Request
                    message: Multipart part `file` is required and must contain a valid .ndjson exception list export
                    statusCode: 400
              schema:
                oneOf:
                  - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
                  - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
          description: Invalid input data response
        '401':
          content:
            application/json:
              examples:
                unauthorized:
                  value:
                    error: Unauthorized
                    message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
          description: Unsuccessful authentication response
        '403':
          content:
            application/json:
              examples:
                forbidden:
                  value:
                    error: Forbidden
                    message: API [POST /api/exception_lists/_import] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]
                    statusCode: 403
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
          description: Not enough privileges response
        '500':
          content:
            application/json:
              examples:
                serverError:
                  value:
                    message: Internal Server Error
                    status_code: 500
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
          description: Internal server error response
      summary: Import an exception list
      tags:
        - Security Exceptions API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/exception_lists/items:
    delete:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/exception_lists/items</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Delete an exception list item using the `id` or `item_id` field.
      operationId: DeleteExceptionListItem
      parameters:
        - description: Exception item's identifier. Either `id` or `item_id` must be specified.
          in: query
          name: id
          required: false
          schema:
            $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId'
        - description: Human-readable exception item string identifier, e.g. `trusted-linux-processes`. Either `id` or `item_id` must be specified.
          in: query
          name: item_id
          required: false
          schema:
            $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId'
        - description: |
            `single` deletes the item in the current Kibana space; `agnostic` deletes an item in a space-agnostic list. Must match the list that owns the item.
          examples:
            agnostic:
              value: agnostic
            single:
              value: single
          in: query
          name: namespace_type
          required: false
          schema:
            $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
            default: single
      responses:
        '200':
          content:
            application/json:
              examples:
                simpleExceptionItem:
                  value:
                    _version: WzQsMV0=
                    comments: []
                    created_at: '2025-01-07T20:07:33.119Z'
                    created_by: elastic
                    description: This is a sample detection type exception item.
                    entries:
                      - field: actingProcess.file.signer
                        operator: excluded
                        type: exists
                      - field: host.name
                        operator: included
                        type: match_any
                        value:
                          - saturn
                          - jupiter
                    id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2
                    item_id: simple_list_item
                    list_id: simple_list
                    name: Sample Exception List Item
                    namespace_type: single
                    os_types:
                      - linux
                    tags:
                      - malware
                    tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c
                    type: simple
                    updated_at: '2025-01-07T20:07:33.119Z'
                    updated_by: elastic
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem'
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                badRequest:
                  value:
                    error: Bad Request
                    message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob'''
                    statusCode: 400
              schema:
                oneOf:
                  - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
                  - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
          description: Invalid input data response
        '401':
          content:
            application/json:
              examples:
                unauthorized:
                  value:
                    error: Unauthorized
                    message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
          description: Unsuccessful authentication response
        '403':
          content:
            application/json:
              examples:
                forbidden:
                  value:
                    error: Forbidden
                    message: API [DELETE /api/exception_lists/items?item_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]
                    statusCode: 403
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
          description: Not enough privileges response
        '404':
          content:
            application/json:
              examples:
                notFound:
                  value:
                    message: 'exception list item item_id: "foo" does not exist'
                    status_code: 404
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
          description: Exception list item not found response
        '500':
          content:
            application/json:
              examples:
                serverError:
                  value:
                    message: Internal Server Error
                    status_code: 500
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
          description: Internal server error response
      summary: Delete an exception list item
      tags:
        - Security Exceptions API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/exception_lists/items</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get the details of an exception list item using the `id` or `item_id` field.
      operationId: ReadExceptionListItem
      parameters:
        - description: Exception list item's identifier. Either `id` or `item_id` must be specified.
          in: query
          name: id
          required: false
          schema:
            $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId'
        - description: Human-readable exception item string identifier, e.g. `trusted-linux-processes`. Either `id` or `item_id` must be specified.
          in: query
          name: item_id
          required: false
          schema:
            $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId'
        - description: |
            `single` fetches the item in the current space; `agnostic` fetches a global (space-agnostic) item. Must
            match how the list was created.
          examples:
            agnostic:
              value: agnostic
            single:
              value: single
          in: query
          name: namespace_type
          required: false
          schema:
            $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
            default: single
      responses:
        '200':
          content:
            application/json:
              examples:
                simpleListItem:
                  value:
                    _version: WzQsMV0=
                    comments: []
                    created_at: '2025-01-07T20:07:33.119Z'
                    created_by: elastic
                    description: This is a sample detection type exception item.
                    entries:
                      - field: actingProcess.file.signer
                        operator: excluded
                        type: exists
                      - field: host.name
                        operator: included
                        type: match_any
                        value:
                          - saturn
                          - jupiter
                    id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2
                    item_id: simple_list_item
                    list_id: simple_list
                    name: Sample Exception List Item
                    namespace_type: single
                    os_types:
                      - linux
                    tags:
                      - malware
                    tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c
                    type: simple
                    updated_at: '2025-01-07T20:07:33.119Z'
                    updated_by: elastic
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem'
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                badRequest:
                  value:
                    error: Bad Request
                    message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob'''
                    statusCode: 400
              schema:
                oneOf:
                  - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
                  - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
          description: Invalid input data response
        '401':
          content:
            application/json:
              examples:
                unauthorized:
                  value:
                    error: Unauthorized
                    message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
          description: Unsuccessful authentication response
        '403':
          content:
            application/json:
              examples:
                forbidden:
                  value:
                    error: Forbidden
                    message: API [GET /api/exception_lists/items?item_id=&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]
                    statusCode: 403
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
          description: Not enough privileges response
        '404':
          content:
            application/json:
              examples:
                notFound:
                  value:
                    message: 'exception list item item_id: "foo" does not exist'
                    status_code: 404
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
          description: Exception list item not found response
        '500':
          content:
            application/json:
              examples:
                serverError:
                  value:
                    message: Internal Server Error
                    status_code: 500
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
          description: Internal server error response
      summary: Get an exception list item
      tags:
        - Security Exceptions API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    post:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/exception_lists/items</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Create an exception item and associate it with the specified exception list.
        > info
        > Before creating exception items, you must create an exception list.
      operationId: CreateExceptionListItem
      requestBody:
        content:
          application/json:
            examples:
              simpleItem:
                value:
                  description: This is a sample detection type exception item.
                  entries:
                    - field: actingProcess.file.signer
                      operator: excluded
                      type: exists
                  item_id: simple_list_item
                  list_id: simple_list
                  name: Sample Exception List Item
                  namespace_type: single
                  os_types:
                    - linux
                  tags:
                    - malware
                  type: simple
            schema:
              oneOf:
                - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemGeneric'
                - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemEndpointList'
                - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsWindows'
                - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsMac'
                - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsLinux'
                - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindows'
                - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesMac'
                - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindowsMac'
                - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemEventFilters'
                - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemHostIsolation'
                - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistWindows'
                - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistLinux'
                - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistMac'
        description: Exception list item's properties
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                autogeneratedItemId:
                  value:
                    _version: WzYsMV0=
                    comments: []
                    created_at: '2025-01-09T01:16:23.322Z'
                    created_by: elastic
                    description: This is a sample exception that has no item_id so it is autogenerated.
                    entries:
                      - field: actingProcess.file.signer
                        operator: excluded
                        type: exists
                    id: 323faa75-c657-4fa0-9084-8827612c207b
                    item_id: 80e6edf7-4b13-4414-858f-2fa74aa52b37
                    list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783
                    name: Sample Autogenerated Exception List Item ID
                    namespace_type: single
                    os_types: []
                    tags:
                      - malware
                    tie_breaker_id: d6799986-3a23-4213-bc6d-ed9463a32f23
                    type: simple
                    updated_at: '2025-01-09T01:16:23.322Z'
                    updated_by: elastic
                detectionExceptionListItem:
                  value:
                    _version: WzQsMV0=
                    comments: []
                    created_at: '2025-01-07T20:07:33.119Z'
                    created_by: elastic
                    description: This is a sample detection type exception item.
                    entries:
                      - field: actingProcess.file.signer
                        operator: excluded
                        type: exists
                    id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2
                    item_id: simple_list_item
                    list_id: simple_list
                    name: Sample Exception List Item
                    namespace_type: single
                    os_types:
                      - linux
                    tags:
                      - malware
                    tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c
                    type: simple
                    updated_at: '2025-01-07T20:07:33.119Z'
                    updated_by: elastic
                withExistEntry:
                  value:
                    _version: WzQsMV0=
                    comments: []
                    created_at: '2025-01-07T20:07:33.119Z'
                    created_by: elastic
                    description: This is a sample detection type exception item.
                    entries:
                      - field: actingProcess.file.signer
                        operator: excluded
                        type: exists
                    id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2
                    item_id: simple_list_item
                    list_id: simple_list
                    name: Sample Exception List Item
                    namespace_type: single
                    os_types:
                      - linux
                    tags:
                      - malware
                    tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c
                    type: simple
                    updated_at: '2025-01-07T20:07:33.119Z'
                    updated_by: elastic
                withMatchAnyEntry:
                  value:
                    _version: WzQsMV0=
                    comments: []
                    created_at: '2025-01-07T20:07:33.119Z'
                    created_by: elastic
                    description: This is a sample detection type exception item.
                    entries:
                      - field: host.name
                        operator: included
                        type: match_any
                        value:
                          - saturn
                          - jupiter
                    id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2
                    item_id: simple_list_item
                    list_id: simple_list
                    name: Sample Exception List Item
                    namespace_type: single
                    os_types:
                      - linux
                    tags:
                      - malware
                    tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c
                    type: simple
                    updated_at: '2025-01-07T20:07:33.119Z'
                    updated_by: elastic
                withMatchEntry:
                  value:
                    _version: WzQsMV0=
                    comments: []
                    created_at: '2025-01-07T20:07:33.119Z'
                    created_by: elastic
                    description: This is a sample detection type exception item.
                    entries:
                      - field: actingProcess.file.signer
                        operator: included
                        type: match
                        value: Elastic N.V.
                    id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2
                    item_id: simple_list_item
                    list_id: simple_list
                    name: Sample Exception List Item
                    namespace_type: single
                    os_types:
                      - linux
                    tags:
                      - malware
                    tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c
                    type: simple
                    updated_at: '2025-01-07T20:07:33.119Z'
                    updated_by: elastic
                withNestedEntry:
                  value:
                    _version: WzQsMV0=
                    comments: []
                    created_at: '2025-01-07T20:07:33.119Z'
                    created_by: elastic
                    description: This is a sample detection type exception item.
                    entries:
                      - entries:
                          - field: signer
                            operator: included
                            type: match
                            value: Evil
                          - field: trusted
                            operator: included
                            type: match
                            value: true
                        field: file.signature
                        type: nested
                    id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2
                    item_id: simple_list_item
                    list_id: simple_list
                    name: Sample Exception List Item
                    namespace_type: single
                    os_types:
                      - linux
                    tags:
                      - malware
                    tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c
                    type: simple
                    updated_at: '2025-01-07T20:07:33.119Z'
                    updated_by: elastic
                withValueListEntry:
                  value:
                    _version: WzcsMV0=
                    comments: []
                    created_at: '2025-01-09T01:31:12.614Z'
                    created_by: elastic
                    description: Don't signal when agent.name is rock01 and source.ip is in the goodguys.txt list
                    entries:
                      - field: source.ip
                        list:
                          id: goodguys.txt
                          type: ip
                        operator: excluded
                        type: list
                    id: deb26876-297d-4677-8a1f-35467d2f1c4f
                    item_id: 686b129e-9b8d-4c59-8d8d-c93a9ea82c71
                    list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783
                    name: Filter out good guys ip and agent.name rock01
                    namespace_type: single
                    os_types: []
                    tags:
                      - malware
                    tie_breaker_id: 5e0288ce-6657-4c18-9dcc-00ec9e8cc6c8
                    type: simple
                    updated_at: '2025-01-09T01:31:12.614Z'
                    updated_by: elastic
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem'
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                badRequest:
                  value:
                    error: Bad Request
                    message: '[request body]: list_id: Expected string, received number'
                    statusCode: 400
              schema:
                oneOf:
                  - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
                  - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
          description: Invalid input data response
        '401':
          content:
            application/json:
              examples:
                unauthorized:
                  value:
                    error: Unauthorized
                    message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
          description: Unsuccessful authentication response
        '403':
          content:
            application/json:
              examples:
                forbidden:
                  value:
                    error: Forbidden
                    message: API [POST /api/exception_lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]
                    statusCode: 403
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
          description: Not enough privileges response
        '409':
          content:
            application/json:
              examples:
                alreadyExists:
                  value:
                    message: 'exception list item id: "simple_list_item" already exists'
                    status_code: 409
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
          description: Exception list item already exists response
        '500':
          content:
            application/json:
              examples:
                serverError:
                  value:
                    message: Internal Server Error
                    status_code: 500
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
          description: Internal server error response
      summary: Create an exception list item
      tags:
        - Security Exceptions API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    put:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb put">put</span>&nbsp;<span class="operation-path">/s/{space_id}/api/exception_lists/items</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Update an exception list item using the `id` or `item_id` field.
      operationId: UpdateExceptionListItem
      requestBody:
        content:
          application/json:
            examples:
              updateItem:
                value:
                  description: Updated description
                  id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2
                  name: Updated name
                  namespace_type: single
                  type: simple
            schema:
              oneOf:
                - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemGeneric'
                - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemEndpointList'
                - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsWindows'
                - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsMac'
                - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsLinux'
                - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindows'
                - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesMac'
                - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindowsMac'
                - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemEventFilters'
                - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemHostIsolation'
                - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistWindows'
                - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistLinux'
                - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistMac'
        description: Exception list item's properties
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                simpleListItem:
                  value:
                    _version: WzEyLDFd
                    comments: []
                    created_at: '2025-01-07T21:12:25.512Z'
                    created_by: elastic
                    description: Updated description
                    entries:
                      - field: host.name
                        operator: included
                        type: match
                        value: rock01
                    id: 459c5e7e-f8b2-4f0b-b136-c1fc702f72da
                    item_id: simple_list_item
                    list_id: simple_list
                    name: Updated name
                    namespace_type: single
                    os_types: []
                    tags: []
                    tie_breaker_id: ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0
                    type: simple
                    updated_at: '2025-01-07T21:34:50.233Z'
                    updated_by: elastic
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem'
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                badRequest:
                  value:
                    error: Bad Request
                    message: '[request body]: item_id: Expected string, received number'
                    statusCode: 400
              schema:
                oneOf:
                  - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
                  - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
          description: Invalid input data response
        '401':
          content:
            application/json:
              examples:
                unauthorized:
                  value:
                    error: Unauthorized
                    message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
          description: Unsuccessful authentication response
        '403':
          content:
            application/json:
              examples:
                forbidden:
                  value:
                    error: Forbidden
                    message: API [PUT /api/exception_lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]
                    statusCode: 403
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
          description: Not enough privileges response
        '404':
          content:
            application/json:
              examples:
                notFound:
                  value:
                    message: 'exception list item item_id: "foo" does not exist'
                    status_code: 404
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
          description: Exception list item not found response
        '500':
          content:
            application/json:
              examples:
                serverError:
                  value:
                    message: Internal Server Error
                    status_code: 500
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
          description: Internal server error response
      summary: Update an exception list item
      tags:
        - Security Exceptions API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/exception_lists/items/_find:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/exception_lists/items/_find</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get a list of all exception list items in the specified list.
      operationId: FindExceptionListItems
      parameters:
        - description: The `list_id`s of the items to fetch.
          in: query
          name: list_id
          required: true
          schema:
            items:
              $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId'
            type: array
        - description: |
            Filters the returned results according to the value of the specified field,
            using the `<field name>:<field value>` syntax.
          examples:
            singleFilter:
              value:
                - exception-list.attributes.name:%My%20item
          in: query
          name: filter
          required: false
          schema:
            default: []
            items:
              $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
            type: array
        - description: |
            Determines whether the returned containers are associated with a single Kibana space
            or available in all spaces (`single` or `agnostic`).
          examples:
            single:
              value:
                - single
          in: query
          name: namespace_type
          required: false
          schema:
            default:
              - single
            items:
              $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
            type: array
        - description: |
            Free-text search term applied to exception list item fields (for example a hostname or file path fragment).
          in: query
          name: search
          required: false
          schema:
            example: host.name
            type: string
        - description: The page number to return
          in: query
          name: page
          required: false
          schema:
            example: 1
            minimum: 0
            type: integer
        - description: The number of exception list items to return per page
          in: query
          name: per_page
          required: false
          schema:
            example: 20
            minimum: 0
            type: integer
        - description: Determines which field is used to sort the results.
          example: name
          in: query
          name: sort_field
          required: false
          schema:
            $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
        - description: Determines the sort order, which can be `desc` or `asc`.
          in: query
          name: sort_order
          required: false
          schema:
            enum:
              - desc
              - asc
            example: desc
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                simpleListItems:
                  value:
                    data:
                      - _version: WzgsMV0=
                        comments: []
                        created_at: '2025-01-07T21:12:25.512Z'
                        created_by: elastic
                        description: This is a sample exception item.
                        entries:
                          - field: actingProcess.file.signer
                            operator: excluded
                            type: exists
                          - field: host.name
                            operator: included
                            type: match_any
                            value:
                              - jupiter
                              - saturn
                        id: 459c5e7e-f8b2-4f0b-b136-c1fc702f72da
                        item_id: simple_list_item
                        list_id: simple_list
                        name: Sample Exception List Item
                        namespace_type: single
                        os_types:
                          - linux
                        tags:
                          - malware
                        tie_breaker_id: ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0
                        type: simple
                        updated_at: '2025-01-07T21:12:25.512Z'
                        updated_by: elastic
                    page: 1
                    per_page: 20
                    total: 1
              schema:
                type: object
                properties:
                  data:
                    items:
                      $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem'
                    type: array
                  page:
                    minimum: 1
                    type: integer
                  per_page:
                    minimum: 1
                    type: integer
                  pit:
                    type: string
                  total:
                    minimum: 0
                    type: integer
                required:
                  - data
                  - page
                  - per_page
                  - total
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                badRequest:
                  value:
                    error: Bad Request
                    message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob'''
                    statusCode: 400
              schema:
                oneOf:
                  - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
                  - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
          description: Invalid input data response
        '401':
          content:
            application/json:
              examples:
                unauthorized:
                  value:
                    error: Unauthorized
                    message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
          description: Unsuccessful authentication response
        '403':
          content:
            application/json:
              examples:
                forbidden:
                  value:
                    error: Forbidden
                    message: API [GET /api/exception_lists/items/_find?list_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]
                    statusCode: 403
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
          description: Not enough privileges response
        '404':
          content:
            application/json:
              examples:
                notFound:
                  value:
                    message: 'exception list list_id: "foo" does not exist'
                    status_code: 404
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
          description: Exception list not found response
        '500':
          content:
            application/json:
              examples:
                serverError:
                  value:
                    message: Internal Server Error
                    status_code: 500
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
          description: Internal server error response
      summary: Get exception list items
      tags:
        - Security Exceptions API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/exception_lists/summary:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/exception_lists/summary</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get a summary of the specified exception list.
      operationId: ReadExceptionListSummary
      parameters:
        - description: Exception list's identifier generated upon creation.
          in: query
          name: id
          required: false
          schema:
            $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId'
        - description: Exception list's human readable identifier.
          in: query
          name: list_id
          required: false
          schema:
            $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId'
        - description: |
            `single` returns the summary for a list in the current space; `agnostic` returns it for a space-agnostic list. Must
            match the `id` / `list_id` used to look up the list.
          examples:
            agnostic:
              value: agnostic
            single:
              value: single
          in: query
          name: namespace_type
          required: false
          schema:
            $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
            default: single
        - description: Search filter clause
          in: query
          name: filter
          required: false
          schema:
            example: exception-list-agnostic.attributes.tags:"policy:policy-1" OR exception-list-agnostic.attributes.tags:"policy:all"
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                summary:
                  value:
                    linux: 0
                    macos: 0
                    total: 0
                    windows: 0
              schema:
                type: object
                properties:
                  linux:
                    minimum: 0
                    type: integer
                  macos:
                    minimum: 0
                    type: integer
                  total:
                    minimum: 0
                    type: integer
                  windows:
                    minimum: 0
                    type: integer
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                badRequest:
                  value:
                    error: Bad Request
                    message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob'''
                    statusCode: 400
              schema:
                oneOf:
                  - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
                  - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
          description: Invalid input data response
        '401':
          content:
            application/json:
              examples:
                unauthorized:
                  value:
                    error: Unauthorized
                    message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
          description: Unsuccessful authentication response
        '403':
          content:
            application/json:
              examples:
                forbidden:
                  value:
                    error: Forbidden
                    message: API [GET /api/exception_lists/summary?list_id=simple_list&namespace_type=agnostic] is unauthorized for user, this action is granted by the Kibana privileges [lists-summary]
                    statusCode: 403
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
          description: Not enough privileges response
        '404':
          content:
            application/json:
              examples:
                notFound:
                  value:
                    message: 'exception list id: "foo" does not exist'
                    status_code: 404
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
          description: Exception list not found response
        '500':
          content:
            application/json:
              examples:
                serverError:
                  value:
                    message: Internal Server Error
                    status_code: 500
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
          description: Internal server error response
      summary: Get an exception list summary
      tags:
        - Security Exceptions API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/exceptions/shared:
    post:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/exceptions/shared</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        An exception list groups exception items and can be associated with detection rules. A shared exception list can apply to multiple detection rules.
        > info
        > All exception items added to the same list are evaluated using `OR` logic. That is, if any of the items in a list evaluate to `true`, the exception prevents the rule from generating an alert. Likewise, `OR` logic is used for evaluating exceptions when more than one exception list is assigned to a rule. To use the `AND` operator, you can define multiple clauses (`entries`) in a single exception item.
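
        The evaluation order described in the note above, as an added example (not Kibana's implementation and not part of the original API description): entries within one item are combined with `AND`, while items and lists are combined with `OR`. The first item reuses the sample exception item shown elsewhere in this specification; the second item, the events, and all function names are constructed for illustration, and only the `exists`, `match` and `match_any` entry types are modeled.

        ```javascript
        // Simplified model of exception evaluation (assumption: exact, case-sensitive
        // comparison on single-valued fields; not Kibana's own matching code).

        // Resolve a dotted field name such as "host.name" against a nested event.
        function getField(event, path) {
          return path.split('.').reduce(
            (obj, key) => (obj !== null && typeof obj === 'object' ? obj[key] : undefined),
            event
          );
        }

        // Evaluate a single entry (clause) of an exception item.
        function entryMatches(entry, event) {
          const actual = getField(event, entry.field);
          let hit;
          switch (entry.type) {
            case 'exists':
              hit = actual !== undefined && actual !== null;
              break;
            case 'match':
              hit = actual === entry.value;
              break;
            case 'match_any':
              hit = Array.isArray(entry.value) && entry.value.includes(actual);
              break;
            default:
              throw new Error(`entry type not modeled: ${entry.type}`);
          }
          // operator "excluded" negates the clause, "included" keeps it as is.
          return entry.operator === 'excluded' ? !hit : hit;
        }

        // AND across the entries of one item. An item without entries matches
        // nothing here (assumption), so an empty item cannot suppress every alert.
        function itemMatches(item, event) {
          return item.entries.length > 0 && item.entries.every((e) => entryMatches(e, event));
        }

        // OR across every item of every list assigned to the rule.
        // Returns the item_ids that would suppress the alert, for audit purposes.
        function matchingItemIds(lists, event) {
          return lists.flat().filter((item) => itemMatches(item, event)).map((item) => item.item_id);
        }

        function isSuppressed(lists, event) {
          return matchingItemIds(lists, event).length > 0;
        }

        // List 1: the sample item from this specification.
        const simpleList = [
          {
            item_id: 'simple_list_item',
            entries: [
              { field: 'actingProcess.file.signer', operator: 'excluded', type: 'exists' },
              { field: 'host.name', operator: 'included', type: 'match_any', value: ['jupiter', 'saturn'] },
            ],
          },
        ];

        // List 2: constructed item, used to show OR logic across lists.
        const constructedList = [
          {
            item_id: 'constructed_backup_item',
            entries: [{ field: 'process.name', operator: 'included', type: 'match', value: 'backup.sh' }],
          },
        ];

        const lists = [simpleList, constructedList];

        // Constructed events.
        const unsignedOnJupiter = { host: { name: 'jupiter' }, process: { name: 'sshd' } };
        const signedOnJupiter = {
          host: { name: 'jupiter' },
          process: { name: 'sshd' },
          actingProcess: { file: { signer: 'Example Corp' } },
        };
        const backupOnMars = {
          host: { name: 'mars' },
          process: { name: 'backup.sh' },
          actingProcess: { file: { signer: 'Example Corp' } },
        };
        const unsignedOnMars = { host: { name: 'mars' }, process: { name: 'sshd' } };
        ```

        Each additional item or list can only widen what is suppressed, so reviewing which `item_id` values match a given event is a useful check before attaching a shared list to more rules.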
      operationId: CreateSharedExceptionList
      requestBody:
        content:
          application/json:
            examples:
              createSharedExceptionList:
                value:
                  description: This is a sample detection type exception list.
                  list_id: simple_list
                  name: Sample Detection Exception List
                  namespace_type: single
                  os_types:
                    - linux
                  tags:
                    - malware
            schema:
              type: object
              properties:
                description:
                  $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription'
                name:
                  $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName'
              required:
                - name
                - description
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                sharedList:
                  value:
                    _version: WzIsMV0=
                    created_at: '2025-01-07T19:34:27.942Z'
                    created_by: elastic
                    description: This is a sample detection type exception list.
                    id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85
                    immutable: false
                    list_id: simple_list
                    name: Sample Detection Exception List
                    namespace_type: single
                    os_types:
                      - linux
                    tags:
                      - malware
                    tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3
                    type: detection
                    updated_at: '2025-01-07T19:34:27.942Z'
                    updated_by: elastic
                    version: 1
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList'
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                badRequest:
                  value:
                    error: Bad Request
                    message: '[request body]: list_id: Expected string, received number'
                    statusCode: 400
              schema:
                oneOf:
                  - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
                  - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
          description: Invalid input data response
        '401':
          content:
            application/json:
              examples:
                unauthorized:
                  value:
                    error: Unauthorized
                    message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]"
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
          description: Unsuccessful authentication response
        '403':
          content:
            application/json:
              examples:
                forbidden:
                  value:
                    message: Unable to create exception-list
                    status_code: 403
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
          description: Not enough privileges response
        '409':
          content:
            application/json:
              examples:
                alreadyExists:
                  value:
                    message: 'exception list id: "simple_list" already exists'
                    status_code: 409
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
          description: Exception list already exists response
        '500':
          content:
            application/json:
              examples:
                serverError:
                  value:
                    message: Internal Server Error
                    status_code: 500
              schema:
                $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
          description: Internal server error response
      summary: Create a shared exception list
      tags:
        - Security Exceptions API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/agent_download_sources:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/agent_download_sources</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        List all agent binary download sources.<br/><br/>[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-settings-read.
      operationId: get-fleet-agent-download-sources
      parameters: []
      responses:
        '200':
          content:
            application/json:
              examples:
                getDownloadSourcesExample:
                  description: List of agent binary download sources
                  value:
                    items:
                      - host: https://artifacts.elastic.co/downloads/
                        id: download-source-id-1
                        is_default: true
                        name: Elastic Artifacts
                    page: 1
                    perPage: 20
                    total: 1
              schema:
                additionalProperties: false
                type: object
                properties:
                  items:
                    items:
                      additionalProperties: false
                      type: object
                      properties:
                        auth:
                          additionalProperties: false
                          nullable: true
                          type: object
                          properties:
                            api_key:
                              type: string
                            headers:
                              items:
                                additionalProperties: false
                                type: object
                                properties:
                                  key:
                                    type: string
                                  value:
                                    type: string
                                required:
                                  - key
                                  - value
                              maxItems: 100
                              type: array
                            password:
                              type: string
                            username:
                              type: string
                        host:
                          format: uri
                          type: string
                        id:
                          type: string
                        is_default:
                          default: false
                          type: boolean
                        name:
                          type: string
                        proxy_id:
                          description: The ID of the proxy to use for this download source. See the proxies API for more information.
                          nullable: true
                          type: string
                        secrets:
                          additionalProperties: false
                          type: object
                          properties:
                            auth:
                              additionalProperties: false
                              type: object
                              properties:
                                api_key:
                                  anyOf:
                                    - additionalProperties: false
                                      type: object
                                      properties:
                                        id:
                                          type: string
                                      required:
                                        - id
                                    - type: string
                                password:
                                  anyOf:
                                    - additionalProperties: false
                                      type: object
                                      properties:
                                        id:
                                          type: string
                                      required:
                                        - id
                                    - type: string
                            ssl:
                              additionalProperties: false
                              type: object
                              properties:
                                key:
                                  anyOf:
                                    - additionalProperties: false
                                      type: object
                                      properties:
                                        id:
                                          type: string
                                      required:
                                        - id
                                    - type: string
                        ssl:
                          additionalProperties: false
                          type: object
                          properties:
                            certificate:
                              type: string
                            certificate_authorities:
                              items:
                                type: string
                              maxItems: 10
                              type: array
                            key:
                              type: string
                      required:
                        - id
                        - name
                        - host
                    maxItems: 10000
                    type: array
                  page:
                    type: number
                  perPage:
                    type: number
                  total:
                    type: number
                required:
                  - items
                  - total
                  - page
                  - perPage
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Get agent binary download sources
      tags:
        - Elastic Agent binary download sources
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/agent_download_sources</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Create a new agent binary download source.<br/><br/>[Required authorization] Route required privileges: fleet-settings-all.
      operationId: post-fleet-agent-download-sources
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            examples:
              postDownloadSourceRequestExample:
                description: Create a new agent binary download source
                value:
                  host: https://my-custom-host.example.com/downloads/
                  is_default: false
                  name: My custom download source
            schema:
              additionalProperties: false
              type: object
              properties:
                auth:
                  additionalProperties: false
                  nullable: true
                  type: object
                  properties:
                    api_key:
                      type: string
                    headers:
                      items:
                        additionalProperties: false
                        type: object
                        properties:
                          key:
                            type: string
                          value:
                            type: string
                        required:
                          - key
                          - value
                      maxItems: 100
                      type: array
                    password:
                      type: string
                    username:
                      type: string
                host:
                  format: uri
                  type: string
                id:
                  type: string
                is_default:
                  default: false
                  type: boolean
                name:
                  type: string
                proxy_id:
                  description: The ID of the proxy to use for this download source. See the proxies API for more information.
                  nullable: true
                  type: string
                secrets:
                  additionalProperties: false
                  type: object
                  properties:
                    auth:
                      additionalProperties: false
                      type: object
                      properties:
                        api_key:
                          anyOf:
                            - additionalProperties: false
                              type: object
                              properties:
                                id:
                                  type: string
                              required:
                                - id
                            - type: string
                        password:
                          anyOf:
                            - additionalProperties: false
                              type: object
                              properties:
                                id:
                                  type: string
                              required:
                                - id
                            - type: string
                    ssl:
                      additionalProperties: false
                      type: object
                      properties:
                        key:
                          anyOf:
                            - additionalProperties: false
                              type: object
                              properties:
                                id:
                                  type: string
                              required:
                                - id
                            - type: string
                ssl:
                  additionalProperties: false
                  type: object
                  properties:
                    certificate:
                      type: string
                    certificate_authorities:
                      items:
                        type: string
                      maxItems: 10
                      type: array
                    key:
                      type: string
              required:
                - name
                - host
      responses:
        '200':
          content:
            application/json:
              examples:
                postDownloadSourceExample:
                  description: The created agent binary download source
                  value:
                    item:
                      host: https://my-custom-host.example.com/downloads/
                      id: download-source-id-2
                      is_default: false
                      name: My custom download source
              schema:
                additionalProperties: false
                type: object
                properties:
                  item:
                    additionalProperties: false
                    type: object
                    properties:
                      auth:
                        additionalProperties: false
                        nullable: true
                        type: object
                        properties:
                          api_key:
                            type: string
                          headers:
                            items:
                              additionalProperties: false
                              type: object
                              properties:
                                key:
                                  type: string
                                value:
                                  type: string
                              required:
                                - key
                                - value
                            maxItems: 100
                            type: array
                          password:
                            type: string
                          username:
                            type: string
                      host:
                        format: uri
                        type: string
                      id:
                        type: string
                      is_default:
                        default: false
                        type: boolean
                      name:
                        type: string
                      proxy_id:
                        description: The ID of the proxy to use for this download source. See the proxies API for more information.
                        nullable: true
                        type: string
                      secrets:
                        additionalProperties: false
                        type: object
                        properties:
                          auth:
                            additionalProperties: false
                            type: object
                            properties:
                              api_key:
                                anyOf:
                                  - additionalProperties: false
                                    type: object
                                    properties:
                                      id:
                                        type: string
                                    required:
                                      - id
                                  - type: string
                              password:
                                anyOf:
                                  - additionalProperties: false
                                    type: object
                                    properties:
                                      id:
                                        type: string
                                    required:
                                      - id
                                  - type: string
                          ssl:
                            additionalProperties: false
                            type: object
                            properties:
                              key:
                                anyOf:
                                  - additionalProperties: false
                                    type: object
                                    properties:
                                      id:
                                        type: string
                                    required:
                                      - id
                                  - type: string
                      ssl:
                        additionalProperties: false
                        type: object
                        properties:
                          certificate:
                            type: string
                          certificate_authorities:
                            items:
                              type: string
                            maxItems: 10
                            type: array
                          key:
                            type: string
                    required:
                      - id
                      - name
                      - host
                required:
                  - item
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Create an agent binary download source
      tags:
        - Elastic Agent binary download sources
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/agent_download_sources/{sourceId}:
    delete:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/agent_download_sources/{sourceId}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Delete an agent binary download source by ID.<br/><br/>[Required authorization] Route required privileges: fleet-settings-all.
      operationId: delete-fleet-agent-download-sources-sourceid
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The ID of the download source
          in: path
          name: sourceId
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                deleteDownloadSourceExample:
                  description: The download source was successfully deleted
                  value:
                    id: download-source-id-1
              schema:
                additionalProperties: false
                type: object
                properties:
                  id:
                    type: string
                required:
                  - id
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
        '404':
          content:
            application/json:
              examples:
                notFoundExample:
                  description: No download source was found with the given ID
                  value:
                    error: Not Found
                    message: Agent binary source download-source-id-1 not found
                    statusCode: 404
          description: Not Found
      summary: Delete an agent binary download source
      tags:
        - Elastic Agent binary download sources
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/agent_download_sources/{sourceId}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get an agent binary download source by ID.<br/><br/>[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-settings-read.
      operationId: get-fleet-agent-download-sources-sourceid
      parameters:
        - description: The ID of the download source
          in: path
          name: sourceId
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                getDownloadSourceExample:
                  description: An agent binary download source
                  value:
                    item:
                      host: https://artifacts.elastic.co/downloads/
                      id: download-source-id-1
                      is_default: true
                      name: Elastic Artifacts
              schema:
                additionalProperties: false
                type: object
                properties:
                  item:
                    additionalProperties: false
                    type: object
                    properties:
                      auth:
                        additionalProperties: false
                        nullable: true
                        type: object
                        properties:
                          api_key:
                            type: string
                          headers:
                            items:
                              additionalProperties: false
                              type: object
                              properties:
                                key:
                                  type: string
                                value:
                                  type: string
                              required:
                                - key
                                - value
                            maxItems: 100
                            type: array
                          password:
                            type: string
                          username:
                            type: string
                      host:
                        format: uri
                        type: string
                      id:
                        type: string
                      is_default:
                        default: false
                        type: boolean
                      name:
                        type: string
                      proxy_id:
                        description: The ID of the proxy to use for this download source. See the proxies API for more information.
                        nullable: true
                        type: string
                      secrets:
                        additionalProperties: false
                        type: object
                        properties:
                          auth:
                            additionalProperties: false
                            type: object
                            properties:
                              api_key:
                                anyOf:
                                  - additionalProperties: false
                                    type: object
                                    properties:
                                      id:
                                        type: string
                                    required:
                                      - id
                                  - type: string
                              password:
                                anyOf:
                                  - additionalProperties: false
                                    type: object
                                    properties:
                                      id:
                                        type: string
                                    required:
                                      - id
                                  - type: string
                          ssl:
                            additionalProperties: false
                            type: object
                            properties:
                              key:
                                anyOf:
                                  - additionalProperties: false
                                    type: object
                                    properties:
                                      id:
                                        type: string
                                    required:
                                      - id
                                  - type: string
                      ssl:
                        additionalProperties: false
                        type: object
                        properties:
                          certificate:
                            type: string
                          certificate_authorities:
                            items:
                              type: string
                            maxItems: 10
                            type: array
                          key:
                            type: string
                    required:
                      - id
                      - name
                      - host
                required:
                  - item
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
        '404':
          content:
            application/json:
              examples:
                notFoundExample:
                  description: No download source was found with the given ID
                  value:
                    error: Not Found
                    message: Agent binary source download-source-id-1 not found
                    statusCode: 404
          description: Not Found
      summary: Get an agent binary download source
      tags:
        - Elastic Agent binary download sources
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    put:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb put">put</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/agent_download_sources/{sourceId}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Update an agent binary download source by ID.<br/><br/>[Required authorization] Route required privileges: fleet-settings-all.
      operationId: put-fleet-agent-download-sources-sourceid
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The ID of the download source
          in: path
          name: sourceId
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            examples:
              putDownloadSourceRequestExample:
                description: Update an agent binary download source
                value:
                  host: https://updated-host.example.com/downloads/
                  is_default: false
                  name: Updated download source
            schema:
              additionalProperties: false
              type: object
              properties:
                auth:
                  additionalProperties: false
                  nullable: true
                  type: object
                  properties:
                    api_key:
                      type: string
                    headers:
                      items:
                        additionalProperties: false
                        type: object
                        properties:
                          key:
                            type: string
                          value:
                            type: string
                        required:
                          - key
                          - value
                      maxItems: 100
                      type: array
                    password:
                      type: string
                    username:
                      type: string
                host:
                  format: uri
                  type: string
                id:
                  type: string
                is_default:
                  default: false
                  type: boolean
                name:
                  type: string
                proxy_id:
                  description: The ID of the proxy to use for this download source. See the proxies API for more information.
                  nullable: true
                  type: string
                secrets:
                  additionalProperties: false
                  type: object
                  properties:
                    auth:
                      additionalProperties: false
                      type: object
                      properties:
                        api_key:
                          anyOf:
                            - additionalProperties: false
                              type: object
                              properties:
                                id:
                                  type: string
                              required:
                                - id
                            - type: string
                        password:
                          anyOf:
                            - additionalProperties: false
                              type: object
                              properties:
                                id:
                                  type: string
                              required:
                                - id
                            - type: string
                    ssl:
                      additionalProperties: false
                      type: object
                      properties:
                        key:
                          anyOf:
                            - additionalProperties: false
                              type: object
                              properties:
                                id:
                                  type: string
                              required:
                                - id
                            - type: string
                ssl:
                  additionalProperties: false
                  type: object
                  properties:
                    certificate:
                      type: string
                    certificate_authorities:
                      items:
                        type: string
                      maxItems: 10
                      type: array
                    key:
                      type: string
              required:
                - name
                - host
      responses:
        '200':
          content:
            application/json:
              examples:
                putDownloadSourceExample:
                  description: The updated agent binary download source
                  value:
                    item:
                      host: https://updated-host.example.com/downloads/
                      id: download-source-id-1
                      is_default: false
                      name: Updated download source
              schema:
                additionalProperties: false
                type: object
                properties:
                  item:
                    additionalProperties: false
                    type: object
                    properties:
                      auth:
                        additionalProperties: false
                        nullable: true
                        type: object
                        properties:
                          api_key:
                            type: string
                          headers:
                            items:
                              additionalProperties: false
                              type: object
                              properties:
                                key:
                                  type: string
                                value:
                                  type: string
                              required:
                                - key
                                - value
                            maxItems: 100
                            type: array
                          password:
                            type: string
                          username:
                            type: string
                      host:
                        format: uri
                        type: string
                      id:
                        type: string
                      is_default:
                        default: false
                        type: boolean
                      name:
                        type: string
                      proxy_id:
                        description: The ID of the proxy to use for this download source. See the proxies API for more information.
                        nullable: true
                        type: string
                      secrets:
                        additionalProperties: false
                        type: object
                        properties:
                          auth:
                            additionalProperties: false
                            type: object
                            properties:
                              api_key:
                                anyOf:
                                  - additionalProperties: false
                                    type: object
                                    properties:
                                      id:
                                        type: string
                                    required:
                                      - id
                                  - type: string
                              password:
                                anyOf:
                                  - additionalProperties: false
                                    type: object
                                    properties:
                                      id:
                                        type: string
                                    required:
                                      - id
                                  - type: string
                          ssl:
                            additionalProperties: false
                            type: object
                            properties:
                              key:
                                anyOf:
                                  - additionalProperties: false
                                    type: object
                                    properties:
                                      id:
                                        type: string
                                    required:
                                      - id
                                  - type: string
                      ssl:
                        additionalProperties: false
                        type: object
                        properties:
                          certificate:
                            type: string
                          certificate_authorities:
                            items:
                              type: string
                            maxItems: 10
                            type: array
                          key:
                            type: string
                    required:
                      - id
                      - name
                      - host
                required:
                  - item
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
        '404':
          content:
            application/json:
              examples:
                notFoundExample:
                  description: No download source was found with the given ID
                  value:
                    error: Not Found
                    message: Download source download-source-id-1 not found
                    statusCode: 404
          description: Not Found
      summary: Update an agent binary download source
      tags:
        - Elastic Agent binary download sources
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/agent_policies:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/agent_policies</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        List all agent policies.<br/><br/>[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup.
      operationId: get-fleet-agent-policies
      parameters:
        - description: Page number
          in: query
          name: page
          required: false
          schema:
            type: number
        - description: Number of results per page
          in: query
          name: perPage
          required: false
          schema:
            type: number
        - description: Field to sort results by
          in: query
          name: sortField
          required: false
          schema:
            type: string
        - description: Sort order, ascending or descending
          in: query
          name: sortOrder
          required: false
          schema:
            enum:
              - desc
              - asc
            type: string
        - description: When true, only show policies with upgradeable agents
          in: query
          name: showUpgradeable
          required: false
          schema:
            type: boolean
        - description: A KQL query string to filter results
          in: query
          name: kuery
          required: false
          schema:
            type: string
        - description: Deprecated. Use withAgentCount instead.
          in: query
          name: noAgentCount
          required: false
          schema:
            deprecated: true
            type: boolean
        - description: Get policies with agent count
          in: query
          name: withAgentCount
          required: false
          schema:
            type: boolean
        - description: Get full policies with package policies populated
          in: query
          name: full
          required: false
          schema:
            type: boolean
        - description: 'Format for the response: simplified or legacy'
          in: query
          name: format
          required: false
          schema:
            enum:
              - simplified
              - legacy
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                getAgentPoliciesExample:
                  description: List of agent policies
                  value:
                    items:
                      - description: A sample agent policy
                        id: agent-policy-id-1
                        is_managed: false
                        is_protected: false
                        name: My agent policy
                        namespace: default
                        revision: 1
                        status: active
                        updated_at: '2024-01-15T10:00:00.000Z'
                        updated_by: user1
                    page: 1
                    perPage: 20
                    total: 1
              schema:
                additionalProperties: false
                type: object
                properties:
                  items:
                    items:
                      additionalProperties: false
                      type: object
                      properties:
                        advanced_settings:
                          additionalProperties: false
                          type: object
                          properties:
                            agent_download_target_directory:
                              nullable: true
                            agent_download_timeout:
                              nullable: true
                            agent_features_disable_policy_change_acks_enabled:
                              nullable: true
                            agent_internal:
                              nullable: true
                            agent_limits_go_max_procs:
                              nullable: true
                            agent_logging_files_interval:
                              nullable: true
                            agent_logging_files_keepfiles:
                              nullable: true
                            agent_logging_files_rotateeverybytes:
                              nullable: true
                            agent_logging_level:
                              nullable: true
                            agent_logging_metrics_period:
                              nullable: true
                            agent_logging_to_files:
                              nullable: true
                            agent_monitoring_runtime_experimental:
                              nullable: true
                        agent_features:
                          items:
                            additionalProperties: false
                            type: object
                            properties:
                              enabled:
                                type: boolean
                              name:
                                type: string
                            required:
                              - name
                              - enabled
                          maxItems: 100
                          type: array
                        agentless:
                          additionalProperties: false
                          type: object
                          properties:
                            cloud_connectors:
                              additionalProperties: false
                              type: object
                              properties:
                                enabled:
                                  type: boolean
                                target_csp:
                                  enum:
                                    - aws
                                    - azure
                                    - gcp
                                  type: string
                              required:
                                - enabled
                            resources:
                              additionalProperties: false
                              type: object
                              properties:
                                requests:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    cpu:
                                      type: string
                                    memory:
                                      type: string
                        agents:
                          type: number
                        agents_per_version:
                          items:
                            additionalProperties: false
                            type: object
                            properties:
                              count:
                                type: number
                              version:
                                type: string
                            required:
                              - version
                              - count
                          maxItems: 1000
                          type: array
                        created_at:
                          type: string
                        data_output_id:
                          nullable: true
                          type: string
                        description:
                          type: string
                        download_source_id:
                          nullable: true
                          type: string
                        fips_agents:
                          type: number
                        fleet_server_host_id:
                          nullable: true
                          type: string
                        global_data_tags:
                          description: User defined data tags that are added to all of the inputs. The values can be strings or numbers.
                          items:
                            additionalProperties: false
                            type: object
                            properties:
                              name:
                                type: string
                              value:
                                anyOf:
                                  - type: string
                                  - type: number
                            required:
                              - name
                              - value
                          maxItems: 100
                          type: array
                        has_agent_version_conditions:
                          type: boolean
                        has_fleet_server:
                          type: boolean
                        id:
                          type: string
                        inactivity_timeout:
                          default: 1209600
                          minimum: 0
                          type: number
                        is_default:
                          type: boolean
                        is_default_fleet_server:
                          type: boolean
                        is_managed:
                          type: boolean
                        is_preconfigured:
                          type: boolean
                        is_protected:
                          description: Indicates whether the agent policy has tamper protection enabled. Default false.
                          type: boolean
                        is_verifier:
                          description: Indicates this is a short-lived verifier policy used for OTel permission verification.
                          type: boolean
                        keep_monitoring_alive:
                          default: false
                          description: When set to true, monitoring is enabled but logs/metrics collection is disabled.
                          nullable: true
                          type: boolean
                        min_agent_version:
                          nullable: true
                          type: string
                        monitoring_diagnostics:
                          additionalProperties: false
                          type: object
                          properties:
                            limit:
                              additionalProperties: false
                              type: object
                              properties:
                                burst:
                                  type: number
                                interval:
                                  type: string
                            uploader:
                              additionalProperties: false
                              type: object
                              properties:
                                init_dur:
                                  type: string
                                max_dur:
                                  type: string
                                max_retries:
                                  type: number
                        monitoring_enabled:
                          items:
                            enum:
                              - logs
                              - metrics
                              - traces
                            type: string
                          maxItems: 3
                          type: array
                        monitoring_http:
                          additionalProperties: false
                          type: object
                          properties:
                            buffer:
                              additionalProperties: false
                              type: object
                              properties:
                                enabled:
                                  default: false
                                  type: boolean
                            enabled:
                              type: boolean
                            host:
                              type: string
                            port:
                              maximum: 65353
                              minimum: 0
                              type: number
                        monitoring_output_id:
                          nullable: true
                          type: string
                        monitoring_pprof_enabled:
                          type: boolean
                        name:
                          minLength: 1
                          type: string
                        namespace:
                          minLength: 1
                          type: string
                        overrides:
                          additionalProperties:
                            nullable: true
                          description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure.
                          nullable: true
                          type: object
                        package_agent_version_conditions:
                          items:
                            additionalProperties: false
                            type: object
                            properties:
                              name:
                                type: string
                              title:
                                type: string
                              version_condition:
                                type: string
                            required:
                              - name
                              - title
                              - version_condition
                          maxItems: 1000
                          nullable: true
                          type: array
                        package_policies:
                          anyOf:
                            - items:
                                type: string
                              maxItems: 10000
                              type: array
                            - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter
                              items:
                                additionalProperties: false
                                type: object
                                properties:
                                  additional_datastreams_permissions:
                                    description: Additional datastream permissions that will be added to the agent policy.
                                    items:
                                      type: string
                                    maxItems: 1000
                                    nullable: true
                                    type: array
                                  agents:
                                    type: number
                                  cloud_connector_id:
                                    description: ID of the cloud connector associated with this package policy.
                                    nullable: true
                                    type: string
                                  cloud_connector_name:
                                    description: Transient field for cloud connector name during creation.
                                    maxLength: 255
                                    minLength: 1
                                    nullable: true
                                    type: string
                                  created_at:
                                    type: string
                                  created_by:
                                    type: string
                                  description:
                                    description: Package policy description
                                    type: string
                                  elasticsearch:
                                    additionalProperties: true
                                    type: object
                                    properties:
                                      privileges:
                                        additionalProperties: true
                                        type: object
                                        properties:
                                          cluster:
                                            items:
                                              type: string
                                            maxItems: 100
                                            type: array
                                  enabled:
                                    type: boolean
                                  global_data_tags:
                                    items:
                                      additionalProperties: false
                                      type: object
                                      properties:
                                        name:
                                          description: The name of the custom field. Cannot contain spaces.
                                          type: string
                                        value:
                                          anyOf:
                                            - type: string
                                            - type: number
                                          description: The value of the custom field.
                                      required:
                                        - name
                                        - value
                                    maxItems: 100
                                    nullable: true
                                    type: array
                                  id:
                                    description: Package policy unique identifier.
                                    type: string
                                  inputs:
                                    anyOf:
                                      - items:
                                          additionalProperties: false
                                          type: object
                                          properties:
                                            compiled_input:
                                              nullable: true
                                            config:
                                              additionalProperties:
                                                additionalProperties: false
                                                type: object
                                                properties:
                                                  frozen:
                                                    type: boolean
                                                  type:
                                                    type: string
                                                  value:
                                                    nullable: true
                                                required:
                                                  - value
                                              description: Package variable (see integration documentation for more information)
                                              type: object
                                            deprecated:
                                              additionalProperties: false
                                              type: object
                                              properties:
                                                description:
                                                  type: string
                                                replaced_by:
                                                  additionalProperties:
                                                    type: string
                                                  type: object
                                                since:
                                                  type: string
                                              required:
                                                - description
                                            enabled:
                                              type: boolean
                                            id:
                                              type: string
                                            keep_enabled:
                                              type: boolean
                                            migrate_from:
                                              type: string
                                            name:
                                              type: string
                                            policy_template:
                                              type: string
                                            streams:
                                              items:
                                                additionalProperties: false
                                                type: object
                                                properties:
                                                  compiled_stream:
                                                    nullable: true
                                                  config:
                                                    additionalProperties:
                                                      additionalProperties: false
                                                      type: object
                                                      properties:
                                                        frozen:
                                                          type: boolean
                                                        type:
                                                          type: string
                                                        value:
                                                          nullable: true
                                                      required:
                                                        - value
                                                    description: Package variable (see integration documentation for more information)
                                                    type: object
                                                  data_stream:
                                                    additionalProperties: false
                                                    type: object
                                                    properties:
                                                      dataset:
                                                        type: string
                                                      elasticsearch:
                                                        additionalProperties: false
                                                        type: object
                                                        properties:
                                                          dynamic_dataset:
                                                            type: boolean
                                                          dynamic_namespace:
                                                            type: boolean
                                                          privileges:
                                                            additionalProperties: false
                                                            type: object
                                                            properties:
                                                              indices:
                                                                items:
                                                                  type: string
                                                                maxItems: 100
                                                                type: array
                                                      type:
                                                        type: string
                                                    required:
                                                      - dataset
                                                  deprecated:
                                                    additionalProperties: false
                                                    type: object
                                                    properties:
                                                      description:
                                                        type: string
                                                      replaced_by:
                                                        additionalProperties:
                                                          type: string
                                                        type: object
                                                      since:
                                                        type: string
                                                    required:
                                                      - description
                                                  enabled:
                                                    type: boolean
                                                  id:
                                                    type: string
                                                  keep_enabled:
                                                    type: boolean
                                                  migrate_from:
                                                    type: string
                                                  release:
                                                    enum:
                                                      - ga
                                                      - beta
                                                      - experimental
                                                    type: string
                                                  var_group_selections:
                                                    additionalProperties:
                                                      type: string
                                                    description: Variable group selections. Maps var_group name to the selected option name within that group.
                                                    type: object
                                                  vars:
                                                    additionalProperties:
                                                      additionalProperties: false
                                                      type: object
                                                      properties:
                                                        frozen:
                                                          type: boolean
                                                        type:
                                                          type: string
                                                        value:
                                                          nullable: true
                                                      required:
                                                        - value
                                                    description: Package variable (see integration documentation for more information)
                                                    type: object
                                                required:
                                                  - enabled
                                                  - data_stream
                                                  - compiled_stream
                                              maxItems: 1000
                                              type: array
                                            type:
                                              type: string
                                            var_group_selections:
                                              additionalProperties:
                                                type: string
                                              description: Variable group selections. Maps var_group name to the selected option name within that group.
                                              type: object
                                            vars:
                                              additionalProperties:
                                                additionalProperties: false
                                                type: object
                                                properties:
                                                  frozen:
                                                    type: boolean
                                                  type:
                                                    type: string
                                                  value:
                                                    nullable: true
                                                required:
                                                  - value
                                              description: Package variable (see integration documentation for more information)
                                              type: object
                                          required:
                                            - type
                                            - enabled
                                            - streams
                                            - compiled_input
                                        maxItems: 100
                                        type: array
                                      - additionalProperties:
                                          additionalProperties: false
                                          type: object
                                          properties:
                                            deprecated:
                                              additionalProperties: false
                                              type: object
                                              properties:
                                                description:
                                                  type: string
                                                replaced_by:
                                                  additionalProperties:
                                                    type: string
                                                  type: object
                                                since:
                                                  type: string
                                              required:
                                                - description
                                            enabled:
                                              description: Enable or disable the input. Defaults to `true` (enabled).
                                              type: boolean
                                            streams:
                                              additionalProperties:
                                                additionalProperties: false
                                                type: object
                                                properties:
                                                  deprecated:
                                                    additionalProperties: false
                                                    type: object
                                                    properties:
                                                      description:
                                                        type: string
                                                      replaced_by:
                                                        additionalProperties:
                                                          type: string
                                                        type: object
                                                      since:
                                                        type: string
                                                    required:
                                                      - description
                                                  enabled:
                                                    description: Enable or disable the stream. Defaults to `true` (enabled).
                                                    type: boolean
                                                  var_group_selections:
                                                    additionalProperties:
                                                      type: string
                                                    description: Variable group selections. Maps var_group name to the selected option name within that group.
                                                    type: object
                                                  vars:
                                                    additionalProperties:
                                                      anyOf:
                                                        - type: string
                                                        - type: number
                                                        - type: boolean
                                                        - items:
                                                            type: string
                                                          maxItems: 100
                                                          type: array
                                                        - items:
                                                            type: number
                                                          maxItems: 100
                                                          type: array
                                                        - additionalProperties: false
                                                          type: object
                                                          properties:
                                                            id:
                                                              type: string
                                                            isSecretRef:
                                                              type: boolean
                                                          required:
                                                            - id
                                                            - isSecretRef
                                                      nullable: true
                                                    description: Input/stream level variable. Refer to the integration documentation for more information.
                                                    type: object
                                              description: Input streams. Refer to the integration documentation to learn which streams are available.
                                              type: object
                                            vars:
                                              additionalProperties:
                                                anyOf:
                                                  - type: string
                                                  - type: number
                                                  - type: boolean
                                                  - items:
                                                      type: string
                                                    maxItems: 100
                                                    type: array
                                                  - items:
                                                      type: number
                                                    maxItems: 100
                                                    type: array
                                                  - additionalProperties: false
                                                    type: object
                                                    properties:
                                                      id:
                                                        type: string
                                                      isSecretRef:
                                                        type: boolean
                                                    required:
                                                      - id
                                                      - isSecretRef
                                                nullable: true
                                              description: Input/stream level variable. Refer to the integration documentation for more information.
                                              type: object
                                        description: Package policy inputs. Refer to the integration documentation to learn which inputs are available.
                                        type: object
                                        x-oas-optional: true
                                    description: Package policy inputs.
                                  is_managed:
                                    type: boolean
                                  name:
                                    description: Unique name for the package policy.
                                    type: string
                                  namespace:
                                    description: The package policy namespace. Leave blank to inherit the agent policy's namespace.
                                    type: string
                                  output_id:
                                    nullable: true
                                    type: string
                                  overrides:
                                    additionalProperties: false
                                    description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
                                    nullable: true
                                    type: object
                                    properties:
                                      inputs:
                                        additionalProperties:
                                          nullable: true
                                        type: object
                                  package:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      experimental_data_stream_features:
                                        items:
                                          additionalProperties: false
                                          type: object
                                          properties:
                                            data_stream:
                                              type: string
                                            features:
                                              additionalProperties: false
                                              type: object
                                              properties:
                                                doc_value_only_numeric:
                                                  type: boolean
                                                doc_value_only_other:
                                                  type: boolean
                                                synthetic_source:
                                                  type: boolean
                                                tsdb:
                                                  type: boolean
                                          required:
                                            - data_stream
                                            - features
                                        maxItems: 100
                                        type: array
                                      fips_compatible:
                                        type: boolean
                                      name:
                                        description: Package name
                                        type: string
                                      requires_root:
                                        type: boolean
                                      title:
                                        type: string
                                      version:
                                        description: Package version
                                        type: string
                                    required:
                                      - name
                                      - version
                                  package_agent_version_condition:
                                    type: string
                                  policy_id:
                                    deprecated: true
                                    description: ID of the agent policy which the package policy will be added to.
                                    nullable: true
                                    type: string
                                  policy_ids:
                                    items:
                                      description: IDs of the agent policies that the package policy will be added to.
                                      type: string
                                    maxItems: 1000
                                    type: array
                                  revision:
                                    description: Package policy revision.
                                    type: number
                                  secret_references:
                                    items:
                                      additionalProperties: false
                                      type: object
                                      properties:
                                        id:
                                          type: string
                                      required:
                                        - id
                                    maxItems: 1000
                                    type: array
                                  spaceIds:
                                    items:
                                      type: string
                                    maxItems: 100
                                    type: array
                                  supports_agentless:
                                    default: false
                                    description: Indicates whether the package policy belongs to an agentless agent policy.
                                    nullable: true
                                    type: boolean
                                  supports_cloud_connector:
                                    default: false
                                    description: Indicates whether the package policy supports cloud connectors.
                                    nullable: true
                                    type: boolean
                                  updated_at:
                                    type: string
                                  updated_by:
                                    type: string
                                  var_group_selections:
                                    additionalProperties:
                                      type: string
                                    description: Variable group selections. Maps var_group name to the selected option name within that group.
                                    type: object
                                  vars:
                                    anyOf:
                                      - additionalProperties:
                                          additionalProperties: false
                                          type: object
                                          properties:
                                            frozen:
                                              type: boolean
                                            type:
                                              type: string
                                            value:
                                              nullable: true
                                          required:
                                            - value
                                        description: Package variable (see integration documentation for more information)
                                        type: object
                                      - additionalProperties:
                                          anyOf:
                                            - type: string
                                            - type: number
                                            - type: boolean
                                            - items:
                                                type: string
                                              maxItems: 100
                                              type: array
                                            - items:
                                                type: number
                                              maxItems: 100
                                              type: array
                                            - additionalProperties: false
                                              type: object
                                              properties:
                                                id:
                                                  type: string
                                                isSecretRef:
                                                  type: boolean
                                              required:
                                                - id
                                                - isSecretRef
                                          nullable: true
                                        description: Input/stream level variable. Refer to the integration documentation for more information.
                                        type: object
                                        x-oas-optional: true
                                    description: Package level variable.
                                  version:
                                    description: Package policy ES version.
                                    type: string
                                required:
                                  - name
                                  - enabled
                                  - inputs
                                  - id
                                  - revision
                                  - updated_at
                                  - updated_by
                                  - created_at
                                  - created_by
                              maxItems: 10000
                              type: array
                        required_versions:
                          items:
                            additionalProperties: false
                            type: object
                            properties:
                              percentage:
                                description: Target percentage of agents to auto upgrade
                                maximum: 100
                                minimum: 0
                                type: number
                              version:
                                description: Target version for automatic agent upgrade
                                type: string
                            required:
                              - version
                              - percentage
                          maxItems: 100
                          nullable: true
                          type: array
                        revision:
                          type: number
                        schema_version:
                          type: string
                        space_ids:
                          items:
                            type: string
                          maxItems: 100
                          type: array
                        status:
                          enum:
                            - active
                            - inactive
                          type: string
                        supports_agentless:
                          default: false
                          description: Indicates whether the agent policy supports agentless integrations.
                          nullable: true
                          type: boolean
                        unenroll_timeout:
                          minimum: 0
                          type: number
                        unprivileged_agents:
                          type: number
                        updated_at:
                          type: string
                        updated_by:
                          type: string
                        version:
                          type: string
                      required:
                        - id
                        - name
                        - namespace
                        - is_protected
                        - status
                        - updated_at
                        - updated_by
                        - revision
                    maxItems: 10000
                    type: array
                  page:
                    type: number
                  perPage:
                    type: number
                  total:
                    type: number
                required:
                  - items
                  - total
                  - page
                  - perPage
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Get agent policies
      tags:
        - Elastic Agent policies
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/agent_policies</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Create a new agent policy.<br/><br/>[Required authorization] Route required privileges: fleet-agent-policies-all.
      operationId: post-fleet-agent-policies
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: Whether to add the system integration to the new agent policy
          in: query
          name: sys_monitoring
          required: false
          schema:
            type: boolean
      requestBody:
        content:
          application/json:
            examples:
              postAgentPolicyRequestExample:
                description: Create a new agent policy
                value:
                  description: A sample agent policy
                  monitoring_enabled:
                    - logs
                    - metrics
                  name: My agent policy
                  namespace: default
            schema:
              additionalProperties: false
              type: object
              properties:
                advanced_settings:
                  additionalProperties: false
                  type: object
                  properties:
                    agent_download_target_directory:
                      nullable: true
                    agent_download_timeout:
                      nullable: true
                    agent_features_disable_policy_change_acks_enabled:
                      nullable: true
                    agent_internal:
                      nullable: true
                    agent_limits_go_max_procs:
                      nullable: true
                    agent_logging_files_interval:
                      nullable: true
                    agent_logging_files_keepfiles:
                      nullable: true
                    agent_logging_files_rotateeverybytes:
                      nullable: true
                    agent_logging_level:
                      nullable: true
                    agent_logging_metrics_period:
                      nullable: true
                    agent_logging_to_files:
                      nullable: true
                    agent_monitoring_runtime_experimental:
                      nullable: true
                agent_features:
                  items:
                    additionalProperties: false
                    type: object
                    properties:
                      enabled:
                        type: boolean
                      name:
                        type: string
                    required:
                      - name
                      - enabled
                  maxItems: 100
                  type: array
                agentless:
                  additionalProperties: false
                  type: object
                  properties:
                    cloud_connectors:
                      additionalProperties: false
                      type: object
                      properties:
                        enabled:
                          type: boolean
                        target_csp:
                          enum:
                            - aws
                            - azure
                            - gcp
                          type: string
                      required:
                        - enabled
                    resources:
                      additionalProperties: false
                      type: object
                      properties:
                        requests:
                          additionalProperties: false
                          type: object
                          properties:
                            cpu:
                              type: string
                            memory:
                              type: string
                data_output_id:
                  nullable: true
                  type: string
                description:
                  type: string
                download_source_id:
                  nullable: true
                  type: string
                fleet_server_host_id:
                  nullable: true
                  type: string
                force:
                  type: boolean
                global_data_tags:
                  description: User-defined data tags that are added to all of the inputs. The values can be strings or numbers.
                  items:
                    additionalProperties: false
                    type: object
                    properties:
                      name:
                        type: string
                      value:
                        anyOf:
                          - type: string
                          - type: number
                    required:
                      - name
                      - value
                  maxItems: 100
                  type: array
                has_agent_version_conditions:
                  type: boolean
                has_fleet_server:
                  type: boolean
                id:
                  type: string
                inactivity_timeout:
                  default: 1209600
                  minimum: 0
                  type: number
                is_default:
                  type: boolean
                is_default_fleet_server:
                  type: boolean
                is_managed:
                  type: boolean
                is_protected:
                  type: boolean
                is_verifier:
                  description: Indicates this is a short-lived verifier policy used for OTel permission verification.
                  type: boolean
                keep_monitoring_alive:
                  default: false
                  description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled
                  nullable: true
                  type: boolean
                monitoring_diagnostics:
                  additionalProperties: false
                  type: object
                  properties:
                    limit:
                      additionalProperties: false
                      type: object
                      properties:
                        burst:
                          type: number
                        interval:
                          type: string
                    uploader:
                      additionalProperties: false
                      type: object
                      properties:
                        init_dur:
                          type: string
                        max_dur:
                          type: string
                        max_retries:
                          type: number
                monitoring_enabled:
                  items:
                    enum:
                      - logs
                      - metrics
                      - traces
                    type: string
                  maxItems: 3
                  type: array
                monitoring_http:
                  additionalProperties: false
                  type: object
                  properties:
                    buffer:
                      additionalProperties: false
                      type: object
                      properties:
                        enabled:
                          default: false
                          type: boolean
                    enabled:
                      type: boolean
                    host:
                      type: string
                    port:
                      maximum: 65353
                      minimum: 0
                      type: number
                monitoring_output_id:
                  nullable: true
                  type: string
                monitoring_pprof_enabled:
                  type: boolean
                name:
                  minLength: 1
                  type: string
                namespace:
                  minLength: 1
                  type: string
                overrides:
                  additionalProperties:
                    nullable: true
                  description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure.
                  nullable: true
                  type: object
                required_versions:
                  items:
                    additionalProperties: false
                    type: object
                    properties:
                      percentage:
                        description: Target percentage of agents to auto upgrade
                        maximum: 100
                        minimum: 0
                        type: number
                      version:
                        description: Target version for automatic agent upgrade
                        type: string
                    required:
                      - version
                      - percentage
                  maxItems: 100
                  nullable: true
                  type: array
                space_ids:
                  items:
                    type: string
                  maxItems: 100
                  type: array
                supports_agentless:
                  default: false
                  deprecated: true
                  description: Indicates whether the agent policy supports agentless integrations. Deprecated in favor of the Fleet agentless policies API.
                  nullable: true
                  type: boolean
                unenroll_timeout:
                  minimum: 0
                  type: number
              required:
                - name
                - namespace
      responses:
        '200':
          content:
            application/json:
              examples:
                postAgentPolicyExample:
                  description: The created agent policy
                  value:
                    item:
                      description: A sample agent policy
                      id: agent-policy-id-2
                      is_managed: false
                      is_protected: false
                      name: My agent policy
                      namespace: default
                      revision: 1
                      status: active
                      updated_at: '2024-01-15T10:00:00.000Z'
                      updated_by: user1
              schema:
                additionalProperties: false
                type: object
                properties:
                  item:
                    additionalProperties: false
                    type: object
                    properties:
                      advanced_settings:
                        additionalProperties: false
                        type: object
                        properties:
                          agent_download_target_directory:
                            nullable: true
                          agent_download_timeout:
                            nullable: true
                          agent_features_disable_policy_change_acks_enabled:
                            nullable: true
                          agent_internal:
                            nullable: true
                          agent_limits_go_max_procs:
                            nullable: true
                          agent_logging_files_interval:
                            nullable: true
                          agent_logging_files_keepfiles:
                            nullable: true
                          agent_logging_files_rotateeverybytes:
                            nullable: true
                          agent_logging_level:
                            nullable: true
                          agent_logging_metrics_period:
                            nullable: true
                          agent_logging_to_files:
                            nullable: true
                          agent_monitoring_runtime_experimental:
                            nullable: true
                      agent_features:
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            enabled:
                              type: boolean
                            name:
                              type: string
                          required:
                            - name
                            - enabled
                        maxItems: 100
                        type: array
                      agentless:
                        additionalProperties: false
                        type: object
                        properties:
                          cloud_connectors:
                            additionalProperties: false
                            type: object
                            properties:
                              enabled:
                                type: boolean
                              target_csp:
                                enum:
                                  - aws
                                  - azure
                                  - gcp
                                type: string
                            required:
                              - enabled
                          resources:
                            additionalProperties: false
                            type: object
                            properties:
                              requests:
                                additionalProperties: false
                                type: object
                                properties:
                                  cpu:
                                    type: string
                                  memory:
                                    type: string
                      agents:
                        type: number
                      agents_per_version:
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            count:
                              type: number
                            version:
                              type: string
                          required:
                            - version
                            - count
                        maxItems: 1000
                        type: array
                      created_at:
                        type: string
                      data_output_id:
                        nullable: true
                        type: string
                      description:
                        type: string
                      download_source_id:
                        nullable: true
                        type: string
                      fips_agents:
                        type: number
                      fleet_server_host_id:
                        nullable: true
                        type: string
                      global_data_tags:
                        description: User-defined data tags that are added to all of the inputs. The values can be strings or numbers.
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            name:
                              type: string
                            value:
                              anyOf:
                                - type: string
                                - type: number
                          required:
                            - name
                            - value
                        maxItems: 100
                        type: array
                      has_agent_version_conditions:
                        type: boolean
                      has_fleet_server:
                        type: boolean
                      id:
                        type: string
                      inactivity_timeout:
                        default: 1209600
                        minimum: 0
                        type: number
                      is_default:
                        type: boolean
                      is_default_fleet_server:
                        type: boolean
                      is_managed:
                        type: boolean
                      is_preconfigured:
                        type: boolean
                      is_protected:
                        description: Indicates whether the agent policy has tamper protection enabled. Default false.
                        type: boolean
                      is_verifier:
                        description: Indicates this is a short-lived verifier policy used for OTel permission verification.
                        type: boolean
                      keep_monitoring_alive:
                        default: false
                        description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled
                        nullable: true
                        type: boolean
                      min_agent_version:
                        nullable: true
                        type: string
                      monitoring_diagnostics:
                        additionalProperties: false
                        type: object
                        properties:
                          limit:
                            additionalProperties: false
                            type: object
                            properties:
                              burst:
                                type: number
                              interval:
                                type: string
                          uploader:
                            additionalProperties: false
                            type: object
                            properties:
                              init_dur:
                                type: string
                              max_dur:
                                type: string
                              max_retries:
                                type: number
                      monitoring_enabled:
                        items:
                          enum:
                            - logs
                            - metrics
                            - traces
                          type: string
                        maxItems: 3
                        type: array
                      monitoring_http:
                        additionalProperties: false
                        type: object
                        properties:
                          buffer:
                            additionalProperties: false
                            type: object
                            properties:
                              enabled:
                                default: false
                                type: boolean
                          enabled:
                            type: boolean
                          host:
                            type: string
                          port:
                            maximum: 65353
                            minimum: 0
                            type: number
                      monitoring_output_id:
                        nullable: true
                        type: string
                      monitoring_pprof_enabled:
                        type: boolean
                      name:
                        minLength: 1
                        type: string
                      namespace:
                        minLength: 1
                        type: string
                      overrides:
                        additionalProperties:
                          nullable: true
                        description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure.
                        nullable: true
                        type: object
                      package_agent_version_conditions:
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            name:
                              type: string
                            title:
                              type: string
                            version_condition:
                              type: string
                          required:
                            - name
                            - title
                            - version_condition
                        maxItems: 1000
                        nullable: true
                        type: array
                      package_policies:
                        anyOf:
                          - items:
                              type: string
                            maxItems: 10000
                            type: array
                          - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter
                            items:
                              additionalProperties: false
                              type: object
                              properties:
                                additional_datastreams_permissions:
                                  description: Additional datastream permissions that will be added to the agent policy.
                                  items:
                                    type: string
                                  maxItems: 1000
                                  nullable: true
                                  type: array
                                agents:
                                  type: number
                                cloud_connector_id:
                                  description: ID of the cloud connector associated with this package policy.
                                  nullable: true
                                  type: string
                                cloud_connector_name:
                                  description: Transient field for cloud connector name during creation.
                                  maxLength: 255
                                  minLength: 1
                                  nullable: true
                                  type: string
                                created_at:
                                  type: string
                                created_by:
                                  type: string
                                description:
                                  description: Package policy description
                                  type: string
                                elasticsearch:
                                  additionalProperties: true
                                  type: object
                                  properties:
                                    privileges:
                                      additionalProperties: true
                                      type: object
                                      properties:
                                        cluster:
                                          items:
                                            type: string
                                          maxItems: 100
                                          type: array
                                enabled:
                                  type: boolean
                                global_data_tags:
                                  items:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      name:
                                        description: The name of the custom field. Cannot contain spaces.
                                        type: string
                                      value:
                                        anyOf:
                                          - type: string
                                          - type: number
                                        description: The value of the custom field.
                                    required:
                                      - name
                                      - value
                                  maxItems: 100
                                  nullable: true
                                  type: array
                                id:
                                  description: Package policy unique identifier.
                                  type: string
                                inputs:
                                  anyOf:
                                    - items:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          compiled_input:
                                            nullable: true
                                          config:
                                            additionalProperties:
                                              additionalProperties: false
                                              type: object
                                              properties:
                                                frozen:
                                                  type: boolean
                                                type:
                                                  type: string
                                                value:
                                                  nullable: true
                                              required:
                                                - value
                                            description: Package variable (see integration documentation for more information)
                                            type: object
                                          deprecated:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              description:
                                                type: string
                                              replaced_by:
                                                additionalProperties:
                                                  type: string
                                                type: object
                                              since:
                                                type: string
                                            required:
                                              - description
                                          enabled:
                                            type: boolean
                                          id:
                                            type: string
                                          keep_enabled:
                                            type: boolean
                                          migrate_from:
                                            type: string
                                          name:
                                            type: string
                                          policy_template:
                                            type: string
                                          streams:
                                            items:
                                              additionalProperties: false
                                              type: object
                                              properties:
                                                compiled_stream:
                                                  nullable: true
                                                config:
                                                  additionalProperties:
                                                    additionalProperties: false
                                                    type: object
                                                    properties:
                                                      frozen:
                                                        type: boolean
                                                      type:
                                                        type: string
                                                      value:
                                                        nullable: true
                                                    required:
                                                      - value
                                                  description: Package variable (see integration documentation for more information)
                                                  type: object
                                                data_stream:
                                                  additionalProperties: false
                                                  type: object
                                                  properties:
                                                    dataset:
                                                      type: string
                                                    elasticsearch:
                                                      additionalProperties: false
                                                      type: object
                                                      properties:
                                                        dynamic_dataset:
                                                          type: boolean
                                                        dynamic_namespace:
                                                          type: boolean
                                                        privileges:
                                                          additionalProperties: false
                                                          type: object
                                                          properties:
                                                            indices:
                                                              items:
                                                                type: string
                                                              maxItems: 100
                                                              type: array
                                                    type:
                                                      type: string
                                                  required:
                                                    - dataset
                                                deprecated:
                                                  additionalProperties: false
                                                  type: object
                                                  properties:
                                                    description:
                                                      type: string
                                                    replaced_by:
                                                      additionalProperties:
                                                        type: string
                                                      type: object
                                                    since:
                                                      type: string
                                                  required:
                                                    - description
                                                enabled:
                                                  type: boolean
                                                id:
                                                  type: string
                                                keep_enabled:
                                                  type: boolean
                                                migrate_from:
                                                  type: string
                                                release:
                                                  enum:
                                                    - ga
                                                    - beta
                                                    - experimental
                                                  type: string
                                                var_group_selections:
                                                  additionalProperties:
                                                    type: string
                                                  description: Variable group selections. Maps var_group name to the selected option name within that group.
                                                  type: object
                                                vars:
                                                  additionalProperties:
                                                    additionalProperties: false
                                                    type: object
                                                    properties:
                                                      frozen:
                                                        type: boolean
                                                      type:
                                                        type: string
                                                      value:
                                                        nullable: true
                                                    required:
                                                      - value
                                                  description: Package variable (see integration documentation for more information)
                                                  type: object
                                              required:
                                                - enabled
                                                - data_stream
                                                - compiled_stream
                                            maxItems: 1000
                                            type: array
                                          type:
                                            type: string
                                          var_group_selections:
                                            additionalProperties:
                                              type: string
                                            description: Variable group selections. Maps var_group name to the selected option name within that group.
                                            type: object
                                          vars:
                                            additionalProperties:
                                              additionalProperties: false
                                              type: object
                                              properties:
                                                frozen:
                                                  type: boolean
                                                type:
                                                  type: string
                                                value:
                                                  nullable: true
                                              required:
                                                - value
                                            description: Package variable (see integration documentation for more information)
                                            type: object
                                        required:
                                          - type
                                          - enabled
                                          - streams
                                          - compiled_input
                                      maxItems: 100
                                      type: array
                                    - additionalProperties:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          deprecated:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              description:
                                                type: string
                                              replaced_by:
                                                additionalProperties:
                                                  type: string
                                                type: object
                                              since:
                                                type: string
                                            required:
                                              - description
                                          enabled:
                                            description: Enable or disable that input. Defaults to `true` (enabled).
                                            type: boolean
                                          streams:
                                            additionalProperties:
                                              additionalProperties: false
                                              type: object
                                              properties:
                                                deprecated:
                                                  additionalProperties: false
                                                  type: object
                                                  properties:
                                                    description:
                                                      type: string
                                                    replaced_by:
                                                      additionalProperties:
                                                        type: string
                                                      type: object
                                                    since:
                                                      type: string
                                                  required:
                                                    - description
                                                enabled:
                                                  description: Enable or disable that stream. Defaults to `true` (enabled).
                                                  type: boolean
                                                var_group_selections:
                                                  additionalProperties:
                                                    type: string
                                                  description: Variable group selections. Maps var_group name to the selected option name within that group.
                                                  type: object
                                                vars:
                                                  additionalProperties:
                                                    anyOf:
                                                      - type: string
                                                      - type: number
                                                      - type: boolean
                                                      - items:
                                                          type: string
                                                        maxItems: 100
                                                        type: array
                                                      - items:
                                                          type: number
                                                        maxItems: 100
                                                        type: array
                                                      - additionalProperties: false
                                                        type: object
                                                        properties:
                                                          id:
                                                            type: string
                                                          isSecretRef:
                                                            type: boolean
                                                        required:
                                                          - id
                                                          - isSecretRef
                                                    nullable: true
                                                  description: Input/stream level variable. Refer to the integration documentation for more information.
                                                  type: object
                                            description: Input streams. Refer to the integration documentation to learn which streams are available.
                                            type: object
                                          vars:
                                            additionalProperties:
                                              anyOf:
                                                - type: string
                                                - type: number
                                                - type: boolean
                                                - items:
                                                    type: string
                                                  maxItems: 100
                                                  type: array
                                                - items:
                                                    type: number
                                                  maxItems: 100
                                                  type: array
                                                - additionalProperties: false
                                                  type: object
                                                  properties:
                                                    id:
                                                      type: string
                                                    isSecretRef:
                                                      type: boolean
                                                  required:
                                                    - id
                                                    - isSecretRef
                                              nullable: true
                                            description: Input/stream level variable. Refer to the integration documentation for more information.
                                            type: object
                                      description: Package policy inputs. Refer to the integration documentation to learn which inputs are available.
                                      type: object
                                      x-oas-optional: true
                                  description: Package policy inputs.
                                is_managed:
                                  type: boolean
                                name:
                                  description: Unique name for the package policy.
                                  type: string
                                namespace:
                                  description: The package policy namespace. Leave blank to inherit the agent policy's namespace.
                                  type: string
                                output_id:
                                  nullable: true
                                  type: string
                                overrides:
                                  additionalProperties: false
                                  description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
                                  nullable: true
                                  type: object
                                  properties:
                                    inputs:
                                      additionalProperties:
                                        nullable: true
                                      type: object
                                package:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    experimental_data_stream_features:
                                      items:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          data_stream:
                                            type: string
                                          features:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              doc_value_only_numeric:
                                                type: boolean
                                              doc_value_only_other:
                                                type: boolean
                                              synthetic_source:
                                                type: boolean
                                              tsdb:
                                                type: boolean
                                        required:
                                          - data_stream
                                          - features
                                      maxItems: 100
                                      type: array
                                    fips_compatible:
                                      type: boolean
                                    name:
                                      description: Package name
                                      type: string
                                    requires_root:
                                      type: boolean
                                    title:
                                      type: string
                                    version:
                                      description: Package version
                                      type: string
                                  required:
                                    - name
                                    - version
                                package_agent_version_condition:
                                  type: string
                                policy_id:
                                  deprecated: true
                                  description: ID of the agent policy which the package policy will be added to.
                                  nullable: true
                                  type: string
                                policy_ids:
                                  items:
                                    description: IDs of the agent policies that the package policy will be added to.
                                    type: string
                                  maxItems: 1000
                                  type: array
                                revision:
                                  description: Package policy revision.
                                  type: number
                                secret_references:
                                  items:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      id:
                                        type: string
                                    required:
                                      - id
                                  maxItems: 1000
                                  type: array
                                spaceIds:
                                  items:
                                    type: string
                                  maxItems: 100
                                  type: array
                                supports_agentless:
                                  default: false
                                  description: Indicates whether the package policy belongs to an agentless agent policy.
                                  nullable: true
                                  type: boolean
                                supports_cloud_connector:
                                  default: false
                                  description: Indicates whether the package policy supports cloud connectors.
                                  nullable: true
                                  type: boolean
                                updated_at:
                                  type: string
                                updated_by:
                                  type: string
                                var_group_selections:
                                  additionalProperties:
                                    type: string
                                  description: Variable group selections. Maps var_group name to the selected option name within that group.
                                  type: object
                                vars:
                                  anyOf:
                                    - additionalProperties:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          frozen:
                                            type: boolean
                                          type:
                                            type: string
                                          value:
                                            nullable: true
                                        required:
                                          - value
                                      description: Package variable (see integration documentation for more information)
                                      type: object
                                    - additionalProperties:
                                        anyOf:
                                          - type: string
                                          - type: number
                                          - type: boolean
                                          - items:
                                              type: string
                                            maxItems: 100
                                            type: array
                                          - items:
                                              type: number
                                            maxItems: 100
                                            type: array
                                          - additionalProperties: false
                                            type: object
                                            properties:
                                              id:
                                                type: string
                                              isSecretRef:
                                                type: boolean
                                            required:
                                              - id
                                              - isSecretRef
                                        nullable: true
                                      description: Input/stream level variable. Refer to the integration documentation for more information.
                                      type: object
                                      x-oas-optional: true
                                  description: Package level variable.
                                version:
                                  description: Package policy ES version.
                                  type: string
                              required:
                                - name
                                - enabled
                                - inputs
                                - id
                                - revision
                                - updated_at
                                - updated_by
                                - created_at
                                - created_by
                            maxItems: 10000
                            type: array
                      required_versions:
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            percentage:
                              description: Target percentage of agents to auto upgrade
                              maximum: 100
                              minimum: 0
                              type: number
                            version:
                              description: Target version for automatic agent upgrade
                              type: string
                          required:
                            - version
                            - percentage
                        maxItems: 100
                        nullable: true
                        type: array
                      revision:
                        type: number
                      schema_version:
                        type: string
                      space_ids:
                        items:
                          type: string
                        maxItems: 100
                        type: array
                      status:
                        enum:
                          - active
                          - inactive
                        type: string
                      supports_agentless:
                        default: false
                        description: Indicates whether the agent policy supports agentless integrations.
                        nullable: true
                        type: boolean
                      unenroll_timeout:
                        minimum: 0
                        type: number
                      unprivileged_agents:
                        type: number
                      updated_at:
                        type: string
                      updated_by:
                        type: string
                      version:
                        type: string
                    required:
                      - id
                      - name
                      - namespace
                      - is_protected
                      - status
                      - updated_at
                      - updated_by
                      - revision
                required:
                  - item
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Create an agent policy
      tags:
        - Elastic Agent policies
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/agent_policies/_bulk_get:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/agent_policies/_bulk_get</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get multiple agent policies by ID.<br/><br/>[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup.
      operationId: post-fleet-agent-policies-bulk-get
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: 'Format for the response: simplified or legacy'
          in: query
          name: format
          required: false
          schema:
            enum:
              - simplified
              - legacy
            type: string
      requestBody:
        content:
          application/json:
            examples:
              postBulkGetAgentPoliciesRequestExample:
                description: Retrieve multiple agent policies by ID
                value:
                  ids:
                    - agent-policy-id-1
                    - agent-policy-id-2
            schema:
              additionalProperties: false
              type: object
              properties:
                full:
                  description: Get full policies with package policies populated
                  type: boolean
                ids:
                  description: List of agent policy IDs
                  items:
                    type: string
                  maxItems: 1000
                  type: array
                ignoreMissing:
                  type: boolean
              required:
                - ids
      responses:
        '200':
          content:
            application/json:
              examples:
                postBulkGetAgentPoliciesExample:
                  description: The requested agent policies
                  value:
                    items:
                      - id: agent-policy-id-1
                        is_managed: false
                        is_protected: false
                        name: My agent policy
                        namespace: default
                        revision: 1
                        status: active
                        updated_at: '2024-01-15T10:00:00.000Z'
                        updated_by: user1
              schema:
                additionalProperties: false
                type: object
                properties:
                  items:
                    items:
                      additionalProperties: false
                      type: object
                      properties:
                        advanced_settings:
                          additionalProperties: false
                          type: object
                          properties:
                            agent_download_target_directory:
                              nullable: true
                            agent_download_timeout:
                              nullable: true
                            agent_features_disable_policy_change_acks_enabled:
                              nullable: true
                            agent_internal:
                              nullable: true
                            agent_limits_go_max_procs:
                              nullable: true
                            agent_logging_files_interval:
                              nullable: true
                            agent_logging_files_keepfiles:
                              nullable: true
                            agent_logging_files_rotateeverybytes:
                              nullable: true
                            agent_logging_level:
                              nullable: true
                            agent_logging_metrics_period:
                              nullable: true
                            agent_logging_to_files:
                              nullable: true
                            agent_monitoring_runtime_experimental:
                              nullable: true
                        agent_features:
                          items:
                            additionalProperties: false
                            type: object
                            properties:
                              enabled:
                                type: boolean
                              name:
                                type: string
                            required:
                              - name
                              - enabled
                          maxItems: 100
                          type: array
                        agentless:
                          additionalProperties: false
                          type: object
                          properties:
                            cloud_connectors:
                              additionalProperties: false
                              type: object
                              properties:
                                enabled:
                                  type: boolean
                                target_csp:
                                  enum:
                                    - aws
                                    - azure
                                    - gcp
                                  type: string
                              required:
                                - enabled
                            resources:
                              additionalProperties: false
                              type: object
                              properties:
                                requests:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    cpu:
                                      type: string
                                    memory:
                                      type: string
                        agents:
                          type: number
                        agents_per_version:
                          items:
                            additionalProperties: false
                            type: object
                            properties:
                              count:
                                type: number
                              version:
                                type: string
                            required:
                              - version
                              - count
                          maxItems: 1000
                          type: array
                        created_at:
                          type: string
                        data_output_id:
                          nullable: true
                          type: string
                        description:
                          type: string
                        download_source_id:
                          nullable: true
                          type: string
                        fips_agents:
                          type: number
                        fleet_server_host_id:
                          nullable: true
                          type: string
                        global_data_tags:
                          description: User defined data tags that are added to all of the inputs. The values can be strings or numbers.
                          items:
                            additionalProperties: false
                            type: object
                            properties:
                              name:
                                type: string
                              value:
                                anyOf:
                                  - type: string
                                  - type: number
                            required:
                              - name
                              - value
                          maxItems: 100
                          type: array
                        has_agent_version_conditions:
                          type: boolean
                        has_fleet_server:
                          type: boolean
                        id:
                          type: string
                        inactivity_timeout:
                          default: 1209600
                          minimum: 0
                          type: number
                        is_default:
                          type: boolean
                        is_default_fleet_server:
                          type: boolean
                        is_managed:
                          type: boolean
                        is_preconfigured:
                          type: boolean
                        is_protected:
                          description: Indicates whether the agent policy has tamper protection enabled. Default false.
                          type: boolean
                        is_verifier:
                          description: Indicates this is a short-lived verifier policy used for OTel permission verification.
                          type: boolean
                        keep_monitoring_alive:
                          default: false
                          description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled
                          nullable: true
                          type: boolean
                        min_agent_version:
                          nullable: true
                          type: string
                        monitoring_diagnostics:
                          additionalProperties: false
                          type: object
                          properties:
                            limit:
                              additionalProperties: false
                              type: object
                              properties:
                                burst:
                                  type: number
                                interval:
                                  type: string
                            uploader:
                              additionalProperties: false
                              type: object
                              properties:
                                init_dur:
                                  type: string
                                max_dur:
                                  type: string
                                max_retries:
                                  type: number
                        monitoring_enabled:
                          items:
                            enum:
                              - logs
                              - metrics
                              - traces
                            type: string
                          maxItems: 3
                          type: array
                        monitoring_http:
                          additionalProperties: false
                          type: object
                          properties:
                            buffer:
                              additionalProperties: false
                              type: object
                              properties:
                                enabled:
                                  default: false
                                  type: boolean
                            enabled:
                              type: boolean
                            host:
                              type: string
                            port:
                              maximum: 65353
                              minimum: 0
                              type: number
                        monitoring_output_id:
                          nullable: true
                          type: string
                        monitoring_pprof_enabled:
                          type: boolean
                        name:
                          minLength: 1
                          type: string
                        namespace:
                          minLength: 1
                          type: string
                        overrides:
                          additionalProperties:
                            nullable: true
                          description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure.
                          nullable: true
                          type: object
                        package_agent_version_conditions:
                          items:
                            additionalProperties: false
                            type: object
                            properties:
                              name:
                                type: string
                              title:
                                type: string
                              version_condition:
                                type: string
                            required:
                              - name
                              - title
                              - version_condition
                          maxItems: 1000
                          nullable: true
                          type: array
                        package_policies:
                          anyOf:
                            - items:
                                type: string
                              maxItems: 10000
                              type: array
                            - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter
                              items:
                                additionalProperties: false
                                type: object
                                properties:
                                  additional_datastreams_permissions:
                                    description: Additional datastream permissions that will be added to the agent policy.
                                    items:
                                      type: string
                                    maxItems: 1000
                                    nullable: true
                                    type: array
                                  agents:
                                    type: number
                                  cloud_connector_id:
                                    description: ID of the cloud connector associated with this package policy.
                                    nullable: true
                                    type: string
                                  cloud_connector_name:
                                    description: Transient field for cloud connector name during creation.
                                    maxLength: 255
                                    minLength: 1
                                    nullable: true
                                    type: string
                                  created_at:
                                    type: string
                                  created_by:
                                    type: string
                                  description:
                                    description: Package policy description
                                    type: string
                                  elasticsearch:
                                    additionalProperties: true
                                    type: object
                                    properties:
                                      privileges:
                                        additionalProperties: true
                                        type: object
                                        properties:
                                          cluster:
                                            items:
                                              type: string
                                            maxItems: 100
                                            type: array
                                  enabled:
                                    type: boolean
                                  global_data_tags:
                                    items:
                                      additionalProperties: false
                                      type: object
                                      properties:
                                        name:
                                          description: The name of the custom field. Cannot contain spaces.
                                          type: string
                                        value:
                                          anyOf:
                                            - type: string
                                            - type: number
                                          description: The value of the custom field.
                                      required:
                                        - name
                                        - value
                                    maxItems: 100
                                    nullable: true
                                    type: array
                                  id:
                                    description: Package policy unique identifier.
                                    type: string
                                  inputs:
                                    anyOf:
                                      - items:
                                          additionalProperties: false
                                          type: object
                                          properties:
                                            compiled_input:
                                              nullable: true
                                            config:
                                              additionalProperties:
                                                additionalProperties: false
                                                type: object
                                                properties:
                                                  frozen:
                                                    type: boolean
                                                  type:
                                                    type: string
                                                  value:
                                                    nullable: true
                                                required:
                                                  - value
                                              description: Package variable (see integration documentation for more information)
                                              type: object
                                            deprecated:
                                              additionalProperties: false
                                              type: object
                                              properties:
                                                description:
                                                  type: string
                                                replaced_by:
                                                  additionalProperties:
                                                    type: string
                                                  type: object
                                                since:
                                                  type: string
                                              required:
                                                - description
                                            enabled:
                                              type: boolean
                                            id:
                                              type: string
                                            keep_enabled:
                                              type: boolean
                                            migrate_from:
                                              type: string
                                            name:
                                              type: string
                                            policy_template:
                                              type: string
                                            streams:
                                              items:
                                                additionalProperties: false
                                                type: object
                                                properties:
                                                  compiled_stream:
                                                    nullable: true
                                                  config:
                                                    additionalProperties:
                                                      additionalProperties: false
                                                      type: object
                                                      properties:
                                                        frozen:
                                                          type: boolean
                                                        type:
                                                          type: string
                                                        value:
                                                          nullable: true
                                                      required:
                                                        - value
                                                    description: Package variable (see integration documentation for more information)
                                                    type: object
                                                  data_stream:
                                                    additionalProperties: false
                                                    type: object
                                                    properties:
                                                      dataset:
                                                        type: string
                                                      elasticsearch:
                                                        additionalProperties: false
                                                        type: object
                                                        properties:
                                                          dynamic_dataset:
                                                            type: boolean
                                                          dynamic_namespace:
                                                            type: boolean
                                                          privileges:
                                                            additionalProperties: false
                                                            type: object
                                                            properties:
                                                              indices:
                                                                items:
                                                                  type: string
                                                                maxItems: 100
                                                                type: array
                                                      type:
                                                        type: string
                                                    required:
                                                      - dataset
                                                  deprecated:
                                                    additionalProperties: false
                                                    type: object
                                                    properties:
                                                      description:
                                                        type: string
                                                      replaced_by:
                                                        additionalProperties:
                                                          type: string
                                                        type: object
                                                      since:
                                                        type: string
                                                    required:
                                                      - description
                                                  enabled:
                                                    type: boolean
                                                  id:
                                                    type: string
                                                  keep_enabled:
                                                    type: boolean
                                                  migrate_from:
                                                    type: string
                                                  release:
                                                    enum:
                                                      - ga
                                                      - beta
                                                      - experimental
                                                    type: string
                                                  var_group_selections:
                                                    additionalProperties:
                                                      type: string
                                                    description: Variable group selections. Maps var_group name to the selected option name within that group.
                                                    type: object
                                                  vars:
                                                    additionalProperties:
                                                      additionalProperties: false
                                                      type: object
                                                      properties:
                                                        frozen:
                                                          type: boolean
                                                        type:
                                                          type: string
                                                        value:
                                                          nullable: true
                                                      required:
                                                        - value
                                                    description: Package variable (see integration documentation for more information)
                                                    type: object
                                                required:
                                                  - enabled
                                                  - data_stream
                                                  - compiled_stream
                                              maxItems: 1000
                                              type: array
                                            type:
                                              type: string
                                            var_group_selections:
                                              additionalProperties:
                                                type: string
                                              description: Variable group selections. Maps var_group name to the selected option name within that group.
                                              type: object
                                            vars:
                                              additionalProperties:
                                                additionalProperties: false
                                                type: object
                                                properties:
                                                  frozen:
                                                    type: boolean
                                                  type:
                                                    type: string
                                                  value:
                                                    nullable: true
                                                required:
                                                  - value
                                              description: Package variable (see integration documentation for more information)
                                              type: object
                                          required:
                                            - type
                                            - enabled
                                            - streams
                                            - compiled_input
                                        maxItems: 100
                                        type: array
                                      - additionalProperties:
                                          additionalProperties: false
                                          type: object
                                          properties:
                                            deprecated:
                                              additionalProperties: false
                                              type: object
                                              properties:
                                                description:
                                                  type: string
                                                replaced_by:
                                                  additionalProperties:
                                                    type: string
                                                  type: object
                                                since:
                                                  type: string
                                              required:
                                                - description
                                            enabled:
                                              description: Enable or disable that input. Defaults to `true` (enabled).
                                              type: boolean
                                            streams:
                                              additionalProperties:
                                                additionalProperties: false
                                                type: object
                                                properties:
                                                  deprecated:
                                                    additionalProperties: false
                                                    type: object
                                                    properties:
                                                      description:
                                                        type: string
                                                      replaced_by:
                                                        additionalProperties:
                                                          type: string
                                                        type: object
                                                      since:
                                                        type: string
                                                    required:
                                                      - description
                                                  enabled:
                                                    description: Enable or disable that stream. Defaults to `true` (enabled).
                                                    type: boolean
                                                  var_group_selections:
                                                    additionalProperties:
                                                      type: string
                                                    description: Variable group selections. Maps var_group name to the selected option name within that group.
                                                    type: object
                                                  vars:
                                                    additionalProperties:
                                                      anyOf:
                                                        - type: string
                                                        - type: number
                                                        - type: boolean
                                                        - items:
                                                            type: string
                                                          maxItems: 100
                                                          type: array
                                                        - items:
                                                            type: number
                                                          maxItems: 100
                                                          type: array
                                                        - additionalProperties: false
                                                          type: object
                                                          properties:
                                                            id:
                                                              type: string
                                                            isSecretRef:
                                                              type: boolean
                                                          required:
                                                            - id
                                                            - isSecretRef
                                                      nullable: true
                                                    description: Input/stream level variable. Refer to the integration documentation for more information.
                                                    type: object
                                              description: Input streams. Refer to the integration documentation to find out which streams are available.
                                              type: object
                                            vars:
                                              additionalProperties:
                                                anyOf:
                                                  - type: string
                                                  - type: number
                                                  - type: boolean
                                                  - items:
                                                      type: string
                                                    maxItems: 100
                                                    type: array
                                                  - items:
                                                      type: number
                                                    maxItems: 100
                                                    type: array
                                                  - additionalProperties: false
                                                    type: object
                                                    properties:
                                                      id:
                                                        type: string
                                                      isSecretRef:
                                                        type: boolean
                                                    required:
                                                      - id
                                                      - isSecretRef
                                                nullable: true
                                              description: Input/stream level variable. Refer to the integration documentation for more information.
                                              type: object
                                        description: Package policy inputs. Refer to the integration documentation to find out which inputs are available.
                                        type: object
                                        x-oas-optional: true
                                    description: Package policy inputs.
                                  is_managed:
                                    type: boolean
                                  name:
                                    description: Unique name for the package policy.
                                    type: string
                                  namespace:
                                    description: The package policy namespace. Leave blank to inherit the agent policy's namespace.
                                    type: string
                                  output_id:
                                    nullable: true
                                    type: string
                                  overrides:
                                    additionalProperties: false
                                    description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
                                    nullable: true
                                    type: object
                                    properties:
                                      inputs:
                                        additionalProperties:
                                          nullable: true
                                        type: object
                                  package:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      experimental_data_stream_features:
                                        items:
                                          additionalProperties: false
                                          type: object
                                          properties:
                                            data_stream:
                                              type: string
                                            features:
                                              additionalProperties: false
                                              type: object
                                              properties:
                                                doc_value_only_numeric:
                                                  type: boolean
                                                doc_value_only_other:
                                                  type: boolean
                                                synthetic_source:
                                                  type: boolean
                                                tsdb:
                                                  type: boolean
                                          required:
                                            - data_stream
                                            - features
                                        maxItems: 100
                                        type: array
                                      fips_compatible:
                                        type: boolean
                                      name:
                                        description: Package name
                                        type: string
                                      requires_root:
                                        type: boolean
                                      title:
                                        type: string
                                      version:
                                        description: Package version
                                        type: string
                                    required:
                                      - name
                                      - version
                                  package_agent_version_condition:
                                    type: string
                                  policy_id:
                                    deprecated: true
                                    description: ID of the agent policy which the package policy will be added to.
                                    nullable: true
                                    type: string
                                  policy_ids:
                                    items:
                                      description: IDs of the agent policies that the package policy will be added to.
                                      type: string
                                    maxItems: 1000
                                    type: array
                                  revision:
                                    description: Package policy revision.
                                    type: number
                                  secret_references:
                                    items:
                                      additionalProperties: false
                                      type: object
                                      properties:
                                        id:
                                          type: string
                                      required:
                                        - id
                                    maxItems: 1000
                                    type: array
                                  spaceIds:
                                    items:
                                      type: string
                                    maxItems: 100
                                    type: array
                                  supports_agentless:
                                    default: false
                                    description: Indicates whether the package policy belongs to an agentless agent policy.
                                    nullable: true
                                    type: boolean
                                  supports_cloud_connector:
                                    default: false
                                    description: Indicates whether the package policy supports cloud connectors.
                                    nullable: true
                                    type: boolean
                                  updated_at:
                                    type: string
                                  updated_by:
                                    type: string
                                  var_group_selections:
                                    additionalProperties:
                                      type: string
                                    description: Variable group selections. Maps var_group name to the selected option name within that group.
                                    type: object
                                  vars:
                                    anyOf:
                                      - additionalProperties:
                                          additionalProperties: false
                                          type: object
                                          properties:
                                            frozen:
                                              type: boolean
                                            type:
                                              type: string
                                            value:
                                              nullable: true
                                          required:
                                            - value
                                        description: Package variable (see integration documentation for more information)
                                        type: object
                                      - additionalProperties:
                                          anyOf:
                                            - type: string
                                            - type: number
                                            - type: boolean
                                            - items:
                                                type: string
                                              maxItems: 100
                                              type: array
                                            - items:
                                                type: number
                                              maxItems: 100
                                              type: array
                                            - additionalProperties: false
                                              type: object
                                              properties:
                                                id:
                                                  type: string
                                                isSecretRef:
                                                  type: boolean
                                              required:
                                                - id
                                                - isSecretRef
                                          nullable: true
                                        description: Input/stream level variable. Refer to the integration documentation for more information.
                                        type: object
                                        x-oas-optional: true
                                    description: Package level variable.
                                  version:
                                    description: Package policy ES version.
                                    type: string
                                required:
                                  - name
                                  - enabled
                                  - inputs
                                  - id
                                  - revision
                                  - updated_at
                                  - updated_by
                                  - created_at
                                  - created_by
                              maxItems: 10000
                              type: array
                        required_versions:
                          items:
                            additionalProperties: false
                            type: object
                            properties:
                              percentage:
                                description: Target percentage of agents to auto upgrade
                                maximum: 100
                                minimum: 0
                                type: number
                              version:
                                description: Target version for automatic agent upgrade
                                type: string
                            required:
                              - version
                              - percentage
                          maxItems: 100
                          nullable: true
                          type: array
                        revision:
                          type: number
                        schema_version:
                          type: string
                        space_ids:
                          items:
                            type: string
                          maxItems: 100
                          type: array
                        status:
                          enum:
                            - active
                            - inactive
                          type: string
                        supports_agentless:
                          default: false
                          description: Indicates whether the agent policy supports agentless integrations.
                          nullable: true
                          type: boolean
                        unenroll_timeout:
                          minimum: 0
                          type: number
                        unprivileged_agents:
                          type: number
                        updated_at:
                          type: string
                        updated_by:
                          type: string
                        version:
                          type: string
                      required:
                        - id
                        - name
                        - namespace
                        - is_protected
                        - status
                        - updated_at
                        - updated_by
                        - revision
                    maxItems: 10000
                    type: array
                required:
                  - items
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
        '404':
          content:
            application/json:
              examples:
                notFoundExample:
                  description: One or more agent policies were not found
                  value:
                    error: Not Found
                    message: An error message describing what went wrong
                    statusCode: 404
          description: Not Found
      summary: Bulk get agent policies
      tags:
        - Elastic Agent policies
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/agent_policies/{agentPolicyId}:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/agent_policies/{agentPolicyId}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get an agent policy by ID.<br/><br/>[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup.
      operationId: get-fleet-agent-policies-agentpolicyid
      parameters:
        - description: The ID of the agent policy
          in: path
          name: agentPolicyId
          required: true
          schema:
            type: string
        - description: 'Format for the response: simplified or legacy'
          in: query
          name: format
          required: false
          schema:
            enum:
              - simplified
              - legacy
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                getAgentPolicyExample:
                  description: An agent policy
                  value:
                    item:
                      description: A sample agent policy
                      id: agent-policy-id-1
                      is_managed: false
                      is_protected: false
                      name: My agent policy
                      namespace: default
                      revision: 1
                      status: active
                      updated_at: '2024-01-15T10:00:00.000Z'
                      updated_by: user1
              schema:
                additionalProperties: false
                type: object
                properties:
                  item:
                    additionalProperties: false
                    type: object
                    properties:
                      advanced_settings:
                        additionalProperties: false
                        type: object
                        properties:
                          agent_download_target_directory:
                            nullable: true
                          agent_download_timeout:
                            nullable: true
                          agent_features_disable_policy_change_acks_enabled:
                            nullable: true
                          agent_internal:
                            nullable: true
                          agent_limits_go_max_procs:
                            nullable: true
                          agent_logging_files_interval:
                            nullable: true
                          agent_logging_files_keepfiles:
                            nullable: true
                          agent_logging_files_rotateeverybytes:
                            nullable: true
                          agent_logging_level:
                            nullable: true
                          agent_logging_metrics_period:
                            nullable: true
                          agent_logging_to_files:
                            nullable: true
                          agent_monitoring_runtime_experimental:
                            nullable: true
                      agent_features:
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            enabled:
                              type: boolean
                            name:
                              type: string
                          required:
                            - name
                            - enabled
                        maxItems: 100
                        type: array
                      agentless:
                        additionalProperties: false
                        type: object
                        properties:
                          cloud_connectors:
                            additionalProperties: false
                            type: object
                            properties:
                              enabled:
                                type: boolean
                              target_csp:
                                enum:
                                  - aws
                                  - azure
                                  - gcp
                                type: string
                            required:
                              - enabled
                          resources:
                            additionalProperties: false
                            type: object
                            properties:
                              requests:
                                additionalProperties: false
                                type: object
                                properties:
                                  cpu:
                                    type: string
                                  memory:
                                    type: string
                      agents:
                        type: number
                      agents_per_version:
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            count:
                              type: number
                            version:
                              type: string
                          required:
                            - version
                            - count
                        maxItems: 1000
                        type: array
                      created_at:
                        type: string
                      data_output_id:
                        nullable: true
                        type: string
                      description:
                        type: string
                      download_source_id:
                        nullable: true
                        type: string
                      fips_agents:
                        type: number
                      fleet_server_host_id:
                        nullable: true
                        type: string
                      global_data_tags:
                        description: User defined data tags that are added to all of the inputs. The values can be strings or numbers.
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            name:
                              type: string
                            value:
                              anyOf:
                                - type: string
                                - type: number
                          required:
                            - name
                            - value
                        maxItems: 100
                        type: array
                      has_agent_version_conditions:
                        type: boolean
                      has_fleet_server:
                        type: boolean
                      id:
                        type: string
                      inactivity_timeout:
                        default: 1209600
                        minimum: 0
                        type: number
                      is_default:
                        type: boolean
                      is_default_fleet_server:
                        type: boolean
                      is_managed:
                        type: boolean
                      is_preconfigured:
                        type: boolean
                      is_protected:
                        description: Indicates whether the agent policy has tamper protection enabled. Default false.
                        type: boolean
                      is_verifier:
                        description: Indicates this is a short-lived verifier policy used for OTel permission verification.
                        type: boolean
                      keep_monitoring_alive:
                        default: false
                        description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled
                        nullable: true
                        type: boolean
                      min_agent_version:
                        nullable: true
                        type: string
                      monitoring_diagnostics:
                        additionalProperties: false
                        type: object
                        properties:
                          limit:
                            additionalProperties: false
                            type: object
                            properties:
                              burst:
                                type: number
                              interval:
                                type: string
                          uploader:
                            additionalProperties: false
                            type: object
                            properties:
                              init_dur:
                                type: string
                              max_dur:
                                type: string
                              max_retries:
                                type: number
                      monitoring_enabled:
                        items:
                          enum:
                            - logs
                            - metrics
                            - traces
                          type: string
                        maxItems: 3
                        type: array
                      monitoring_http:
                        additionalProperties: false
                        type: object
                        properties:
                          buffer:
                            additionalProperties: false
                            type: object
                            properties:
                              enabled:
                                default: false
                                type: boolean
                          enabled:
                            type: boolean
                          host:
                            type: string
                          port:
                            maximum: 65353
                            minimum: 0
                            type: number
                      monitoring_output_id:
                        nullable: true
                        type: string
                      monitoring_pprof_enabled:
                        type: boolean
                      name:
                        minLength: 1
                        type: string
                      namespace:
                        minLength: 1
                        type: string
                      overrides:
                        additionalProperties:
                          nullable: true
                        description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure.
                        nullable: true
                        type: object
                      package_agent_version_conditions:
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            name:
                              type: string
                            title:
                              type: string
                            version_condition:
                              type: string
                          required:
                            - name
                            - title
                            - version_condition
                        maxItems: 1000
                        nullable: true
                        type: array
                      package_policies:
                        anyOf:
                          - items:
                              type: string
                            maxItems: 10000
                            type: array
                          - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter
                            items:
                              additionalProperties: false
                              type: object
                              properties:
                                additional_datastreams_permissions:
                                  description: Additional datastream permissions that will be added to the agent policy.
                                  items:
                                    type: string
                                  maxItems: 1000
                                  nullable: true
                                  type: array
                                agents:
                                  type: number
                                cloud_connector_id:
                                  description: ID of the cloud connector associated with this package policy.
                                  nullable: true
                                  type: string
                                cloud_connector_name:
                                  description: Transient field for cloud connector name during creation.
                                  maxLength: 255
                                  minLength: 1
                                  nullable: true
                                  type: string
                                created_at:
                                  type: string
                                created_by:
                                  type: string
                                description:
                                  description: Package policy description
                                  type: string
                                elasticsearch:
                                  additionalProperties: true
                                  type: object
                                  properties:
                                    privileges:
                                      additionalProperties: true
                                      type: object
                                      properties:
                                        cluster:
                                          items:
                                            type: string
                                          maxItems: 100
                                          type: array
                                enabled:
                                  type: boolean
                                global_data_tags:
                                  items:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      name:
                                        description: The name of the custom field. Cannot contain spaces.
                                        type: string
                                      value:
                                        anyOf:
                                          - type: string
                                          - type: number
                                        description: The value of the custom field.
                                    required:
                                      - name
                                      - value
                                  maxItems: 100
                                  nullable: true
                                  type: array
                                id:
                                  description: Package policy unique identifier.
                                  type: string
                                inputs:
                                  anyOf:
                                    - items:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          compiled_input:
                                            nullable: true
                                          config:
                                            additionalProperties:
                                              additionalProperties: false
                                              type: object
                                              properties:
                                                frozen:
                                                  type: boolean
                                                type:
                                                  type: string
                                                value:
                                                  nullable: true
                                              required:
                                                - value
                                            description: Package variable (see integration documentation for more information)
                                            type: object
                                          deprecated:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              description:
                                                type: string
                                              replaced_by:
                                                additionalProperties:
                                                  type: string
                                                type: object
                                              since:
                                                type: string
                                            required:
                                              - description
                                          enabled:
                                            type: boolean
                                          id:
                                            type: string
                                          keep_enabled:
                                            type: boolean
                                          migrate_from:
                                            type: string
                                          name:
                                            type: string
                                          policy_template:
                                            type: string
                                          streams:
                                            items:
                                              additionalProperties: false
                                              type: object
                                              properties:
                                                compiled_stream:
                                                  nullable: true
                                                config:
                                                  additionalProperties:
                                                    additionalProperties: false
                                                    type: object
                                                    properties:
                                                      frozen:
                                                        type: boolean
                                                      type:
                                                        type: string
                                                      value:
                                                        nullable: true
                                                    required:
                                                      - value
                                                  description: Package variable (see integration documentation for more information)
                                                  type: object
                                                data_stream:
                                                  additionalProperties: false
                                                  type: object
                                                  properties:
                                                    dataset:
                                                      type: string
                                                    elasticsearch:
                                                      additionalProperties: false
                                                      type: object
                                                      properties:
                                                        dynamic_dataset:
                                                          type: boolean
                                                        dynamic_namespace:
                                                          type: boolean
                                                        privileges:
                                                          additionalProperties: false
                                                          type: object
                                                          properties:
                                                            indices:
                                                              items:
                                                                type: string
                                                              maxItems: 100
                                                              type: array
                                                    type:
                                                      type: string
                                                  required:
                                                    - dataset
                                                deprecated:
                                                  additionalProperties: false
                                                  type: object
                                                  properties:
                                                    description:
                                                      type: string
                                                    replaced_by:
                                                      additionalProperties:
                                                        type: string
                                                      type: object
                                                    since:
                                                      type: string
                                                  required:
                                                    - description
                                                enabled:
                                                  type: boolean
                                                id:
                                                  type: string
                                                keep_enabled:
                                                  type: boolean
                                                migrate_from:
                                                  type: string
                                                release:
                                                  enum:
                                                    - ga
                                                    - beta
                                                    - experimental
                                                  type: string
                                                var_group_selections:
                                                  additionalProperties:
                                                    type: string
                                                  description: Variable group selections. Maps var_group name to the selected option name within that group.
                                                  type: object
                                                vars:
                                                  additionalProperties:
                                                    additionalProperties: false
                                                    type: object
                                                    properties:
                                                      frozen:
                                                        type: boolean
                                                      type:
                                                        type: string
                                                      value:
                                                        nullable: true
                                                    required:
                                                      - value
                                                  description: Package variable (see integration documentation for more information)
                                                  type: object
                                              required:
                                                - enabled
                                                - data_stream
                                                - compiled_stream
                                            maxItems: 1000
                                            type: array
                                          type:
                                            type: string
                                          var_group_selections:
                                            additionalProperties:
                                              type: string
                                            description: Variable group selections. Maps var_group name to the selected option name within that group.
                                            type: object
                                          vars:
                                            additionalProperties:
                                              additionalProperties: false
                                              type: object
                                              properties:
                                                frozen:
                                                  type: boolean
                                                type:
                                                  type: string
                                                value:
                                                  nullable: true
                                              required:
                                                - value
                                            description: Package variable (see integration documentation for more information)
                                            type: object
                                        required:
                                          - type
                                          - enabled
                                          - streams
                                          - compiled_input
                                      maxItems: 100
                                      type: array
                                    - additionalProperties:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          deprecated:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              description:
                                                type: string
                                              replaced_by:
                                                additionalProperties:
                                                  type: string
                                                type: object
                                              since:
                                                type: string
                                            required:
                                              - description
                                          enabled:
                                            description: Enable or disable this input. Defaults to `true` (enabled).
                                            type: boolean
                                          streams:
                                            additionalProperties:
                                              additionalProperties: false
                                              type: object
                                              properties:
                                                deprecated:
                                                  additionalProperties: false
                                                  type: object
                                                  properties:
                                                    description:
                                                      type: string
                                                    replaced_by:
                                                      additionalProperties:
                                                        type: string
                                                      type: object
                                                    since:
                                                      type: string
                                                  required:
                                                    - description
                                                enabled:
                                                  description: Enable or disable this stream. Defaults to `true` (enabled).
                                                  type: boolean
                                                var_group_selections:
                                                  additionalProperties:
                                                    type: string
                                                  description: Variable group selections. Maps var_group name to the selected option name within that group.
                                                  type: object
                                                vars:
                                                  additionalProperties:
                                                    anyOf:
                                                      - type: string
                                                      - type: number
                                                      - type: boolean
                                                      - items:
                                                          type: string
                                                        maxItems: 100
                                                        type: array
                                                      - items:
                                                          type: number
                                                        maxItems: 100
                                                        type: array
                                                      - additionalProperties: false
                                                        type: object
                                                        properties:
                                                          id:
                                                            type: string
                                                          isSecretRef:
                                                            type: boolean
                                                        required:
                                                          - id
                                                          - isSecretRef
                                                    nullable: true
                                                  description: Input/stream level variable. Refer to the integration documentation for more information.
                                                  type: object
                                            description: Input streams. Refer to the integration documentation to know which streams are available.
                                            type: object
                                          vars:
                                            additionalProperties:
                                              anyOf:
                                                - type: string
                                                - type: number
                                                - type: boolean
                                                - items:
                                                    type: string
                                                  maxItems: 100
                                                  type: array
                                                - items:
                                                    type: number
                                                  maxItems: 100
                                                  type: array
                                                - additionalProperties: false
                                                  type: object
                                                  properties:
                                                    id:
                                                      type: string
                                                    isSecretRef:
                                                      type: boolean
                                                  required:
                                                    - id
                                                    - isSecretRef
                                              nullable: true
                                            description: Input/stream level variable. Refer to the integration documentation for more information.
                                            type: object
                                      description: Package policy inputs. Refer to the integration documentation to know which inputs are available.
                                      type: object
                                      x-oas-optional: true
                                  description: Package policy inputs.
                                is_managed:
                                  type: boolean
                                name:
                                  description: Unique name for the package policy.
                                  type: string
                                namespace:
                                  description: The package policy namespace. Leave blank to inherit the agent policy's namespace.
                                  type: string
                                output_id:
                                  nullable: true
                                  type: string
                                overrides:
                                  additionalProperties: false
                                  description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
                                  nullable: true
                                  type: object
                                  properties:
                                    inputs:
                                      additionalProperties:
                                        nullable: true
                                      type: object
                                package:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    experimental_data_stream_features:
                                      items:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          data_stream:
                                            type: string
                                          features:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              doc_value_only_numeric:
                                                type: boolean
                                              doc_value_only_other:
                                                type: boolean
                                              synthetic_source:
                                                type: boolean
                                              tsdb:
                                                type: boolean
                                        required:
                                          - data_stream
                                          - features
                                      maxItems: 100
                                      type: array
                                    fips_compatible:
                                      type: boolean
                                    name:
                                      description: Package name
                                      type: string
                                    requires_root:
                                      type: boolean
                                    title:
                                      type: string
                                    version:
                                      description: Package version
                                      type: string
                                  required:
                                    - name
                                    - version
                                package_agent_version_condition:
                                  type: string
                                policy_id:
                                  deprecated: true
                                  description: ID of the agent policy which the package policy will be added to.
                                  nullable: true
                                  type: string
                                policy_ids:
                                  items:
                                    description: IDs of the agent policies that the package policy will be added to.
                                    type: string
                                  maxItems: 1000
                                  type: array
                                revision:
                                  description: Package policy revision.
                                  type: number
                                secret_references:
                                  items:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      id:
                                        type: string
                                    required:
                                      - id
                                  maxItems: 1000
                                  type: array
                                spaceIds:
                                  items:
                                    type: string
                                  maxItems: 100
                                  type: array
                                supports_agentless:
                                  default: false
                                  description: Indicates whether the package policy belongs to an agentless agent policy.
                                  nullable: true
                                  type: boolean
                                supports_cloud_connector:
                                  default: false
                                  description: Indicates whether the package policy supports cloud connectors.
                                  nullable: true
                                  type: boolean
                                updated_at:
                                  type: string
                                updated_by:
                                  type: string
                                var_group_selections:
                                  additionalProperties:
                                    type: string
                                  description: Variable group selections. Maps var_group name to the selected option name within that group.
                                  type: object
                                vars:
                                  anyOf:
                                    - additionalProperties:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          frozen:
                                            type: boolean
                                          type:
                                            type: string
                                          value:
                                            nullable: true
                                        required:
                                          - value
                                      description: Package variable (see integration documentation for more information)
                                      type: object
                                    - additionalProperties:
                                        anyOf:
                                          - type: string
                                          - type: number
                                          - type: boolean
                                          - items:
                                              type: string
                                            maxItems: 100
                                            type: array
                                          - items:
                                              type: number
                                            maxItems: 100
                                            type: array
                                          - additionalProperties: false
                                            type: object
                                            properties:
                                              id:
                                                type: string
                                              isSecretRef:
                                                type: boolean
                                            required:
                                              - id
                                              - isSecretRef
                                        nullable: true
                                      description: Input/stream level variable. Refer to the integration documentation for more information.
                                      type: object
                                      x-oas-optional: true
                                  description: Package level variable.
                                version:
                                  description: Package policy ES version.
                                  type: string
                              required:
                                - name
                                - enabled
                                - inputs
                                - id
                                - revision
                                - updated_at
                                - updated_by
                                - created_at
                                - created_by
                            maxItems: 10000
                            type: array
                      required_versions:
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            percentage:
                              description: Target percentage of agents to auto upgrade
                              maximum: 100
                              minimum: 0
                              type: number
                            version:
                              description: Target version for automatic agent upgrade
                              type: string
                          required:
                            - version
                            - percentage
                        maxItems: 100
                        nullable: true
                        type: array
                      revision:
                        type: number
                      schema_version:
                        type: string
                      space_ids:
                        items:
                          type: string
                        maxItems: 100
                        type: array
                      status:
                        enum:
                          - active
                          - inactive
                        type: string
                      supports_agentless:
                        default: false
                        description: Indicates whether the agent policy supports agentless integrations.
                        nullable: true
                        type: boolean
                      unenroll_timeout:
                        minimum: 0
                        type: number
                      unprivileged_agents:
                        type: number
                      updated_at:
                        type: string
                      updated_by:
                        type: string
                      version:
                        type: string
                    required:
                      - id
                      - name
                      - namespace
                      - is_protected
                      - status
                      - updated_at
                      - updated_by
                      - revision
                required:
                  - item
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
        '404':
          content:
            application/json:
              examples:
                notFoundExample:
                  description: No agent policy was found with the given ID
                  value:
                    error: Not Found
                    message: Agent policy not found
                    statusCode: 404
          description: Not Found
      summary: Get an agent policy
      tags:
        - Elastic Agent policies
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    put:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb put">put</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/agent_policies/{agentPolicyId}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Update an agent policy by ID.<br/><br/>[Required authorization] Route required privileges: fleet-agent-policies-all.
      operationId: put-fleet-agent-policies-agentpolicyid
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The ID of the agent policy
          in: path
          name: agentPolicyId
          required: true
          schema:
            type: string
        - description: 'Format for the response: simplified or legacy'
          in: query
          name: format
          required: false
          schema:
            enum:
              - simplified
              - legacy
            type: string
      requestBody:
        content:
          application/json:
            examples:
              putAgentPolicyRequestExample:
                description: Update an agent policy
                value:
                  description: An updated agent policy description
                  monitoring_enabled:
                    - logs
                  name: Updated agent policy
                  namespace: default
            schema:
              additionalProperties: false
              type: object
              properties:
                advanced_settings:
                  additionalProperties: false
                  type: object
                  properties:
                    agent_download_target_directory:
                      nullable: true
                    agent_download_timeout:
                      nullable: true
                    agent_features_disable_policy_change_acks_enabled:
                      nullable: true
                    agent_internal:
                      nullable: true
                    agent_limits_go_max_procs:
                      nullable: true
                    agent_logging_files_interval:
                      nullable: true
                    agent_logging_files_keepfiles:
                      nullable: true
                    agent_logging_files_rotateeverybytes:
                      nullable: true
                    agent_logging_level:
                      nullable: true
                    agent_logging_metrics_period:
                      nullable: true
                    agent_logging_to_files:
                      nullable: true
                    agent_monitoring_runtime_experimental:
                      nullable: true
                agent_features:
                  items:
                    additionalProperties: false
                    type: object
                    properties:
                      enabled:
                        type: boolean
                      name:
                        type: string
                    required:
                      - name
                      - enabled
                  maxItems: 100
                  type: array
                agentless:
                  additionalProperties: false
                  type: object
                  properties:
                    cloud_connectors:
                      additionalProperties: false
                      type: object
                      properties:
                        enabled:
                          type: boolean
                        target_csp:
                          enum:
                            - aws
                            - azure
                            - gcp
                          type: string
                      required:
                        - enabled
                    resources:
                      additionalProperties: false
                      type: object
                      properties:
                        requests:
                          additionalProperties: false
                          type: object
                          properties:
                            cpu:
                              type: string
                            memory:
                              type: string
                bumpRevision:
                  type: boolean
                data_output_id:
                  nullable: true
                  type: string
                description:
                  type: string
                download_source_id:
                  nullable: true
                  type: string
                fleet_server_host_id:
                  nullable: true
                  type: string
                force:
                  type: boolean
                global_data_tags:
                  description: User defined data tags that are added to all of the inputs. The values can be strings or numbers.
                  items:
                    additionalProperties: false
                    type: object
                    properties:
                      name:
                        type: string
                      value:
                        anyOf:
                          - type: string
                          - type: number
                    required:
                      - name
                      - value
                  maxItems: 100
                  type: array
                has_agent_version_conditions:
                  type: boolean
                has_fleet_server:
                  type: boolean
                id:
                  type: string
                inactivity_timeout:
                  default: 1209600
                  minimum: 0
                  type: number
                is_default:
                  type: boolean
                is_default_fleet_server:
                  type: boolean
                is_managed:
                  type: boolean
                is_protected:
                  type: boolean
                is_verifier:
                  description: Indicates this is a short-lived verifier policy used for OTel permission verification.
                  type: boolean
                keep_monitoring_alive:
                  default: false
                  description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled
                  nullable: true
                  type: boolean
                monitoring_diagnostics:
                  additionalProperties: false
                  type: object
                  properties:
                    limit:
                      additionalProperties: false
                      type: object
                      properties:
                        burst:
                          type: number
                        interval:
                          type: string
                    uploader:
                      additionalProperties: false
                      type: object
                      properties:
                        init_dur:
                          type: string
                        max_dur:
                          type: string
                        max_retries:
                          type: number
                monitoring_enabled:
                  items:
                    enum:
                      - logs
                      - metrics
                      - traces
                    type: string
                  maxItems: 3
                  type: array
                monitoring_http:
                  additionalProperties: false
                  type: object
                  properties:
                    buffer:
                      additionalProperties: false
                      type: object
                      properties:
                        enabled:
                          default: false
                          type: boolean
                    enabled:
                      type: boolean
                    host:
                      type: string
                    port:
                      maximum: 65353
                      minimum: 0
                      type: number
                monitoring_output_id:
                  nullable: true
                  type: string
                monitoring_pprof_enabled:
                  type: boolean
                name:
                  minLength: 1
                  type: string
                namespace:
                  minLength: 1
                  type: string
                overrides:
                  additionalProperties:
                    nullable: true
                  description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure.
                  nullable: true
                  type: object
                required_versions:
                  items:
                    additionalProperties: false
                    type: object
                    properties:
                      percentage:
                        description: Target percentage of agents to auto upgrade
                        maximum: 100
                        minimum: 0
                        type: number
                      version:
                        description: Target version for automatic agent upgrade
                        type: string
                    required:
                      - version
                      - percentage
                  maxItems: 100
                  nullable: true
                  type: array
                space_ids:
                  items:
                    type: string
                  maxItems: 100
                  type: array
                supports_agentless:
                  default: false
                  deprecated: true
                  description: Indicates whether the agent policy supports agentless integrations. Deprecated in favor of the Fleet agentless policies API.
                  nullable: true
                  type: boolean
                unenroll_timeout:
                  minimum: 0
                  type: number
              required:
                - name
                - namespace
      responses:
        '200':
          content:
            application/json:
              examples:
                putAgentPolicyExample:
                  description: The updated agent policy
                  value:
                    item:
                      description: An updated agent policy description
                      id: agent-policy-id-1
                      is_managed: false
                      is_protected: false
                      name: Updated agent policy
                      namespace: default
                      revision: 2
                      status: active
                      updated_at: '2024-01-15T11:00:00.000Z'
                      updated_by: user1
              schema:
                additionalProperties: false
                type: object
                properties:
                  item:
                    additionalProperties: false
                    type: object
                    properties:
                      advanced_settings:
                        additionalProperties: false
                        type: object
                        properties:
                          agent_download_target_directory:
                            nullable: true
                          agent_download_timeout:
                            nullable: true
                          agent_features_disable_policy_change_acks_enabled:
                            nullable: true
                          agent_internal:
                            nullable: true
                          agent_limits_go_max_procs:
                            nullable: true
                          agent_logging_files_interval:
                            nullable: true
                          agent_logging_files_keepfiles:
                            nullable: true
                          agent_logging_files_rotateeverybytes:
                            nullable: true
                          agent_logging_level:
                            nullable: true
                          agent_logging_metrics_period:
                            nullable: true
                          agent_logging_to_files:
                            nullable: true
                          agent_monitoring_runtime_experimental:
                            nullable: true
                      agent_features:
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            enabled:
                              type: boolean
                            name:
                              type: string
                          required:
                            - name
                            - enabled
                        maxItems: 100
                        type: array
                      agentless:
                        additionalProperties: false
                        type: object
                        properties:
                          cloud_connectors:
                            additionalProperties: false
                            type: object
                            properties:
                              enabled:
                                type: boolean
                              target_csp:
                                enum:
                                  - aws
                                  - azure
                                  - gcp
                                type: string
                            required:
                              - enabled
                          resources:
                            additionalProperties: false
                            type: object
                            properties:
                              requests:
                                additionalProperties: false
                                type: object
                                properties:
                                  cpu:
                                    type: string
                                  memory:
                                    type: string
                      agents:
                        type: number
                      agents_per_version:
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            count:
                              type: number
                            version:
                              type: string
                          required:
                            - version
                            - count
                        maxItems: 1000
                        type: array
                      created_at:
                        type: string
                      data_output_id:
                        nullable: true
                        type: string
                      description:
                        type: string
                      download_source_id:
                        nullable: true
                        type: string
                      fips_agents:
                        type: number
                      fleet_server_host_id:
                        nullable: true
                        type: string
                      global_data_tags:
                        description: User defined data tags that are added to all of the inputs. The values can be strings or numbers.
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            name:
                              type: string
                            value:
                              anyOf:
                                - type: string
                                - type: number
                          required:
                            - name
                            - value
                        maxItems: 100
                        type: array
                      has_agent_version_conditions:
                        type: boolean
                      has_fleet_server:
                        type: boolean
                      id:
                        type: string
                      inactivity_timeout:
                        default: 1209600
                        minimum: 0
                        type: number
                      is_default:
                        type: boolean
                      is_default_fleet_server:
                        type: boolean
                      is_managed:
                        type: boolean
                      is_preconfigured:
                        type: boolean
                      is_protected:
                        description: Indicates whether the agent policy has tamper protection enabled. Default false.
                        type: boolean
                      is_verifier:
                        description: Indicates this is a short-lived verifier policy used for OTel permission verification.
                        type: boolean
                      keep_monitoring_alive:
                        default: false
                        description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled
                        nullable: true
                        type: boolean
                      min_agent_version:
                        nullable: true
                        type: string
                      monitoring_diagnostics:
                        additionalProperties: false
                        type: object
                        properties:
                          limit:
                            additionalProperties: false
                            type: object
                            properties:
                              burst:
                                type: number
                              interval:
                                type: string
                          uploader:
                            additionalProperties: false
                            type: object
                            properties:
                              init_dur:
                                type: string
                              max_dur:
                                type: string
                              max_retries:
                                type: number
                      monitoring_enabled:
                        items:
                          enum:
                            - logs
                            - metrics
                            - traces
                          type: string
                        maxItems: 3
                        type: array
                      monitoring_http:
                        additionalProperties: false
                        type: object
                        properties:
                          buffer:
                            additionalProperties: false
                            type: object
                            properties:
                              enabled:
                                default: false
                                type: boolean
                          enabled:
                            type: boolean
                          host:
                            type: string
                          port:
                            maximum: 65353
                            minimum: 0
                            type: number
                      monitoring_output_id:
                        nullable: true
                        type: string
                      monitoring_pprof_enabled:
                        type: boolean
                      name:
                        minLength: 1
                        type: string
                      namespace:
                        minLength: 1
                        type: string
                      overrides:
                        additionalProperties:
                          nullable: true
                        description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure.
                        nullable: true
                        type: object
                      package_agent_version_conditions:
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            name:
                              type: string
                            title:
                              type: string
                            version_condition:
                              type: string
                          required:
                            - name
                            - title
                            - version_condition
                        maxItems: 1000
                        nullable: true
                        type: array
                      package_policies:
                        anyOf:
                          - items:
                              type: string
                            maxItems: 10000
                            type: array
                          - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter
                            items:
                              additionalProperties: false
                              type: object
                              properties:
                                additional_datastreams_permissions:
                                  description: Additional datastream permissions that will be added to the agent policy.
                                  items:
                                    type: string
                                  maxItems: 1000
                                  nullable: true
                                  type: array
                                agents:
                                  type: number
                                cloud_connector_id:
                                  description: ID of the cloud connector associated with this package policy.
                                  nullable: true
                                  type: string
                                cloud_connector_name:
                                  description: Transient field for cloud connector name during creation.
                                  maxLength: 255
                                  minLength: 1
                                  nullable: true
                                  type: string
                                created_at:
                                  type: string
                                created_by:
                                  type: string
                                description:
                                  description: Package policy description
                                  type: string
                                elasticsearch:
                                  additionalProperties: true
                                  type: object
                                  properties:
                                    privileges:
                                      additionalProperties: true
                                      type: object
                                      properties:
                                        cluster:
                                          items:
                                            type: string
                                          maxItems: 100
                                          type: array
                                enabled:
                                  type: boolean
                                global_data_tags:
                                  items:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      name:
                                        description: The name of the custom field. Cannot contain spaces.
                                        type: string
                                      value:
                                        anyOf:
                                          - type: string
                                          - type: number
                                        description: The value of the custom field.
                                    required:
                                      - name
                                      - value
                                  maxItems: 100
                                  nullable: true
                                  type: array
                                id:
                                  description: Package policy unique identifier.
                                  type: string
                                inputs:
                                  anyOf:
                                    - items:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          compiled_input:
                                            nullable: true
                                          config:
                                            additionalProperties:
                                              additionalProperties: false
                                              type: object
                                              properties:
                                                frozen:
                                                  type: boolean
                                                type:
                                                  type: string
                                                value:
                                                  nullable: true
                                              required:
                                                - value
                                            description: Package variable (see integration documentation for more information)
                                            type: object
                                          deprecated:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              description:
                                                type: string
                                              replaced_by:
                                                additionalProperties:
                                                  type: string
                                                type: object
                                              since:
                                                type: string
                                            required:
                                              - description
                                          enabled:
                                            type: boolean
                                          id:
                                            type: string
                                          keep_enabled:
                                            type: boolean
                                          migrate_from:
                                            type: string
                                          name:
                                            type: string
                                          policy_template:
                                            type: string
                                          streams:
                                            items:
                                              additionalProperties: false
                                              type: object
                                              properties:
                                                compiled_stream:
                                                  nullable: true
                                                config:
                                                  additionalProperties:
                                                    additionalProperties: false
                                                    type: object
                                                    properties:
                                                      frozen:
                                                        type: boolean
                                                      type:
                                                        type: string
                                                      value:
                                                        nullable: true
                                                    required:
                                                      - value
                                                  description: Package variable (see integration documentation for more information)
                                                  type: object
                                                data_stream:
                                                  additionalProperties: false
                                                  type: object
                                                  properties:
                                                    dataset:
                                                      type: string
                                                    elasticsearch:
                                                      additionalProperties: false
                                                      type: object
                                                      properties:
                                                        dynamic_dataset:
                                                          type: boolean
                                                        dynamic_namespace:
                                                          type: boolean
                                                        privileges:
                                                          additionalProperties: false
                                                          type: object
                                                          properties:
                                                            indices:
                                                              items:
                                                                type: string
                                                              maxItems: 100
                                                              type: array
                                                    type:
                                                      type: string
                                                  required:
                                                    - dataset
                                                deprecated:
                                                  additionalProperties: false
                                                  type: object
                                                  properties:
                                                    description:
                                                      type: string
                                                    replaced_by:
                                                      additionalProperties:
                                                        type: string
                                                      type: object
                                                    since:
                                                      type: string
                                                  required:
                                                    - description
                                                enabled:
                                                  type: boolean
                                                id:
                                                  type: string
                                                keep_enabled:
                                                  type: boolean
                                                migrate_from:
                                                  type: string
                                                release:
                                                  enum:
                                                    - ga
                                                    - beta
                                                    - experimental
                                                  type: string
                                                var_group_selections:
                                                  additionalProperties:
                                                    type: string
                                                  description: Variable group selections. Maps var_group name to the selected option name within that group.
                                                  type: object
                                                vars:
                                                  additionalProperties:
                                                    additionalProperties: false
                                                    type: object
                                                    properties:
                                                      frozen:
                                                        type: boolean
                                                      type:
                                                        type: string
                                                      value:
                                                        nullable: true
                                                    required:
                                                      - value
                                                  description: Package variable (see integration documentation for more information)
                                                  type: object
                                              required:
                                                - enabled
                                                - data_stream
                                                - compiled_stream
                                            maxItems: 1000
                                            type: array
                                          type:
                                            type: string
                                          var_group_selections:
                                            additionalProperties:
                                              type: string
                                            description: Variable group selections. Maps var_group name to the selected option name within that group.
                                            type: object
                                          vars:
                                            additionalProperties:
                                              additionalProperties: false
                                              type: object
                                              properties:
                                                frozen:
                                                  type: boolean
                                                type:
                                                  type: string
                                                value:
                                                  nullable: true
                                              required:
                                                - value
                                            description: Package variable (see integration documentation for more information)
                                            type: object
                                        required:
                                          - type
                                          - enabled
                                          - streams
                                          - compiled_input
                                      maxItems: 100
                                      type: array
                                    - additionalProperties:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          deprecated:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              description:
                                                type: string
                                              replaced_by:
                                                additionalProperties:
                                                  type: string
                                                type: object
                                              since:
                                                type: string
                                            required:
                                              - description
                                          enabled:
                                            description: Enable or disable this input. Defaults to `true` (enabled).
                                            type: boolean
                                          streams:
                                            additionalProperties:
                                              additionalProperties: false
                                              type: object
                                              properties:
                                                deprecated:
                                                  additionalProperties: false
                                                  type: object
                                                  properties:
                                                    description:
                                                      type: string
                                                    replaced_by:
                                                      additionalProperties:
                                                        type: string
                                                      type: object
                                                    since:
                                                      type: string
                                                  required:
                                                    - description
                                                enabled:
                                                  description: Enable or disable this stream. Defaults to `true` (enabled).
                                                  type: boolean
                                                var_group_selections:
                                                  additionalProperties:
                                                    type: string
                                                  description: Variable group selections. Maps var_group name to the selected option name within that group.
                                                  type: object
                                                vars:
                                                  additionalProperties:
                                                    anyOf:
                                                      - type: string
                                                      - type: number
                                                      - type: boolean
                                                      - items:
                                                          type: string
                                                        maxItems: 100
                                                        type: array
                                                      - items:
                                                          type: number
                                                        maxItems: 100
                                                        type: array
                                                      - additionalProperties: false
                                                        type: object
                                                        properties:
                                                          id:
                                                            type: string
                                                          isSecretRef:
                                                            type: boolean
                                                        required:
                                                          - id
                                                          - isSecretRef
                                                    nullable: true
                                                  description: Input/stream level variable. Refer to the integration documentation for more information.
                                                  type: object
                                            description: Input streams. Refer to the integration documentation to know which streams are available.
                                            type: object
                                          vars:
                                            additionalProperties:
                                              anyOf:
                                                - type: string
                                                - type: number
                                                - type: boolean
                                                - items:
                                                    type: string
                                                  maxItems: 100
                                                  type: array
                                                - items:
                                                    type: number
                                                  maxItems: 100
                                                  type: array
                                                - additionalProperties: false
                                                  type: object
                                                  properties:
                                                    id:
                                                      type: string
                                                    isSecretRef:
                                                      type: boolean
                                                  required:
                                                    - id
                                                    - isSecretRef
                                              nullable: true
                                            description: Input/stream level variable. Refer to the integration documentation for more information.
                                            type: object
                                      description: Package policy inputs. Refer to the integration documentation to know which inputs are available.
                                      type: object
                                      x-oas-optional: true
                                  description: Package policy inputs.
                                is_managed:
                                  type: boolean
                                name:
                                  description: Unique name for the package policy.
                                  type: string
                                namespace:
                                  description: The package policy namespace. Leave blank to inherit the agent policy's namespace.
                                  type: string
                                output_id:
                                  nullable: true
                                  type: string
                                overrides:
                                  additionalProperties: false
                                  description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
                                  nullable: true
                                  type: object
                                  properties:
                                    inputs:
                                      additionalProperties:
                                        nullable: true
                                      type: object
                                package:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    experimental_data_stream_features:
                                      items:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          data_stream:
                                            type: string
                                          features:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              doc_value_only_numeric:
                                                type: boolean
                                              doc_value_only_other:
                                                type: boolean
                                              synthetic_source:
                                                type: boolean
                                              tsdb:
                                                type: boolean
                                        required:
                                          - data_stream
                                          - features
                                      maxItems: 100
                                      type: array
                                    fips_compatible:
                                      type: boolean
                                    name:
                                      description: Package name
                                      type: string
                                    requires_root:
                                      type: boolean
                                    title:
                                      type: string
                                    version:
                                      description: Package version
                                      type: string
                                  required:
                                    - name
                                    - version
                                package_agent_version_condition:
                                  type: string
                                policy_id:
                                  deprecated: true
                                  description: ID of the agent policy which the package policy will be added to.
                                  nullable: true
                                  type: string
                                policy_ids:
                                  items:
                                    description: IDs of the agent policies that the package policy will be added to.
                                    type: string
                                  maxItems: 1000
                                  type: array
                                revision:
                                  description: Package policy revision.
                                  type: number
                                secret_references:
                                  items:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      id:
                                        type: string
                                    required:
                                      - id
                                  maxItems: 1000
                                  type: array
                                spaceIds:
                                  items:
                                    type: string
                                  maxItems: 100
                                  type: array
                                supports_agentless:
                                  default: false
                                  description: Indicates whether the package policy belongs to an agentless agent policy.
                                  nullable: true
                                  type: boolean
                                supports_cloud_connector:
                                  default: false
                                  description: Indicates whether the package policy supports cloud connectors.
                                  nullable: true
                                  type: boolean
                                updated_at:
                                  type: string
                                updated_by:
                                  type: string
                                var_group_selections:
                                  additionalProperties:
                                    type: string
                                  description: Variable group selections. Maps var_group name to the selected option name within that group.
                                  type: object
                                vars:
                                  anyOf:
                                    - additionalProperties:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          frozen:
                                            type: boolean
                                          type:
                                            type: string
                                          value:
                                            nullable: true
                                        required:
                                          - value
                                      description: Package variable (see integration documentation for more information)
                                      type: object
                                    - additionalProperties:
                                        anyOf:
                                          - type: string
                                          - type: number
                                          - type: boolean
                                          - items:
                                              type: string
                                            maxItems: 100
                                            type: array
                                          - items:
                                              type: number
                                            maxItems: 100
                                            type: array
                                          - additionalProperties: false
                                            type: object
                                            properties:
                                              id:
                                                type: string
                                              isSecretRef:
                                                type: boolean
                                            required:
                                              - id
                                              - isSecretRef
                                        nullable: true
                                      description: Input/stream level variable. Refer to the integration documentation for more information.
                                      type: object
                                      x-oas-optional: true
                                  description: Package level variable.
                                version:
                                  description: Package policy ES version.
                                  type: string
                              required:
                                - name
                                - enabled
                                - inputs
                                - id
                                - revision
                                - updated_at
                                - updated_by
                                - created_at
                                - created_by
                            maxItems: 10000
                            type: array
                      required_versions:
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            percentage:
                              description: Target percentage of agents to auto upgrade
                              maximum: 100
                              minimum: 0
                              type: number
                            version:
                              description: Target version for automatic agent upgrade
                              type: string
                          required:
                            - version
                            - percentage
                        maxItems: 100
                        nullable: true
                        type: array
                      revision:
                        type: number
                      schema_version:
                        type: string
                      space_ids:
                        items:
                          type: string
                        maxItems: 100
                        type: array
                      status:
                        enum:
                          - active
                          - inactive
                        type: string
                      supports_agentless:
                        default: false
                        description: Indicates whether the agent policy supports agentless integrations.
                        nullable: true
                        type: boolean
                      unenroll_timeout:
                        minimum: 0
                        type: number
                      unprivileged_agents:
                        type: number
                      updated_at:
                        type: string
                      updated_by:
                        type: string
                      version:
                        type: string
                    required:
                      - id
                      - name
                      - namespace
                      - is_protected
                      - status
                      - updated_at
                      - updated_by
                      - revision
                required:
                  - item
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Update an agent policy
      tags:
        - Elastic Agent policies
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/agent_policies/{agentPolicyId}/auto_upgrade_agents_status:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/auto_upgrade_agents_status</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get the auto-upgrade status for agents assigned to an agent policy.<br/><br/>[Required authorization] Route required privileges: fleet-agents-read.
      operationId: get-fleet-agent-policies-agentpolicyid-auto-upgrade-agents-status
      parameters:
        - description: The ID of the agent policy
          in: path
          name: agentPolicyId
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                getAutoUpgradeAgentsStatusExample:
                  description: Auto-upgrade status for agents in the policy
                  value:
                    currentVersions:
                      - agents: 3
                        failedUpgradeAgents: 0
                        inProgressUpgradeAgents: 1
                        version: 8.16.0
                    totalAgents: 5
              schema:
                additionalProperties: false
                type: object
                properties:
                  currentVersions:
                    items:
                      additionalProperties: false
                      type: object
                      properties:
                        agents:
                          description: Number of agents that upgraded to this version
                          type: number
                        failedUpgradeActionIds:
                          description: List of action IDs related to failed upgrades
                          items:
                            type: string
                          maxItems: 1000
                          type: array
                        failedUpgradeAgents:
                          description: Number of agents that failed to upgrade to this version
                          type: number
                        inProgressUpgradeActionIds:
                          description: List of action IDs related to in-progress upgrades
                          items:
                            type: string
                          maxItems: 1000
                          type: array
                        inProgressUpgradeAgents:
                          description: Number of agents that are upgrading to this version
                          type: number
                        version:
                          description: Agent version
                          type: string
                      required:
                        - version
                        - agents
                        - failedUpgradeAgents
                        - inProgressUpgradeAgents
                    maxItems: 10000
                    type: array
                  totalAgents:
                    type: number
                required:
                  - currentVersions
                  - totalAgents
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Get auto upgrade agent status
      tags:
        - Elastic Agent policies
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/agent_policies/{agentPolicyId}/copy:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/copy</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Copy an agent policy by ID.<br/><br/>[Required authorization] Route required privileges: fleet-agent-policies-all.
      operationId: post-fleet-agent-policies-agentpolicyid-copy
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The ID of the agent policy
          in: path
          name: agentPolicyId
          required: true
          schema:
            type: string
        - description: 'Format for the response: simplified or legacy'
          in: query
          name: format
          required: false
          schema:
            enum:
              - simplified
              - legacy
            type: string
      requestBody:
        content:
          application/json:
            examples:
              postCopyAgentPolicyRequestExample:
                description: Copy an agent policy with a new name
                value:
                  description: A copy of the original agent policy
                  name: Copy of my agent policy
            schema:
              additionalProperties: false
              type: object
              properties:
                description:
                  type: string
                name:
                  minLength: 1
                  type: string
              required:
                - name
      responses:
        '200':
          content:
            application/json:
              examples:
                postCopyAgentPolicyExample:
                  description: The copied agent policy
                  value:
                    item:
                      description: A copy of the original agent policy
                      id: agent-policy-id-copy-1
                      is_managed: false
                      is_protected: false
                      name: Copy of my agent policy
                      namespace: default
                      revision: 1
                      status: active
                      updated_at: '2024-01-15T11:00:00.000Z'
                      updated_by: user1
              schema:
                additionalProperties: false
                type: object
                properties:
                  item:
                    additionalProperties: false
                    type: object
                    properties:
                      advanced_settings:
                        additionalProperties: false
                        type: object
                        properties:
                          agent_download_target_directory:
                            nullable: true
                          agent_download_timeout:
                            nullable: true
                          agent_features_disable_policy_change_acks_enabled:
                            nullable: true
                          agent_internal:
                            nullable: true
                          agent_limits_go_max_procs:
                            nullable: true
                          agent_logging_files_interval:
                            nullable: true
                          agent_logging_files_keepfiles:
                            nullable: true
                          agent_logging_files_rotateeverybytes:
                            nullable: true
                          agent_logging_level:
                            nullable: true
                          agent_logging_metrics_period:
                            nullable: true
                          agent_logging_to_files:
                            nullable: true
                          agent_monitoring_runtime_experimental:
                            nullable: true
                      agent_features:
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            enabled:
                              type: boolean
                            name:
                              type: string
                          required:
                            - name
                            - enabled
                        maxItems: 100
                        type: array
                      agentless:
                        additionalProperties: false
                        type: object
                        properties:
                          cloud_connectors:
                            additionalProperties: false
                            type: object
                            properties:
                              enabled:
                                type: boolean
                              target_csp:
                                enum:
                                  - aws
                                  - azure
                                  - gcp
                                type: string
                            required:
                              - enabled
                          resources:
                            additionalProperties: false
                            type: object
                            properties:
                              requests:
                                additionalProperties: false
                                type: object
                                properties:
                                  cpu:
                                    type: string
                                  memory:
                                    type: string
                      agents:
                        type: number
                      agents_per_version:
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            count:
                              type: number
                            version:
                              type: string
                          required:
                            - version
                            - count
                        maxItems: 1000
                        type: array
                      created_at:
                        type: string
                      data_output_id:
                        nullable: true
                        type: string
                      description:
                        type: string
                      download_source_id:
                        nullable: true
                        type: string
                      fips_agents:
                        type: number
                      fleet_server_host_id:
                        nullable: true
                        type: string
                      global_data_tags:
                        description: User-defined data tags that are added to all of the inputs. The values can be strings or numbers.
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            name:
                              type: string
                            value:
                              anyOf:
                                - type: string
                                - type: number
                          required:
                            - name
                            - value
                        maxItems: 100
                        type: array
                      has_agent_version_conditions:
                        type: boolean
                      has_fleet_server:
                        type: boolean
                      id:
                        type: string
                      inactivity_timeout:
                        default: 1209600
                        minimum: 0
                        type: number
                      is_default:
                        type: boolean
                      is_default_fleet_server:
                        type: boolean
                      is_managed:
                        type: boolean
                      is_preconfigured:
                        type: boolean
                      is_protected:
                        description: Indicates whether the agent policy has tamper protection enabled. Default false.
                        type: boolean
                      is_verifier:
                        description: Indicates this is a short-lived verifier policy used for OTel permission verification.
                        type: boolean
                      keep_monitoring_alive:
                        default: false
                        description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled
                        nullable: true
                        type: boolean
                      min_agent_version:
                        nullable: true
                        type: string
                      monitoring_diagnostics:
                        additionalProperties: false
                        type: object
                        properties:
                          limit:
                            additionalProperties: false
                            type: object
                            properties:
                              burst:
                                type: number
                              interval:
                                type: string
                          uploader:
                            additionalProperties: false
                            type: object
                            properties:
                              init_dur:
                                type: string
                              max_dur:
                                type: string
                              max_retries:
                                type: number
                      monitoring_enabled:
                        items:
                          enum:
                            - logs
                            - metrics
                            - traces
                          type: string
                        maxItems: 3
                        type: array
                      monitoring_http:
                        additionalProperties: false
                        type: object
                        properties:
                          buffer:
                            additionalProperties: false
                            type: object
                            properties:
                              enabled:
                                default: false
                                type: boolean
                          enabled:
                            type: boolean
                          host:
                            type: string
                          port:
                            maximum: 65353
                            minimum: 0
                            type: number
                      monitoring_output_id:
                        nullable: true
                        type: string
                      monitoring_pprof_enabled:
                        type: boolean
                      name:
                        minLength: 1
                        type: string
                      namespace:
                        minLength: 1
                        type: string
                      overrides:
                        additionalProperties:
                          nullable: true
                        description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure.
                        nullable: true
                        type: object
                      package_agent_version_conditions:
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            name:
                              type: string
                            title:
                              type: string
                            version_condition:
                              type: string
                          required:
                            - name
                            - title
                            - version_condition
                        maxItems: 1000
                        nullable: true
                        type: array
                      package_policies:
                        anyOf:
                          - items:
                              type: string
                            maxItems: 10000
                            type: array
                          - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter
                            items:
                              additionalProperties: false
                              type: object
                              properties:
                                additional_datastreams_permissions:
                                  description: Additional data stream permissions that will be added to the agent policy.
                                  items:
                                    type: string
                                  maxItems: 1000
                                  nullable: true
                                  type: array
                                agents:
                                  type: number
                                cloud_connector_id:
                                  description: ID of the cloud connector associated with this package policy.
                                  nullable: true
                                  type: string
                                cloud_connector_name:
                                  description: Transient field for cloud connector name during creation.
                                  maxLength: 255
                                  minLength: 1
                                  nullable: true
                                  type: string
                                created_at:
                                  type: string
                                created_by:
                                  type: string
                                description:
                                  description: Package policy description
                                  type: string
                                elasticsearch:
                                  additionalProperties: true
                                  type: object
                                  properties:
                                    privileges:
                                      additionalProperties: true
                                      type: object
                                      properties:
                                        cluster:
                                          items:
                                            type: string
                                          maxItems: 100
                                          type: array
                                enabled:
                                  type: boolean
                                global_data_tags:
                                  items:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      name:
                                        description: The name of the custom field. Cannot contain spaces.
                                        type: string
                                      value:
                                        anyOf:
                                          - type: string
                                          - type: number
                                        description: The value of the custom field.
                                    required:
                                      - name
                                      - value
                                  maxItems: 100
                                  nullable: true
                                  type: array
                                id:
                                  description: Package policy unique identifier.
                                  type: string
                                inputs:
                                  anyOf:
                                    - items:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          compiled_input:
                                            nullable: true
                                          config:
                                            additionalProperties:
                                              additionalProperties: false
                                              type: object
                                              properties:
                                                frozen:
                                                  type: boolean
                                                type:
                                                  type: string
                                                value:
                                                  nullable: true
                                              required:
                                                - value
                                            description: Package variable (see integration documentation for more information)
                                            type: object
                                          deprecated:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              description:
                                                type: string
                                              replaced_by:
                                                additionalProperties:
                                                  type: string
                                                type: object
                                              since:
                                                type: string
                                            required:
                                              - description
                                          enabled:
                                            type: boolean
                                          id:
                                            type: string
                                          keep_enabled:
                                            type: boolean
                                          migrate_from:
                                            type: string
                                          name:
                                            type: string
                                          policy_template:
                                            type: string
                                          streams:
                                            items:
                                              additionalProperties: false
                                              type: object
                                              properties:
                                                compiled_stream:
                                                  nullable: true
                                                config:
                                                  additionalProperties:
                                                    additionalProperties: false
                                                    type: object
                                                    properties:
                                                      frozen:
                                                        type: boolean
                                                      type:
                                                        type: string
                                                      value:
                                                        nullable: true
                                                    required:
                                                      - value
                                                  description: Package variable (see integration documentation for more information)
                                                  type: object
                                                data_stream:
                                                  additionalProperties: false
                                                  type: object
                                                  properties:
                                                    dataset:
                                                      type: string
                                                    elasticsearch:
                                                      additionalProperties: false
                                                      type: object
                                                      properties:
                                                        dynamic_dataset:
                                                          type: boolean
                                                        dynamic_namespace:
                                                          type: boolean
                                                        privileges:
                                                          additionalProperties: false
                                                          type: object
                                                          properties:
                                                            indices:
                                                              items:
                                                                type: string
                                                              maxItems: 100
                                                              type: array
                                                    type:
                                                      type: string
                                                  required:
                                                    - dataset
                                                deprecated:
                                                  additionalProperties: false
                                                  type: object
                                                  properties:
                                                    description:
                                                      type: string
                                                    replaced_by:
                                                      additionalProperties:
                                                        type: string
                                                      type: object
                                                    since:
                                                      type: string
                                                  required:
                                                    - description
                                                enabled:
                                                  type: boolean
                                                id:
                                                  type: string
                                                keep_enabled:
                                                  type: boolean
                                                migrate_from:
                                                  type: string
                                                release:
                                                  enum:
                                                    - ga
                                                    - beta
                                                    - experimental
                                                  type: string
                                                var_group_selections:
                                                  additionalProperties:
                                                    type: string
                                                  description: Variable group selections. Maps var_group name to the selected option name within that group.
                                                  type: object
                                                vars:
                                                  additionalProperties:
                                                    additionalProperties: false
                                                    type: object
                                                    properties:
                                                      frozen:
                                                        type: boolean
                                                      type:
                                                        type: string
                                                      value:
                                                        nullable: true
                                                    required:
                                                      - value
                                                  description: Package variable (see integration documentation for more information)
                                                  type: object
                                              required:
                                                - enabled
                                                - data_stream
                                                - compiled_stream
                                            maxItems: 1000
                                            type: array
                                          type:
                                            type: string
                                          var_group_selections:
                                            additionalProperties:
                                              type: string
                                            description: Variable group selections. Maps var_group name to the selected option name within that group.
                                            type: object
                                          vars:
                                            additionalProperties:
                                              additionalProperties: false
                                              type: object
                                              properties:
                                                frozen:
                                                  type: boolean
                                                type:
                                                  type: string
                                                value:
                                                  nullable: true
                                              required:
                                                - value
                                            description: Package variable (see integration documentation for more information)
                                            type: object
                                        required:
                                          - type
                                          - enabled
                                          - streams
                                          - compiled_input
                                      maxItems: 100
                                      type: array
                                    - additionalProperties:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          deprecated:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              description:
                                                type: string
                                              replaced_by:
                                                additionalProperties:
                                                  type: string
                                                type: object
                                              since:
                                                type: string
                                            required:
                                              - description
                                          enabled:
                                            description: Enable or disable the input. Defaults to `true` (enabled).
                                            type: boolean
                                          streams:
                                            additionalProperties:
                                              additionalProperties: false
                                              type: object
                                              properties:
                                                deprecated:
                                                  additionalProperties: false
                                                  type: object
                                                  properties:
                                                    description:
                                                      type: string
                                                    replaced_by:
                                                      additionalProperties:
                                                        type: string
                                                      type: object
                                                    since:
                                                      type: string
                                                  required:
                                                    - description
                                                enabled:
                                                  description: Enable or disable the stream. Defaults to `true` (enabled).
                                                  type: boolean
                                                var_group_selections:
                                                  additionalProperties:
                                                    type: string
                                                  description: Variable group selections. Maps var_group name to the selected option name within that group.
                                                  type: object
                                                vars:
                                                  additionalProperties:
                                                    anyOf:
                                                      - type: string
                                                      - type: number
                                                      - type: boolean
                                                      - items:
                                                          type: string
                                                        maxItems: 100
                                                        type: array
                                                      - items:
                                                          type: number
                                                        maxItems: 100
                                                        type: array
                                                      - additionalProperties: false
                                                        type: object
                                                        properties:
                                                          id:
                                                            type: string
                                                          isSecretRef:
                                                            type: boolean
                                                        required:
                                                          - id
                                                          - isSecretRef
                                                    nullable: true
                                                  description: Input/stream level variable. Refer to the integration documentation for more information.
                                                  type: object
                                            description: Input streams. Refer to the integration documentation to learn which streams are available.
                                            type: object
                                          vars:
                                            additionalProperties:
                                              anyOf:
                                                - type: string
                                                - type: number
                                                - type: boolean
                                                - items:
                                                    type: string
                                                  maxItems: 100
                                                  type: array
                                                - items:
                                                    type: number
                                                  maxItems: 100
                                                  type: array
                                                - additionalProperties: false
                                                  type: object
                                                  properties:
                                                    id:
                                                      type: string
                                                    isSecretRef:
                                                      type: boolean
                                                  required:
                                                    - id
                                                    - isSecretRef
                                              nullable: true
                                            description: Input/stream level variable. Refer to the integration documentation for more information.
                                            type: object
                                      description: Package policy inputs. Refer to the integration documentation to learn which inputs are available.
                                      type: object
                                      x-oas-optional: true
                                  description: Package policy inputs.
                                is_managed:
                                  type: boolean
                                name:
                                  description: Unique name for the package policy.
                                  type: string
                                namespace:
                                  description: The package policy namespace. Leave blank to inherit the agent policy's namespace.
                                  type: string
                                output_id:
                                  nullable: true
                                  type: string
                                overrides:
                                  additionalProperties: false
                                  description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
                                  nullable: true
                                  type: object
                                  properties:
                                    inputs:
                                      additionalProperties:
                                        nullable: true
                                      type: object
                                package:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    experimental_data_stream_features:
                                      items:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          data_stream:
                                            type: string
                                          features:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              doc_value_only_numeric:
                                                type: boolean
                                              doc_value_only_other:
                                                type: boolean
                                              synthetic_source:
                                                type: boolean
                                              tsdb:
                                                type: boolean
                                        required:
                                          - data_stream
                                          - features
                                      maxItems: 100
                                      type: array
                                    fips_compatible:
                                      type: boolean
                                    name:
                                      description: Package name
                                      type: string
                                    requires_root:
                                      type: boolean
                                    title:
                                      type: string
                                    version:
                                      description: Package version
                                      type: string
                                  required:
                                    - name
                                    - version
                                package_agent_version_condition:
                                  type: string
                                policy_id:
                                  deprecated: true
                                  description: ID of the agent policy which the package policy will be added to.
                                  nullable: true
                                  type: string
                                policy_ids:
                                  items:
                                    description: IDs of the agent policies that the package policy will be added to.
                                    type: string
                                  maxItems: 1000
                                  type: array
                                revision:
                                  description: Package policy revision.
                                  type: number
                                secret_references:
                                  items:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      id:
                                        type: string
                                    required:
                                      - id
                                  maxItems: 1000
                                  type: array
                                spaceIds:
                                  items:
                                    type: string
                                  maxItems: 100
                                  type: array
                                supports_agentless:
                                  default: false
                                  description: Indicates whether the package policy belongs to an agentless agent policy.
                                  nullable: true
                                  type: boolean
                                supports_cloud_connector:
                                  default: false
                                  description: Indicates whether the package policy supports cloud connectors.
                                  nullable: true
                                  type: boolean
                                updated_at:
                                  type: string
                                updated_by:
                                  type: string
                                var_group_selections:
                                  additionalProperties:
                                    type: string
                                  description: Variable group selections. Maps var_group name to the selected option name within that group.
                                  type: object
                                vars:
                                  anyOf:
                                    - additionalProperties:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          frozen:
                                            type: boolean
                                          type:
                                            type: string
                                          value:
                                            nullable: true
                                        required:
                                          - value
                                      description: Package variable (see integration documentation for more information)
                                      type: object
                                    - additionalProperties:
                                        anyOf:
                                          - type: string
                                          - type: number
                                          - type: boolean
                                          - items:
                                              type: string
                                            maxItems: 100
                                            type: array
                                          - items:
                                              type: number
                                            maxItems: 100
                                            type: array
                                          - additionalProperties: false
                                            type: object
                                            properties:
                                              id:
                                                type: string
                                              isSecretRef:
                                                type: boolean
                                            required:
                                              - id
                                              - isSecretRef
                                        nullable: true
                                      description: Input/stream level variable. Refer to the integration documentation for more information.
                                      type: object
                                      x-oas-optional: true
                                  description: Package level variable.
                                version:
                                  description: Package policy ES version.
                                  type: string
                              required:
                                - name
                                - enabled
                                - inputs
                                - id
                                - revision
                                - updated_at
                                - updated_by
                                - created_at
                                - created_by
                            maxItems: 10000
                            type: array
                      required_versions:
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            percentage:
                              description: Target percentage of agents to auto upgrade
                              maximum: 100
                              minimum: 0
                              type: number
                            version:
                              description: Target version for automatic agent upgrade
                              type: string
                          required:
                            - version
                            - percentage
                        maxItems: 100
                        nullable: true
                        type: array
                      revision:
                        type: number
                      schema_version:
                        type: string
                      space_ids:
                        items:
                          type: string
                        maxItems: 100
                        type: array
                      status:
                        enum:
                          - active
                          - inactive
                        type: string
                      supports_agentless:
                        default: false
                        description: Indicates whether the agent policy supports agentless integrations.
                        nullable: true
                        type: boolean
                      unenroll_timeout:
                        minimum: 0
                        type: number
                      unprivileged_agents:
                        type: number
                      updated_at:
                        type: string
                      updated_by:
                        type: string
                      version:
                        type: string
                    required:
                      - id
                      - name
                      - namespace
                      - is_protected
                      - status
                      - updated_at
                      - updated_by
                      - revision
                required:
                  - item
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Copy an agent policy
      tags:
        - Elastic Agent policies
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/agent_policies/{agentPolicyId}/download:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/download</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Download an agent policy by ID.<br/><br/>[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-setup.
      operationId: get-fleet-agent-policies-agentpolicyid-download
      parameters:
        - description: The ID of the agent policy
          in: path
          name: agentPolicyId
          required: true
          schema:
            type: string
        - description: If true, returns the policy as a downloadable file
          in: query
          name: download
          required: false
          schema:
            type: boolean
        - description: If true, returns the policy formatted for standalone agents
          in: query
          name: standalone
          required: false
          schema:
            type: boolean
        - description: If true, returns the policy formatted for Kubernetes deployment
          in: query
          name: kubernetes
          required: false
          schema:
            type: boolean
        - description: If provided, returns the policy at the specified revision. Cannot be used with standalone or kubernetes flags.
          in: query
          name: revision
          required: false
          schema:
            type: number
      responses:
        '200':
          content:
            application/json:
              examples:
                getDownloadAgentPolicyExample:
                  description: The agent policy download response
                  value:
                    item: "id: agent-policy-id-1\nrevision: 1\noutputs:\n  default:\n    type: elasticsearch\n    hosts:\n      - https://elasticsearch.example.com:9200\n"
              schema:
                type: string
          description: Successful response — returns the agent policy as a YAML file download
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
        '404':
          content:
            application/json:
              examples:
                notFoundExample:
                  description: No agent policy was found with the given ID
                  value:
                    error: Not Found
                    message: Agent policy not found
                    statusCode: 404
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Not Found
      summary: Download an agent policy
      tags:
        - Elastic Agent policies
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/agent_policies/{agentPolicyId}/full:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/full</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get a full agent policy by ID.<br/><br/>[Required authorization] Route required privileges: fleet-agent-policies-read.
      operationId: get-fleet-agent-policies-agentpolicyid-full
      parameters:
        - description: The ID of the agent policy
          in: path
          name: agentPolicyId
          required: true
          schema:
            type: string
        - description: If true, returns the policy as a downloadable file
          in: query
          name: download
          required: false
          schema:
            type: boolean
        - description: If true, returns the policy formatted for standalone agents
          in: query
          name: standalone
          required: false
          schema:
            type: boolean
        - description: If true, returns the policy formatted for Kubernetes deployment
          in: query
          name: kubernetes
          required: false
          schema:
            type: boolean
        - description: If provided, returns the policy at the specified revision. Cannot be used with standalone or kubernetes flags.
          in: query
          name: revision
          required: false
          schema:
            type: number
      responses:
        '200':
          content:
            application/json:
              examples:
                getFullAgentPolicyExample:
                  description: The full agent policy configuration
                  value:
                    item:
                      agent:
                        monitoring:
                          logs: true
                          metrics: true
                      id: agent-policy-id-1
                      inputs: []
                      outputs:
                        default:
                          hosts:
                            - https://elasticsearch.example.com:9200
                          type: elasticsearch
                      revision: 1
              schema:
                additionalProperties: false
                type: object
                properties:
                  item:
                    anyOf:
                      - type: string
                      - additionalProperties: false
                        type: object
                        properties:
                          agent:
                            additionalProperties: false
                            type: object
                            properties:
                              download:
                                additionalProperties: false
                                type: object
                                properties:
                                  auth:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      api_key:
                                        type: string
                                      headers:
                                        items:
                                          additionalProperties: false
                                          type: object
                                          properties:
                                            key:
                                              type: string
                                            value:
                                              type: string
                                          required:
                                            - key
                                            - value
                                        maxItems: 100
                                        type: array
                                      password:
                                        type: string
                                      username:
                                        type: string
                                  proxy_headers:
                                    additionalProperties:
                                      anyOf:
                                        - type: string
                                        - type: boolean
                                        - type: number
                                    nullable: true
                                    type: object
                                  proxy_url:
                                    type: string
                                  secrets:
                                    additionalProperties: true
                                    type: object
                                    properties:
                                      ssl:
                                        additionalProperties: true
                                        type: object
                                        properties:
                                          key:
                                            additionalProperties: true
                                            type: object
                                            properties:
                                              id:
                                                type: string
                                        required:
                                          - key
                                  sourceURI:
                                    type: string
                                  ssl:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      certificate:
                                        type: string
                                      certificate_authorities:
                                        items:
                                          type: string
                                        maxItems: 10
                                        type: array
                                      key:
                                        type: string
                                      renegotiation:
                                        type: string
                                      verification_mode:
                                        type: string
                                  target_directory:
                                    type: string
                                  timeout:
                                    type: string
                                required:
                                  - sourceURI
                              features:
                                additionalProperties:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    enabled:
                                      type: boolean
                                  required:
                                    - enabled
                                type: object
                              internal:
                                nullable: true
                              limits:
                                additionalProperties: false
                                type: object
                                properties:
                                  go_max_procs:
                                    type: number
                              logging:
                                additionalProperties: false
                                type: object
                                properties:
                                  files:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      interval:
                                        type: string
                                      keepfiles:
                                        type: number
                                      rotateeverybytes:
                                        type: number
                                  level:
                                    type: string
                                  metrics:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      period:
                                        type: string
                                  to_files:
                                    type: boolean
                              monitoring:
                                additionalProperties: false
                                type: object
                                properties:
                                  _runtime_experimental:
                                    type: string
                                  apm:
                                    nullable: true
                                  diagnostics:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      limit:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          burst:
                                            type: number
                                          interval:
                                            type: string
                                      uploader:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          init_dur:
                                            type: string
                                          max_dur:
                                            type: string
                                          max_retries:
                                            type: number
                                  enabled:
                                    type: boolean
                                  http:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      enabled:
                                        type: boolean
                                      host:
                                        type: string
                                      port:
                                        type: number
                                  logs:
                                    type: boolean
                                  metrics:
                                    type: boolean
                                  namespace:
                                    type: string
                                  pprof:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      enabled:
                                        type: boolean
                                    required:
                                      - enabled
                                  traces:
                                    type: boolean
                                  use_output:
                                    type: string
                                required:
                                  - enabled
                                  - metrics
                                  - logs
                                  - traces
                                  - apm
                              protection:
                                additionalProperties: false
                                type: object
                                properties:
                                  enabled:
                                    type: boolean
                                  signing_key:
                                    type: string
                                  uninstall_token_hash:
                                    type: string
                                required:
                                  - enabled
                                  - uninstall_token_hash
                                  - signing_key
                            required:
                              - monitoring
                              - download
                              - features
                              - internal
                          connectors:
                            additionalProperties:
                              nullable: true
                            type: object
                          exporters:
                            additionalProperties:
                              nullable: true
                            type: object
                          extensions:
                            additionalProperties:
                              nullable: true
                            type: object
                          fleet:
                            anyOf:
                              - additionalProperties: false
                                type: object
                                properties:
                                  hosts:
                                    items:
                                      type: string
                                    maxItems: 100
                                    type: array
                                  proxy_headers:
                                    additionalProperties:
                                      anyOf:
                                        - type: string
                                        - type: boolean
                                        - type: number
                                    nullable: true
                                    type: object
                                  proxy_url:
                                    type: string
                                  secrets:
                                    additionalProperties: true
                                    type: object
                                    properties:
                                      ssl:
                                        additionalProperties: true
                                        type: object
                                        properties:
                                          key:
                                            additionalProperties: true
                                            type: object
                                            properties:
                                              id:
                                                type: string
                                        required:
                                          - key
                                  ssl:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      certificate:
                                        type: string
                                      certificate_authorities:
                                        items:
                                          type: string
                                        maxItems: 10
                                        type: array
                                      key:
                                        type: string
                                      renegotiation:
                                        type: string
                                      verification_mode:
                                        type: string
                                required:
                                  - hosts
                              - additionalProperties: false
                                type: object
                                properties:
                                  kibana:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      hosts:
                                        items:
                                          type: string
                                        maxItems: 100
                                        type: array
                                      path:
                                        type: string
                                      protocol:
                                        type: string
                                    required:
                                      - hosts
                                      - protocol
                                required:
                                  - kibana
                          id:
                            type: string
                          inputs:
                            items:
                              additionalProperties: true
                              type: object
                              properties:
                                data_stream:
                                  additionalProperties: true
                                  type: object
                                  properties:
                                    namespace:
                                      type: string
                                  required:
                                    - namespace
                                id:
                                  type: string
                                meta:
                                  additionalProperties: true
                                  type: object
                                  properties:
                                    package:
                                      additionalProperties: true
                                      type: object
                                      properties:
                                        name:
                                          type: string
                                        version:
                                          type: string
                                      required:
                                        - name
                                        - version
                                name:
                                  type: string
                                package_policy_id:
                                  type: string
                                processors:
                                  items:
                                    additionalProperties: true
                                    type: object
                                    properties:
                                      add_fields:
                                        additionalProperties: true
                                        type: object
                                        properties:
                                          fields:
                                            additionalProperties:
                                              anyOf:
                                                - type: string
                                                - type: number
                                            type: object
                                          target:
                                            type: string
                                        required:
                                          - target
                                          - fields
                                    required:
                                      - add_fields
                                  maxItems: 10000
                                  type: array
                                revision:
                                  type: number
                                streams:
                                  items:
                                    additionalProperties: true
                                    type: object
                                    properties:
                                      data_stream:
                                        additionalProperties: true
                                        type: object
                                        properties:
                                          dataset:
                                            type: string
                                          type:
                                            type: string
                                        required:
                                          - dataset
                                      id:
                                        type: string
                                    required:
                                      - id
                                      - data_stream
                                  maxItems: 10000
                                  type: array
                                type:
                                  type: string
                                use_output:
                                  type: string
                              required:
                                - id
                                - name
                                - revision
                                - type
                                - data_stream
                                - use_output
                                - package_policy_id
                            maxItems: 10000
                            type: array
                          namespaces:
                            items:
                              type: string
                            maxItems: 100
                            type: array
                          output_permissions:
                            additionalProperties:
                              additionalProperties:
                                nullable: true
                              type: object
                            type: object
                          outputs:
                            additionalProperties:
                              additionalProperties: true
                              type: object
                              properties:
                                ca_sha256:
                                  nullable: true
                                  type: string
                                hosts:
                                  items:
                                    type: string
                                  maxItems: 100
                                  type: array
                                proxy_headers:
                                  additionalProperties:
                                    anyOf:
                                      - type: string
                                      - type: boolean
                                      - type: number
                                  nullable: true
                                  type: object
                                proxy_url:
                                  type: string
                                type:
                                  type: string
                              required:
                                - type
                            type: object
                          processors:
                            additionalProperties:
                              nullable: true
                            type: object
                          receivers:
                            additionalProperties:
                              nullable: true
                            type: object
                          revision:
                            type: number
                          secret_references:
                            items:
                              additionalProperties: false
                              type: object
                              properties:
                                id:
                                  type: string
                              required:
                                - id
                            maxItems: 10000
                            type: array
                          service:
                            additionalProperties: false
                            type: object
                            properties:
                              extensions:
                                items:
                                  type: string
                                maxItems: 1000
                                type: array
                              pipelines:
                                additionalProperties:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    exporters:
                                      items:
                                        type: string
                                      maxItems: 1000
                                      type: array
                                    processors:
                                      items:
                                        type: string
                                      maxItems: 1000
                                      type: array
                                    receivers:
                                      items:
                                        type: string
                                      maxItems: 1000
                                      type: array
                                  x-oas-optional: true
                                type: object
                          signed:
                            additionalProperties: false
                            type: object
                            properties:
                              data:
                                type: string
                              signature:
                                type: string
                            required:
                              - data
                              - signature
                        required:
                          - id
                          - outputs
                          - inputs
                required:
                  - item
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
        '404':
          content:
            application/json:
              examples:
                notFoundExample:
                  description: No agent policy was found with the given ID
                  value:
                    error: Not Found
                    message: Agent policy not found
                    statusCode: 404
          description: Not Found
      summary: Get a full agent policy
      tags:
        - Elastic Agent policies
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/agent_policies/{agentPolicyId}/outputs:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/outputs</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get a list of outputs associated with an agent policy by policy ID.<br/><br/>[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-settings-read.
      operationId: get-fleet-agent-policies-agentpolicyid-outputs
      parameters:
        - description: The ID of the agent policy
          in: path
          name: agentPolicyId
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                getAgentPolicyOutputsExample:
                  description: Outputs associated with the agent policy
                  value:
                    item:
                      data:
                        output:
                          id: output-id-1
                          name: Default output
                      monitoring:
                        output:
                          id: output-id-1
                          name: Default output
              schema:
                additionalProperties: false
                type: object
                properties:
                  item:
                    additionalProperties: false
                    type: object
                    properties:
                      agentPolicyId:
                        type: string
                      data:
                        additionalProperties: false
                        type: object
                        properties:
                          integrations:
                            items:
                              additionalProperties: false
                              type: object
                              properties:
                                id:
                                  type: string
                                integrationPolicyName:
                                  type: string
                                name:
                                  type: string
                                pkgName:
                                  type: string
                            maxItems: 1000
                            type: array
                          output:
                            additionalProperties: false
                            type: object
                            properties:
                              id:
                                type: string
                              name:
                                type: string
                            required:
                              - id
                              - name
                        required:
                          - output
                      monitoring:
                        additionalProperties: false
                        type: object
                        properties:
                          output:
                            additionalProperties: false
                            type: object
                            properties:
                              id:
                                type: string
                              name:
                                type: string
                            required:
                              - id
                              - name
                        required:
                          - output
                    required:
                      - monitoring
                      - data
                required:
                  - item
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
        '404':
          content:
            application/json:
              examples:
                notFoundExample:
                  description: No agent policy was found with the given ID
                  value:
                    error: Not Found
                    message: Agent policy not found
                    statusCode: 404
          description: Not Found
      summary: Get outputs for an agent policy
      tags:
        - Elastic Agent policies
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/agent_policies/delete:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/agent_policies/delete</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Delete an agent policy by ID.<br/><br/>[Required authorization] Route required privileges: fleet-agent-policies-all.
      operationId: post-fleet-agent-policies-delete
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            examples:
              postDeleteAgentPolicyRequestExample:
                description: Delete an agent policy by ID
                value:
                  agentPolicyId: agent-policy-id-1
            schema:
              additionalProperties: false
              type: object
              properties:
                agentPolicyId:
                  description: The ID of the agent policy
                  type: string
                force:
                  description: Bypass validation checks that can prevent agent policy deletion
                  type: boolean
              required:
                - agentPolicyId
      responses:
        '200':
          content:
            application/json:
              examples:
                postDeleteAgentPolicyExample:
                  description: The agent policy was successfully deleted
                  value:
                    id: agent-policy-id-1
                    name: My agent policy
              schema:
                additionalProperties: false
                type: object
                properties:
                  id:
                    type: string
                  name:
                    type: string
                required:
                  - id
                  - name
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Delete an agent policy
      tags:
        - Elastic Agent policies
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/agent_policies/outputs:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/agent_policies/outputs</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get a list of outputs associated with agent policies.<br/><br/>[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-settings-read.
      operationId: post-fleet-agent-policies-outputs
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            examples:
              postListAgentPolicyOutputsRequestExample:
                description: Get outputs for multiple agent policies
                value:
                  ids:
                    - agent-policy-id-1
                    - agent-policy-id-2
            schema:
              additionalProperties: false
              type: object
              properties:
                ids:
                  description: List of package policy IDs
                  items:
                    type: string
                  maxItems: 1000
                  type: array
              required:
                - ids
      responses:
        '200':
          content:
            application/json:
              examples:
                postListAgentPolicyOutputsExample:
                  description: Outputs associated with the requested agent policies
                  value:
                    items:
                      - agentPolicyId: agent-policy-id-1
                        data:
                          output:
                            id: output-id-1
                            name: Default output
                        monitoring:
                          output:
                            id: output-id-1
                            name: Default output
              schema:
                additionalProperties: false
                type: object
                properties:
                  items:
                    items:
                      additionalProperties: false
                      type: object
                      properties:
                        agentPolicyId:
                          type: string
                        data:
                          additionalProperties: false
                          type: object
                          properties:
                            integrations:
                              items:
                                additionalProperties: false
                                type: object
                                properties:
                                  id:
                                    type: string
                                  integrationPolicyName:
                                    type: string
                                  name:
                                    type: string
                                  pkgName:
                                    type: string
                              maxItems: 1000
                              type: array
                            output:
                              additionalProperties: false
                              type: object
                              properties:
                                id:
                                  type: string
                                name:
                                  type: string
                              required:
                                - id
                                - name
                          required:
                            - output
                        monitoring:
                          additionalProperties: false
                          type: object
                          properties:
                            output:
                              additionalProperties: false
                              type: object
                              properties:
                                id:
                                  type: string
                                name:
                                  type: string
                              required:
                                - id
                                - name
                          required:
                            - output
                      required:
                        - monitoring
                        - data
                    maxItems: 10000
                    type: array
                required:
                  - items
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Get outputs for agent policies
      tags:
        - Elastic Agent policies
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/agent_status:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/agent_status</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get a summary of agent statuses for a given agent policy.
      operationId: get-fleet-agent-status
      parameters:
        - description: Filter by agent policy ID
          in: query
          name: policyId
          required: false
          schema:
            type: string
        - description: Filter by one or more agent policy IDs
          in: query
          name: policyIds
          required: false
          schema:
            items:
              type: string
            maxItems: 1000
            type: array
        - description: A KQL query string to filter results
          in: query
          name: kuery
          required: false
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                getAgentStatusExample:
                  description: Agent status summary for an agent policy
                  value:
                    results:
                      error: 1
                      offline: 2
                      online: 5
                      other: 0
                      updating: 0
                    totalInactive: 0
              schema:
                additionalProperties: false
                type: object
                properties:
                  results:
                    additionalProperties: false
                    type: object
                    properties:
                      active:
                        type: number
                      all:
                        type: number
                      error:
                        type: number
                      events:
                        type: number
                      inactive:
                        type: number
                      offline:
                        type: number
                      online:
                        type: number
                      orphaned:
                        type: number
                      other:
                        type: number
                      unenrolled:
                        type: number
                      uninstalled:
                        type: number
                      updating:
                        type: number
                    required:
                      - events
                      - online
                      - error
                      - offline
                      - other
                      - updating
                      - inactive
                      - unenrolled
                      - all
                      - active
                required:
                  - results
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Get an agent status summary
      tags:
        - Elastic Agent status
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/agent_status/data:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/agent_status/data</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get the data streams that an agent is actively sending data to.<br/><br/>[Required authorization] Route required privileges: fleet-agents-read.
      operationId: get-fleet-agent-status-data
      parameters:
        - description: Agent IDs to check data for, as an array or comma-separated string
          in: query
          name: agentsIds
          required: true
          schema:
            items:
              type: string
            maxItems: 10000
            type: array
        - description: Filter by integration package name
          in: query
          name: pkgName
          required: false
          schema:
            type: string
        - description: Filter by integration package version
          in: query
          name: pkgVersion
          required: false
          schema:
            type: string
        - description: When true, return a preview of the ingested data
          in: query
          name: previewData
          required: false
          schema:
            default: false
            type: boolean
      responses:
        '200':
          content:
            application/json:
              examples:
                getAgentDataExample:
                  description: Data streams the agent is actively sending data to
                  value:
                    items:
                      - data:
                          logs-nginx.access-default:
                            - id: agent-id-1
                              name: my-host
                    total: 1
                    totalMonitoring: 0
              schema:
                additionalProperties: false
                type: object
                properties:
                  dataPreview:
                    items:
                      nullable: true
                    maxItems: 10000
                    type: array
                  items:
                    items:
                      additionalProperties:
                        additionalProperties: false
                        type: object
                        properties:
                          data:
                            type: boolean
                        required:
                          - data
                      type: object
                    maxItems: 10000
                    type: array
                required:
                  - items
                  - dataPreview
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Get incoming agent data
      tags:
        - Elastic Agents
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/agentless_policies:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/agentless_policies</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Create an agentless policy.
      operationId: post-fleet-agentless-policies
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The format of the response package policy.
          in: query
          name: format
          required: false
          schema:
            default: simplified
            enum:
              - legacy
              - simplified
            type: string
      requestBody:
        content:
          application/json:
            examples:
              createAgentlessPoliciesRequestExample:
                description: Example request to create agentless policies
                value:
                  description: test
                  inputs:
                    ESS Billing-cel:
                      enabled: true
                      streams:
                        ess_billing.billing:
                          enabled: true
                          vars:
                            hide_sensitive: true
                            http_client_timeout: 30s
                            lookbehind: 365
                            tags:
                              - forwarded
                              - billing
                        ess_billing.credits:
                          enabled: false
                      vars:
                        api_key: <REPLACE_WITH_YOUR_API_KEY>
                        organization_id: '1234'
                  name: ess_billing-1
                  namespace: default
                  package:
                    name: ess_billing
                    version: 1.6.0
              createAgentlessPoliciesReuseAWSCloudConnectorExample:
                description: Example request to create an agentless policy reusing an existing AWS cloud connector
                value:
                  cloud_connector:
                    cloud_connector_id: existing-aws-connector-id
                    target_csp: aws
                  description: CSPM integration for AWS reusing existing cloud connector
                  inputs:
                    cspm-cloudbeat/cis_aws:
                      enabled: true
                      streams:
                        cloud_security_posture.findings:
                          enabled: true
                          vars:
                            aws.account_type: organization-account
                            aws.credentials.type: cloud_connector
                            aws.supports_cloud_connectors: true
                            external_id:
                              id: ABCDEFGHIJKLMNOPQRST
                              isSecretRef: true
                            role_arn: arn:aws:iam::123456789012:role/TestRole
                      vars:
                        cloud_formation_template: https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml
                    cspm-cloudbeat/cis_azure:
                      enabled: false
                    cspm-cloudbeat/cis_gcp:
                      enabled: false
                  name: cspm-aws-reuse-policy
                  namespace: default
                  package:
                    name: cloud_security_posture
                    version: 3.1.1
                  vars:
                    deployment: aws
                    posture: cspm
              createAgentlessPoliciesWithAWSCloudConnectorExample:
                description: Example request to create an agentless policy with an AWS cloud connector
                value:
                  cloud_connector:
                    target_csp: aws
                  description: CSPM integration for AWS with cloud connector
                  inputs:
                    cspm-cloudbeat/cis_aws:
                      enabled: true
                      streams:
                        cloud_security_posture.findings:
                          enabled: true
                          vars:
                            aws.account_type: organization-account
                            aws.credentials.type: cloud_connector
                            aws.supports_cloud_connectors: true
                            external_id:
                              id: ABCDEFGHIJKLMNOPQRST
                              isSecretRef: true
                            role_arn: arn:aws:iam::123456789012:role/TestRole
                      vars:
                        cloud_formation_template: https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml
                    cspm-cloudbeat/cis_azure:
                      enabled: false
                    cspm-cloudbeat/cis_gcp:
                      enabled: false
                  name: cspm-aws-policy
                  namespace: default
                  package:
                    name: cloud_security_posture
                    version: 3.1.1
                  vars:
                    deployment: aws
                    posture: cspm
              createAgentlessPoliciesWithAzureCloudConnectorExample:
                description: Example request to create an agentless policy with an Azure cloud connector
                value:
                  cloud_connector:
                    target_csp: azure
                  description: CSPM integration for Azure with cloud connector
                  inputs:
                    cspm-cloudbeat/cis_aws:
                      enabled: false
                    cspm-cloudbeat/cis_azure:
                      enabled: true
                      streams:
                        cloud_security_posture.findings:
                          enabled: true
                          vars:
                            azure_credentials_cloud_connector_id:
                              type: text
                              value: existing-azure-credentials-connector-id
                            azure.account_type: organization-account
                            client_id:
                              id: client-secret-id
                              isSecretRef: true
                            tenant_id:
                              id: tenant-secret-id
                              isSecretRef: true
                    cspm-cloudbeat/cis_gcp:
                      enabled: false
                  name: cspm-azure-policy
                  namespace: default
                  package:
                    name: cloud_security_posture
                    version: 3.1.1
                  vars:
                    deployment: azure
                    posture: cspm
            schema:
              additionalProperties: false
              type: object
              properties:
                additional_datastreams_permissions:
                  description: Additional data stream permissions that will be added to the agent policy.
                  items:
                    type: string
                  maxItems: 100
                  nullable: true
                  type: array
                cloud_connector:
                  additionalProperties: false
                  type: object
                  properties:
                    cloud_connector_id:
                      description: ID of an existing cloud connector to reuse. If not provided, a new connector will be created.
                      type: string
                    enabled:
                      default: false
                      description: Whether cloud connectors are enabled for this policy.
                      type: boolean
                    name:
                      description: Optional name for the cloud connector. If not provided, it will be auto-generated from credentials.
                      maxLength: 255
                      minLength: 1
                      type: string
                    target_csp:
                      description: Target cloud service provider. If not provided, it will be auto-detected from inputs.
                      enum:
                        - aws
                        - azure
                        - gcp
                      type: string
                description:
                  description: Policy description.
                  type: string
                force:
                  description: Force package policy creation even if the package is not verified, or if the agent policy is managed.
                  type: boolean
                global_data_tags:
                  items:
                    additionalProperties: false
                    type: object
                    properties:
                      name:
                        description: The name of the custom field. Cannot contain spaces.
                        type: string
                      value:
                        anyOf:
                          - type: string
                          - type: number
                        description: The value of the custom field.
                    required:
                      - name
                      - value
                  maxItems: 100
                  type: array
                id:
                  description: Policy unique identifier.
                  type: string
                inputs:
                  additionalProperties:
                    additionalProperties: false
                    type: object
                    properties:
                      deprecated:
                        additionalProperties: false
                        type: object
                        properties:
                          description:
                            type: string
                          replaced_by:
                            additionalProperties:
                              type: string
                            type: object
                          since:
                            type: string
                        required:
                          - description
                      enabled:
                        description: Enable or disable the input. Defaults to `true` (enabled).
                        type: boolean
                      streams:
                        additionalProperties:
                          additionalProperties: false
                          type: object
                          properties:
                            deprecated:
                              additionalProperties: false
                              type: object
                              properties:
                                description:
                                  type: string
                                replaced_by:
                                  additionalProperties:
                                    type: string
                                  type: object
                                since:
                                  type: string
                              required:
                                - description
                            enabled:
                              description: Enable or disable the stream. Defaults to `true` (enabled).
                              type: boolean
                            var_group_selections:
                              additionalProperties:
                                type: string
                              description: Variable group selections. Maps var_group name to the selected option name within that group.
                              type: object
                            vars:
                              additionalProperties:
                                anyOf:
                                  - type: string
                                  - type: number
                                  - type: boolean
                                  - items:
                                      type: string
                                    maxItems: 100
                                    type: array
                                  - items:
                                      type: number
                                    maxItems: 100
                                    type: array
                                  - additionalProperties: false
                                    type: object
                                    properties:
                                      id:
                                        type: string
                                      isSecretRef:
                                        type: boolean
                                    required:
                                      - id
                                      - isSecretRef
                                nullable: true
                              description: Input/stream level variable. Refer to the integration documentation for more information.
                              type: object
                        description: Input streams. Refer to the integration documentation to know which streams are available.
                        type: object
                      vars:
                        additionalProperties:
                          anyOf:
                            - type: string
                            - type: number
                            - type: boolean
                            - items:
                                type: string
                              maxItems: 100
                              type: array
                            - items:
                                type: number
                              maxItems: 100
                              type: array
                            - additionalProperties: false
                              type: object
                              properties:
                                id:
                                  type: string
                                isSecretRef:
                                  type: boolean
                              required:
                                - id
                                - isSecretRef
                          nullable: true
                        description: Input/stream level variable. Refer to the integration documentation for more information.
                        type: object
                  description: Package policy inputs. Refer to the integration documentation to know which inputs are available.
                  type: object
                name:
                  description: Unique name for the policy.
                  type: string
                namespace:
                  description: Policy namespace. When not specified, it inherits the agent policy namespace.
                  type: string
                package:
                  additionalProperties: false
                  type: object
                  properties:
                    experimental_data_stream_features:
                      items:
                        additionalProperties: false
                        type: object
                        properties:
                          data_stream:
                            type: string
                          features:
                            additionalProperties: false
                            type: object
                            properties:
                              doc_value_only_numeric:
                                type: boolean
                              doc_value_only_other:
                                type: boolean
                              synthetic_source:
                                type: boolean
                              tsdb:
                                type: boolean
                        required:
                          - data_stream
                          - features
                      maxItems: 100
                      type: array
                    fips_compatible:
                      type: boolean
                    name:
                      description: Package name
                      type: string
                    requires_root:
                      type: boolean
                    title:
                      type: string
                    version:
                      description: Package version
                      type: string
                  required:
                    - name
                    - version
                policy_template:
                  description: The policy template to use for the agentless package policy. If not provided, the default policy template will be used.
                  type: string
                var_group_selections:
                  additionalProperties:
                    type: string
                  description: Variable group selections. Maps var_group name to the selected option name within that group.
                  type: object
                vars:
                  additionalProperties:
                    anyOf:
                      - type: string
                      - type: number
                      - type: boolean
                      - items:
                          type: string
                        maxItems: 100
                        type: array
                      - items:
                          type: number
                        maxItems: 100
                        type: array
                      - additionalProperties: false
                        type: object
                        properties:
                          id:
                            type: string
                          isSecretRef:
                            type: boolean
                        required:
                          - id
                          - isSecretRef
                    nullable: true
                  description: Input/stream level variable. Refer to the integration documentation for more information.
                  type: object
              required:
                - name
                - package
      responses:
        '200':
          content:
            application/json:
              examples:
                createAgentlessPoliciesResponseExample:
                  description: Example response for a successfully created agentless package policy
                  value:
                    item:
                      created_at: '2025-11-06T18:27:43.541Z'
                      created_by: test_user
                      description: test
                      enabled: true
                      id: d52a7812-5736-4fdc-aed8-72152afa1ffa
                      inputs:
                        ESS Billing-cel:
                          enabled: true
                          streams:
                            ess_billing.billing:
                              enabled: true
                              vars:
                                hide_sensitive: true
                                http_client_timeout: 30s
                                lookbehind: 365
                                tags:
                                  - forwarded
                                  - billing
                            ess_billing.credits:
                              enabled: false
                          vars:
                            api_key:
                              id: QY1sWpoBbWcMW-edr0Ee
                              isSecretRef: true
                            organization_id: '1234'
                            url: https://billing.elastic-cloud.com
                      name: ess_billing-1
                      namespace: default
                      package:
                        name: ess_billing
                        title: Elasticsearch Service Billing
                        version: 1.6.0
                      revision: 1
                      secret_references:
                        - id: QY1sWpoBbWcMW-edr0Ee
                      supports_agentless: true
                      updated_at: '2025-11-06T18:27:43.541Z'
                      updated_by: test_user
                      version: WzE0OTgsMV0=
                createAgentlessPoliciesWithAWSCloudConnectorResponseExample:
                  description: Example response for AWS cloud connector integration
                  value:
                    item:
                      cloud_connector_id: aws-connector-67890
                      created_at: '2025-11-06T18:27:43.541Z'
                      created_by: test_user
                      description: CSPM integration for AWS with cloud connector
                      enabled: true
                      id: aws-policy-12345
                      inputs:
                        cspm-cloudbeat/cis_aws:
                          enabled: true
                          streams:
                            cloud_security_posture.findings:
                              enabled: true
                              vars:
                                aws.account_type: organization-account
                                aws.credentials.type: cloud_connector
                                external_id:
                                  id: secret-external-id-123
                                  isSecretRef: true
                                role_arn: arn:aws:iam::123456789012:role/TestRole
                          vars:
                            cloud_formation_template: https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml
                        cspm-cloudbeat/cis_azure:
                          enabled: false
                        cspm-cloudbeat/cis_gcp:
                          enabled: false
                      name: cspm-aws-policy
                      namespace: default
                      package:
                        name: cloud_security_posture
                        title: Cloud Security Posture Management
                        version: 3.1.1
                      revision: 1
                      secret_references:
                        - id: secret-external-id-123
                      supports_agentless: true
                      supports_cloud_connector: true
                      updated_at: '2025-11-06T18:27:43.541Z'
                      updated_by: test_user
                      vars:
                        deployment: aws
                        posture: cspm
                      version: WzE0OTgsMV0=
                createAgentlessPoliciesWithAzureCloudConnectorResponseExample:
                  description: Example response for Azure cloud connector integration
                  value:
                    item:
                      cloud_connector_id: azure-connector-67890
                      created_at: '2025-11-06T18:27:43.541Z'
                      created_by: test_user
                      description: CSPM integration for Azure with cloud connector
                      enabled: true
                      id: azure-policy-12345
                      inputs:
                        cspm-cloudbeat/cis_aws:
                          enabled: false
                        cspm-cloudbeat/cis_azure:
                          enabled: true
                          streams:
                            cloud_security_posture.findings:
                              enabled: true
                              vars:
                                azure_credentials_cloud_connector_id:
                                  type: text
                                  value: existing-azure-credentials-connector-id
                                azure.account_type: organization-account
                                client_id:
                                  id: client-secret-id-456
                                  isSecretRef: true
                                tenant_id:
                                  id: tenant-secret-id-123
                                  isSecretRef: true
                        cspm-cloudbeat/cis_gcp:
                          enabled: false
                      name: cspm-azure-policy
                      namespace: default
                      package:
                        name: cloud_security_posture
                        title: Cloud Security Posture Management
                        version: 3.1.1
                      revision: 1
                      secret_references:
                        - id: tenant-secret-id-123
                        - id: client-secret-id-456
                      supports_agentless: true
                      supports_cloud_connector: true
                      updated_at: '2025-11-06T18:27:43.541Z'
                      updated_by: test_user
                      vars:
                        deployment: azure
                        posture: cspm
                      version: WzE0OTgsMV0=
              schema:
                additionalProperties: false
                type: object
                properties:
                  item:
                    additionalProperties: false
                    description: The created agentless package policy.
                    type: object
                    properties:
                      additional_datastreams_permissions:
                        description: Additional datastream permissions that will be added to the agent policy.
                        items:
                          type: string
                        maxItems: 1000
                        nullable: true
                        type: array
                      agents:
                        type: number
                      cloud_connector_id:
                        description: ID of the cloud connector associated with this package policy.
                        nullable: true
                        type: string
                      cloud_connector_name:
                        description: Transient field for cloud connector name during creation.
                        maxLength: 255
                        minLength: 1
                        nullable: true
                        type: string
                      created_at:
                        type: string
                      created_by:
                        type: string
                      description:
                        description: Package policy description
                        type: string
                      elasticsearch:
                        additionalProperties: true
                        type: object
                        properties:
                          privileges:
                            additionalProperties: true
                            type: object
                            properties:
                              cluster:
                                items:
                                  type: string
                                maxItems: 100
                                type: array
                      enabled:
                        type: boolean
                      global_data_tags:
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            name:
                              description: The name of the custom field. Cannot contain spaces.
                              type: string
                            value:
                              anyOf:
                                - type: string
                                - type: number
                              description: The value of the custom field.
                          required:
                            - name
                            - value
                        maxItems: 100
                        nullable: true
                        type: array
                      id:
                        description: Package policy unique identifier.
                        type: string
                      inputs:
                        anyOf:
                          - items:
                              additionalProperties: false
                              type: object
                              properties:
                                compiled_input:
                                  nullable: true
                                config:
                                  additionalProperties:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      frozen:
                                        type: boolean
                                      type:
                                        type: string
                                      value:
                                        nullable: true
                                    required:
                                      - value
                                  description: Package variable (see integration documentation for more information)
                                  type: object
                                deprecated:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    description:
                                      type: string
                                    replaced_by:
                                      additionalProperties:
                                        type: string
                                      type: object
                                    since:
                                      type: string
                                  required:
                                    - description
                                enabled:
                                  type: boolean
                                id:
                                  type: string
                                keep_enabled:
                                  type: boolean
                                migrate_from:
                                  type: string
                                name:
                                  type: string
                                policy_template:
                                  type: string
                                streams:
                                  items:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      compiled_stream:
                                        nullable: true
                                      config:
                                        additionalProperties:
                                          additionalProperties: false
                                          type: object
                                          properties:
                                            frozen:
                                              type: boolean
                                            type:
                                              type: string
                                            value:
                                              nullable: true
                                          required:
                                            - value
                                        description: Package variable (see integration documentation for more information)
                                        type: object
                                      data_stream:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          dataset:
                                            type: string
                                          elasticsearch:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              dynamic_dataset:
                                                type: boolean
                                              dynamic_namespace:
                                                type: boolean
                                              privileges:
                                                additionalProperties: false
                                                type: object
                                                properties:
                                                  indices:
                                                    items:
                                                      type: string
                                                    maxItems: 100
                                                    type: array
                                          type:
                                            type: string
                                        required:
                                          - dataset
                                      deprecated:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          description:
                                            type: string
                                          replaced_by:
                                            additionalProperties:
                                              type: string
                                            type: object
                                          since:
                                            type: string
                                        required:
                                          - description
                                      enabled:
                                        type: boolean
                                      id:
                                        type: string
                                      keep_enabled:
                                        type: boolean
                                      migrate_from:
                                        type: string
                                      release:
                                        enum:
                                          - ga
                                          - beta
                                          - experimental
                                        type: string
                                      var_group_selections:
                                        additionalProperties:
                                          type: string
                                        description: Variable group selections. Maps var_group name to the selected option name within that group.
                                        type: object
                                      vars:
                                        additionalProperties:
                                          additionalProperties: false
                                          type: object
                                          properties:
                                            frozen:
                                              type: boolean
                                            type:
                                              type: string
                                            value:
                                              nullable: true
                                          required:
                                            - value
                                        description: Package variable (see integration documentation for more information)
                                        type: object
                                    required:
                                      - enabled
                                      - data_stream
                                      - compiled_stream
                                  maxItems: 1000
                                  type: array
                                type:
                                  type: string
                                var_group_selections:
                                  additionalProperties:
                                    type: string
                                  description: Variable group selections. Maps var_group name to the selected option name within that group.
                                  type: object
                                vars:
                                  additionalProperties:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      frozen:
                                        type: boolean
                                      type:
                                        type: string
                                      value:
                                        nullable: true
                                    required:
                                      - value
                                  description: Package variable (see integration documentation for more information)
                                  type: object
                              required:
                                - type
                                - enabled
                                - streams
                                - compiled_input
                            maxItems: 100
                            type: array
                          - additionalProperties:
                              additionalProperties: false
                              type: object
                              properties:
                                deprecated:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    description:
                                      type: string
                                    replaced_by:
                                      additionalProperties:
                                        type: string
                                      type: object
                                    since:
                                      type: string
                                  required:
                                    - description
                                enabled:
                                  description: Enable or disable the input. Defaults to `true` (enabled).
                                  type: boolean
                                streams:
                                  additionalProperties:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      deprecated:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          description:
                                            type: string
                                          replaced_by:
                                            additionalProperties:
                                              type: string
                                            type: object
                                          since:
                                            type: string
                                        required:
                                          - description
                                      enabled:
                                        description: Enable or disable the stream. Defaults to `true` (enabled).
                                        type: boolean
                                      var_group_selections:
                                        additionalProperties:
                                          type: string
                                        description: Variable group selections. Maps var_group name to the selected option name within that group.
                                        type: object
                                      vars:
                                        additionalProperties:
                                          anyOf:
                                            - type: string
                                            - type: number
                                            - type: boolean
                                            - items:
                                                type: string
                                              maxItems: 100
                                              type: array
                                            - items:
                                                type: number
                                              maxItems: 100
                                              type: array
                                            - additionalProperties: false
                                              type: object
                                              properties:
                                                id:
                                                  type: string
                                                isSecretRef:
                                                  type: boolean
                                              required:
                                                - id
                                                - isSecretRef
                                          nullable: true
                                        description: Input/stream level variable. Refer to the integration documentation for more information.
                                        type: object
                                  description: Input streams. Refer to the integration documentation to know which streams are available.
                                  type: object
                                vars:
                                  additionalProperties:
                                    anyOf:
                                      - type: string
                                      - type: number
                                      - type: boolean
                                      - items:
                                          type: string
                                        maxItems: 100
                                        type: array
                                      - items:
                                          type: number
                                        maxItems: 100
                                        type: array
                                      - additionalProperties: false
                                        type: object
                                        properties:
                                          id:
                                            type: string
                                          isSecretRef:
                                            type: boolean
                                        required:
                                          - id
                                          - isSecretRef
                                    nullable: true
                                  description: Input/stream level variable. Refer to the integration documentation for more information.
                                  type: object
                            description: Package policy inputs. Refer to the integration documentation to know which inputs are available.
                            type: object
                            x-oas-optional: true
                        description: Package policy inputs.
                      is_managed:
                        type: boolean
                      name:
                        description: Unique name for the package policy.
                        type: string
                      namespace:
                        description: The package policy namespace. Leave blank to inherit the agent policy's namespace.
                        type: string
                      output_id:
                        nullable: true
                        type: string
                      overrides:
                        additionalProperties: false
                        description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
                        nullable: true
                        type: object
                        properties:
                          inputs:
                            additionalProperties:
                              nullable: true
                            type: object
                      package:
                        additionalProperties: false
                        type: object
                        properties:
                          experimental_data_stream_features:
                            items:
                              additionalProperties: false
                              type: object
                              properties:
                                data_stream:
                                  type: string
                                features:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    doc_value_only_numeric:
                                      type: boolean
                                    doc_value_only_other:
                                      type: boolean
                                    synthetic_source:
                                      type: boolean
                                    tsdb:
                                      type: boolean
                              required:
                                - data_stream
                                - features
                            maxItems: 100
                            type: array
                          fips_compatible:
                            type: boolean
                          name:
                            description: Package name
                            type: string
                          requires_root:
                            type: boolean
                          title:
                            type: string
                          version:
                            description: Package version
                            type: string
                        required:
                          - name
                          - version
                      package_agent_version_condition:
                        type: string
                      policy_id:
                        deprecated: true
                        description: ID of the agent policy which the package policy will be added to.
                        nullable: true
                        type: string
                      policy_ids:
                        items:
                          description: IDs of the agent policies which the package policy will be added to.
                          type: string
                        maxItems: 1000
                        type: array
                      revision:
                        description: Package policy revision.
                        type: number
                      secret_references:
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            id:
                              type: string
                          required:
                            - id
                        maxItems: 1000
                        type: array
                      spaceIds:
                        items:
                          type: string
                        maxItems: 100
                        type: array
                      supports_agentless:
                        default: false
                        description: Indicates whether the package policy belongs to an agentless agent policy.
                        nullable: true
                        type: boolean
                      supports_cloud_connector:
                        default: false
                        description: Indicates whether the package policy supports cloud connectors.
                        nullable: true
                        type: boolean
                      updated_at:
                        type: string
                      updated_by:
                        type: string
                      var_group_selections:
                        additionalProperties:
                          type: string
                        description: Variable group selections. Maps var_group name to the selected option name within that group.
                        type: object
                      vars:
                        anyOf:
                          - additionalProperties:
                              additionalProperties: false
                              type: object
                              properties:
                                frozen:
                                  type: boolean
                                type:
                                  type: string
                                value:
                                  nullable: true
                              required:
                                - value
                            description: Package variable (see integration documentation for more information)
                            type: object
                          - additionalProperties:
                              anyOf:
                                - type: string
                                - type: number
                                - type: boolean
                                - items:
                                    type: string
                                  maxItems: 100
                                  type: array
                                - items:
                                    type: number
                                  maxItems: 100
                                  type: array
                                - additionalProperties: false
                                  type: object
                                  properties:
                                    id:
                                      type: string
                                    isSecretRef:
                                      type: boolean
                                  required:
                                    - id
                                    - isSecretRef
                              nullable: true
                            description: Input/stream level variable. Refer to the integration documentation for more information.
                            type: object
                            x-oas-optional: true
                        description: Package level variable.
                      version:
                        description: Package policy ES version.
                        type: string
                    required:
                      - name
                      - enabled
                      - inputs
                      - id
                      - revision
                      - updated_at
                      - updated_by
                      - created_at
                      - created_by
                required:
                  - item
          description: Indicates a successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
        '409':
          content:
            application/json:
              examples:
                conflictErrorResponseExample:
                  description: Example of a conflict error response
                  value:
                    error: Conflict
                    message: An error message describing what went wrong
                    statusCode: 409
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Conflict
      summary: Create an agentless policy
      tags:
        - Fleet agentless policies
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/agentless_policies/{policyId}:
    delete:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/agentless_policies/{policyId}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Delete an agentless policy
      operationId: delete-fleet-agentless-policies-policyid
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The ID of the policy to delete.
          in: path
          name: policyId
          required: true
          schema:
            type: string
        - description: Force delete the policy even if the policy is managed.
          in: query
          name: force
          required: false
          schema:
            type: boolean
      responses:
        '200':
          content:
            application/json:
              examples:
                createAgentlessPoliciesResponseExample:
                  description: Example response showing the ID of the deleted agentless policy
                  value:
                    item:
                      id: d52a7812-5736-4fdc-aed8-72152afa1ffa
              schema:
                additionalProperties: false
                description: Response for deleting an agentless package policy.
                type: object
                properties:
                  id:
                    description: The ID of the deleted agentless package policy.
                    type: string
                required:
                  - id
          description: Indicates a successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
        '409':
          content:
            application/json:
              examples:
                conflictErrorResponseExample:
                  description: Example of a conflict error response
                  value:
                    error: Conflict
                    message: An error message describing what went wrong
                    statusCode: 409
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Conflict
      summary: Delete an agentless policy
      tags:
        - Fleet agentless policies
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/agents:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/agents</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        List agents, with optional filtering and pagination.<br/><br/>[Required authorization] Route required privileges: fleet-agents-read.
      operationId: get-fleet-agents
      parameters:
        - description: Page number
          in: query
          name: page
          required: false
          schema:
            type: number
        - description: Number of results per page
          in: query
          name: perPage
          required: false
          schema:
            default: 20
            type: number
        - description: A KQL query string to filter results
          in: query
          name: kuery
          required: false
          schema:
            type: string
        - description: When true, include agentless agents in the results
          in: query
          name: showAgentless
          required: false
          schema:
            default: true
            type: boolean
        - description: When true, include inactive agents in the results
          in: query
          name: showInactive
          required: false
          schema:
            default: false
            type: boolean
        - description: When true, include CPU and memory metrics in the response
          in: query
          name: withMetrics
          required: false
          schema:
            default: false
            type: boolean
        - description: When true, only return agents that are upgradeable
          in: query
          name: showUpgradeable
          required: false
          schema:
            default: false
            type: boolean
        - description: When true, return a summary of agent statuses in the response
          in: query
          name: getStatusSummary
          required: false
          schema:
            default: false
            type: boolean
        - description: Field to sort results by
          in: query
          name: sortField
          required: false
          schema:
            type: string
        - description: Sort order, ascending or descending
          in: query
          name: sortOrder
          required: false
          schema:
            enum:
              - asc
              - desc
            type: string
        - description: JSON-encoded array of sort values for `search_after` pagination
          in: query
          name: searchAfter
          required: false
          schema:
            type: string
        - description: When true, opens a new point-in-time for pagination
          in: query
          name: openPit
          required: false
          schema:
            type: boolean
        - description: Point-in-time ID for pagination
          in: query
          name: pitId
          required: false
          schema:
            type: string
        - description: Duration to keep the point-in-time alive, for example, `1m`
          in: query
          name: pitKeepAlive
          required: false
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                getAgentsExample:
                  description: List of agents
                  value:
                    items:
                      - active: true
                        enrolled_at: '2024-01-01T00:00:00.000Z'
                        id: agent-id-1
                        policy_id: agent-policy-id-1
                        policy_revision: 1
                        status: online
                        type: PERMANENT
                        updated_at: '2024-01-01T00:00:00.000Z'
                    page: 1
                    perPage: 20
                    total: 1
              schema:
                additionalProperties: false
                type: object
                properties:
                  items:
                    items:
                      additionalProperties: false
                      type: object
                      properties:
                        access_api_key:
                          type: string
                        access_api_key_id:
                          type: string
                        active:
                          type: boolean
                        agent:
                          additionalProperties: true
                          type: object
                          properties:
                            id:
                              type: string
                            type:
                              type: string
                            version:
                              type: string
                          required:
                            - id
                            - version
                        audit_unenrolled_reason:
                          type: string
                        capabilities:
                          items:
                            type: string
                          maxItems: 100
                          type: array
                        components:
                          items:
                            additionalProperties: false
                            type: object
                            properties:
                              id:
                                type: string
                              message:
                                type: string
                              status:
                                enum:
                                  - STARTING
                                  - CONFIGURING
                                  - HEALTHY
                                  - DEGRADED
                                  - FAILED
                                  - STOPPING
                                  - STOPPED
                                type: string
                              type:
                                type: string
                              units:
                                items:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    id:
                                      type: string
                                    message:
                                      type: string
                                    payload:
                                      additionalProperties:
                                        nullable: true
                                      type: object
                                    status:
                                      enum:
                                        - STARTING
                                        - CONFIGURING
                                        - HEALTHY
                                        - DEGRADED
                                        - FAILED
                                        - STOPPING
                                        - STOPPED
                                      type: string
                                    type:
                                      enum:
                                        - input
                                        - output
                                        - ''
                                      type: string
                                  required:
                                    - id
                                    - type
                                    - status
                                    - message
                                maxItems: 10000
                                type: array
                            required:
                              - id
                              - type
                              - status
                              - message
                          maxItems: 10000
                          type: array
                        default_api_key:
                          type: string
                        default_api_key_history:
                          items:
                            additionalProperties: false
                            deprecated: true
                            type: object
                            properties:
                              id:
                                type: string
                              retired_at:
                                type: string
                            required:
                              - id
                              - retired_at
                          maxItems: 100
                          type: array
                        default_api_key_id:
                          type: string
                        effective_config:
                          nullable: true
                        enrolled_at:
                          type: string
                        health:
                          additionalProperties:
                            nullable: true
                          type: object
                        id:
                          type: string
                        identifying_attributes:
                          additionalProperties:
                            type: string
                          type: object
                        last_checkin:
                          type: string
                        last_checkin_message:
                          type: string
                        last_checkin_status:
                          enum:
                            - error
                            - online
                            - degraded
                            - updating
                            - starting
                            - disconnected
                          type: string
                        last_known_status:
                          enum:
                            - offline
                            - error
                            - online
                            - inactive
                            - enrolling
                            - unenrolling
                            - unenrolled
                            - updating
                            - degraded
                            - uninstalled
                            - orphaned
                          type: string
                        local_metadata:
                          additionalProperties:
                            nullable: true
                          type: object
                        metrics:
                          additionalProperties: false
                          type: object
                          properties:
                            cpu_avg:
                              type: number
                            memory_size_byte_avg:
                              type: number
                        namespaces:
                          items:
                            type: string
                          maxItems: 100
                          type: array
                        non_identifying_attributes:
                          additionalProperties:
                            type: string
                          type: object
                        outputs:
                          additionalProperties:
                            additionalProperties: false
                            type: object
                            properties:
                              api_key_id:
                                type: string
                              to_retire_api_key_ids:
                                items:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    id:
                                      type: string
                                    retired_at:
                                      type: string
                                  required:
                                    - id
                                    - retired_at
                                maxItems: 100
                                type: array
                              type:
                                type: string
                          type: object
                        packages:
                          items:
                            type: string
                          maxItems: 10000
                          type: array
                        policy_id:
                          type: string
                        policy_revision:
                          nullable: true
                          type: number
                        sequence_num:
                          type: number
                        sort:
                          items:
                            nullable: true
                          maxItems: 10
                          type: array
                        status:
                          enum:
                            - offline
                            - error
                            - online
                            - inactive
                            - enrolling
                            - unenrolling
                            - unenrolled
                            - updating
                            - degraded
                            - uninstalled
                            - orphaned
                          type: string
                        tags:
                          items:
                            type: string
                          maxItems: 100
                          type: array
                        type:
                          enum:
                            - PERMANENT
                            - EPHEMERAL
                            - TEMPORARY
                            - OPAMP
                          type: string
                        unenrolled_at:
                          type: string
                        unenrollment_started_at:
                          type: string
                        unhealthy_reason:
                          items:
                            enum:
                              - input
                              - output
                              - other
                            type: string
                          maxItems: 3
                          nullable: true
                          type: array
                        upgrade:
                          additionalProperties: false
                          type: object
                          properties:
                            rollbacks:
                              items:
                                additionalProperties: false
                                type: object
                                properties:
                                  valid_until:
                                    type: string
                                  version:
                                    type: string
                                required:
                                  - valid_until
                                  - version
                              maxItems: 100
                              type: array
                        upgrade_attempts:
                          items:
                            type: string
                          maxItems: 10000
                          nullable: true
                          type: array
                        upgrade_details:
                          additionalProperties: false
                          nullable: true
                          type: object
                          properties:
                            action_id:
                              type: string
                            metadata:
                              additionalProperties: false
                              type: object
                              properties:
                                download_percent:
                                  type: number
                                download_rate:
                                  type: number
                                error_msg:
                                  type: string
                                failed_state:
                                  enum:
                                    - UPG_REQUESTED
                                    - UPG_SCHEDULED
                                    - UPG_DOWNLOADING
                                    - UPG_EXTRACTING
                                    - UPG_REPLACING
                                    - UPG_RESTARTING
                                    - UPG_FAILED
                                    - UPG_WATCHING
                                    - UPG_ROLLBACK
                                  type: string
                                reason:
                                  type: string
                                retry_error_msg:
                                  type: string
                                retry_until:
                                  type: string
                                scheduled_at:
                                  type: string
                            state:
                              enum:
                                - UPG_REQUESTED
                                - UPG_SCHEDULED
                                - UPG_DOWNLOADING
                                - UPG_EXTRACTING
                                - UPG_REPLACING
                                - UPG_RESTARTING
                                - UPG_FAILED
                                - UPG_WATCHING
                                - UPG_ROLLBACK
                              type: string
                            target_version:
                              type: string
                          required:
                            - target_version
                            - action_id
                            - state
                        upgrade_started_at:
                          nullable: true
                          type: string
                        upgraded_at:
                          nullable: true
                          type: string
                        user_provided_metadata:
                          additionalProperties:
                            nullable: true
                          type: object
                      required:
                        - id
                        - packages
                        - type
                        - active
                        - enrolled_at
                        - local_metadata
                        - effective_config
                    maxItems: 10000
                    type: array
                  nextSearchAfter:
                    type: string
                  page:
                    type: number
                  perPage:
                    type: number
                  pit:
                    type: string
                  statusSummary:
                    additionalProperties:
                      type: number
                    type: object
                  total:
                    type: number
                required:
                  - items
                  - total
                  - page
                  - perPage
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Get agents
      tags:
        - Elastic Agents
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/agents</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Retrieve agents associated with specific action IDs.<br/><br/>[Required authorization] Route required privileges: fleet-agents-read.
      operationId: post-fleet-agents
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            examples:
              postGetAgentsByActionsRequestExample:
                description: Retrieve agents associated with specific action IDs
                value:
                  actionIds:
                    - action-id-1
                    - action-id-2
            schema:
              additionalProperties: false
              type: object
              properties:
                actionIds:
                  items:
                    type: string
                  maxItems: 1000
                  type: array
              required:
                - actionIds
      responses:
        '200':
          content:
            application/json:
              examples:
                postGetAgentsByActionsExample:
                  description: Agents associated with the given actions
                  value:
                    items:
                      - agent-id-1
              schema:
                additionalProperties: false
                type: object
                properties:
                  items:
                    items:
                      type: string
                    maxItems: 10000
                    type: array
                required:
                  - items
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Get agents by action IDs
      tags:
        - Elastic Agents
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/agents/{agentId}:
    delete:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/agents/{agentId}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Delete an agent by ID.<br/><br/>[Required authorization] Route required privileges: fleet-agents-all.
      operationId: delete-fleet-agents-agentid
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The agent ID
          in: path
          name: agentId
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                deleteAgentExample:
                  description: Agent successfully deleted
                  value:
                    action: deleted
              schema:
                additionalProperties: false
                type: object
                properties:
                  action:
                    enum:
                      - deleted
                    type: string
                required:
                  - action
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
        '404':
          content:
            application/json:
              examples:
                notFoundExample:
                  description: No agent was found with the given ID
                  value:
                    error: Not Found
                    message: Agent agent-id-1 not found
                    statusCode: 404
          description: Not Found
      summary: Delete an agent
      tags:
        - Elastic Agents
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/agents/{agentId}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get an agent by ID.<br/><br/>[Required authorization] Route required privileges: fleet-agents-read.
      operationId: get-fleet-agents-agentid
      parameters:
        - description: The agent ID
          in: path
          name: agentId
          required: true
          schema:
            type: string
        - description: When true, include CPU and memory metrics in the response
          in: query
          name: withMetrics
          required: false
          schema:
            default: false
            type: boolean
      responses:
        '200':
          content:
            application/json:
              examples:
                getAgentExample:
                  description: Agent details
                  value:
                    item:
                      active: true
                      agent_id: agent-id-1
                      enrolled_at: '2024-01-01T00:00:00.000Z'
                      id: agent-id-1
                      local_metadata:
                        elastic:
                          agent:
                            version: 8.17.0
                        host:
                          hostname: my-host
                        os:
                          name: linux
                      policy_id: agent-policy-id-1
                      policy_revision: 1
                      status: online
                      type: PERMANENT
                      updated_at: '2024-01-01T00:00:00.000Z'
              schema:
                additionalProperties: false
                type: object
                properties:
                  item:
                    additionalProperties: false
                    type: object
                    properties:
                      access_api_key:
                        type: string
                      access_api_key_id:
                        type: string
                      active:
                        type: boolean
                      agent:
                        additionalProperties: true
                        type: object
                        properties:
                          id:
                            type: string
                          type:
                            type: string
                          version:
                            type: string
                        required:
                          - id
                          - version
                      audit_unenrolled_reason:
                        type: string
                      capabilities:
                        items:
                          type: string
                        maxItems: 100
                        type: array
                      components:
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            id:
                              type: string
                            message:
                              type: string
                            status:
                              enum:
                                - STARTING
                                - CONFIGURING
                                - HEALTHY
                                - DEGRADED
                                - FAILED
                                - STOPPING
                                - STOPPED
                              type: string
                            type:
                              type: string
                            units:
                              items:
                                additionalProperties: false
                                type: object
                                properties:
                                  id:
                                    type: string
                                  message:
                                    type: string
                                  payload:
                                    additionalProperties:
                                      nullable: true
                                    type: object
                                  status:
                                    enum:
                                      - STARTING
                                      - CONFIGURING
                                      - HEALTHY
                                      - DEGRADED
                                      - FAILED
                                      - STOPPING
                                      - STOPPED
                                    type: string
                                  type:
                                    enum:
                                      - input
                                      - output
                                      - ''
                                    type: string
                                required:
                                  - id
                                  - type
                                  - status
                                  - message
                              maxItems: 10000
                              type: array
                          required:
                            - id
                            - type
                            - status
                            - message
                        maxItems: 10000
                        type: array
                      default_api_key:
                        type: string
                      default_api_key_history:
                        items:
                          additionalProperties: false
                          deprecated: true
                          type: object
                          properties:
                            id:
                              type: string
                            retired_at:
                              type: string
                          required:
                            - id
                            - retired_at
                        maxItems: 100
                        type: array
                      default_api_key_id:
                        type: string
                      effective_config:
                        nullable: true
                      enrolled_at:
                        type: string
                      health:
                        additionalProperties:
                          nullable: true
                        type: object
                      id:
                        type: string
                      identifying_attributes:
                        additionalProperties:
                          type: string
                        type: object
                      last_checkin:
                        type: string
                      last_checkin_message:
                        type: string
                      last_checkin_status:
                        enum:
                          - error
                          - online
                          - degraded
                          - updating
                          - starting
                          - disconnected
                        type: string
                      last_known_status:
                        enum:
                          - offline
                          - error
                          - online
                          - inactive
                          - enrolling
                          - unenrolling
                          - unenrolled
                          - updating
                          - degraded
                          - uninstalled
                          - orphaned
                        type: string
                      local_metadata:
                        additionalProperties:
                          nullable: true
                        type: object
                      metrics:
                        additionalProperties: false
                        type: object
                        properties:
                          cpu_avg:
                            type: number
                          memory_size_byte_avg:
                            type: number
                      namespaces:
                        items:
                          type: string
                        maxItems: 100
                        type: array
                      non_identifying_attributes:
                        additionalProperties:
                          type: string
                        type: object
                      outputs:
                        additionalProperties:
                          additionalProperties: false
                          type: object
                          properties:
                            api_key_id:
                              type: string
                            to_retire_api_key_ids:
                              items:
                                additionalProperties: false
                                type: object
                                properties:
                                  id:
                                    type: string
                                  retired_at:
                                    type: string
                                required:
                                  - id
                                  - retired_at
                              maxItems: 100
                              type: array
                            type:
                              type: string
                        type: object
                      packages:
                        items:
                          type: string
                        maxItems: 10000
                        type: array
                      policy_id:
                        type: string
                      policy_revision:
                        nullable: true
                        type: number
                      sequence_num:
                        type: number
                      sort:
                        items:
                          nullable: true
                        maxItems: 10
                        type: array
                      status:
                        enum:
                          - offline
                          - error
                          - online
                          - inactive
                          - enrolling
                          - unenrolling
                          - unenrolled
                          - updating
                          - degraded
                          - uninstalled
                          - orphaned
                        type: string
                      tags:
                        items:
                          type: string
                        maxItems: 100
                        type: array
                      type:
                        enum:
                          - PERMANENT
                          - EPHEMERAL
                          - TEMPORARY
                          - OPAMP
                        type: string
                      unenrolled_at:
                        type: string
                      unenrollment_started_at:
                        type: string
                      unhealthy_reason:
                        items:
                          enum:
                            - input
                            - output
                            - other
                          type: string
                        maxItems: 3
                        nullable: true
                        type: array
                      upgrade:
                        additionalProperties: false
                        type: object
                        properties:
                          rollbacks:
                            items:
                              additionalProperties: false
                              type: object
                              properties:
                                valid_until:
                                  type: string
                                version:
                                  type: string
                              required:
                                - valid_until
                                - version
                            maxItems: 100
                            type: array
                      upgrade_attempts:
                        items:
                          type: string
                        maxItems: 10000
                        nullable: true
                        type: array
                      upgrade_details:
                        additionalProperties: false
                        nullable: true
                        type: object
                        properties:
                          action_id:
                            type: string
                          metadata:
                            additionalProperties: false
                            type: object
                            properties:
                              download_percent:
                                type: number
                              download_rate:
                                type: number
                              error_msg:
                                type: string
                              failed_state:
                                enum:
                                  - UPG_REQUESTED
                                  - UPG_SCHEDULED
                                  - UPG_DOWNLOADING
                                  - UPG_EXTRACTING
                                  - UPG_REPLACING
                                  - UPG_RESTARTING
                                  - UPG_FAILED
                                  - UPG_WATCHING
                                  - UPG_ROLLBACK
                                type: string
                              reason:
                                type: string
                              retry_error_msg:
                                type: string
                              retry_until:
                                type: string
                              scheduled_at:
                                type: string
                          state:
                            enum:
                              - UPG_REQUESTED
                              - UPG_SCHEDULED
                              - UPG_DOWNLOADING
                              - UPG_EXTRACTING
                              - UPG_REPLACING
                              - UPG_RESTARTING
                              - UPG_FAILED
                              - UPG_WATCHING
                              - UPG_ROLLBACK
                            type: string
                          target_version:
                            type: string
                        required:
                          - target_version
                          - action_id
                          - state
                      upgrade_started_at:
                        nullable: true
                        type: string
                      upgraded_at:
                        nullable: true
                        type: string
                      user_provided_metadata:
                        additionalProperties:
                          nullable: true
                        type: object
                    required:
                      - id
                      - packages
                      - type
                      - active
                      - enrolled_at
                      - local_metadata
                      - effective_config
                required:
                  - item
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
        '404':
          content:
            application/json:
              examples:
                notFoundExample:
                  description: No agent was found with the given ID
                  value:
                    error: Not Found
                    message: Agent agent-id-1 not found
                    statusCode: 404
          description: Not Found
      summary: Get an agent
      tags:
        - Elastic Agents
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    put:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb put">put</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/agents/{agentId}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Update an agent by ID.<br/><br/>[Required authorization] Route required privileges: fleet-agents-all.
      operationId: put-fleet-agents-agentid
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The agent ID
          in: path
          name: agentId
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            examples:
              putAgentRequestExample:
                description: Update agent tags
                value:
                  tags:
                    - production
                    - linux
            schema:
              additionalProperties: false
              type: object
              properties:
                tags:
                  items:
                    type: string
                  maxItems: 10
                  type: array
                user_provided_metadata:
                  additionalProperties:
                    nullable: true
                  type: object
      responses:
        '200':
          content:
            application/json:
              examples:
                putAgentExample:
                  description: Updated agent details
                  value:
                    item:
                      active: true
                      enrolled_at: '2024-01-01T00:00:00.000Z'
                      id: agent-id-1
                      policy_id: agent-policy-id-1
                      policy_revision: 1
                      status: online
                      tags:
                        - production
                        - linux
                      type: PERMANENT
                      updated_at: '2024-01-01T00:00:00.000Z'
              schema:
                additionalProperties: false
                type: object
                properties:
                  item:
                    additionalProperties: false
                    type: object
                    properties:
                      access_api_key:
                        type: string
                      access_api_key_id:
                        type: string
                      active:
                        type: boolean
                      agent:
                        additionalProperties: true
                        type: object
                        properties:
                          id:
                            type: string
                          type:
                            type: string
                          version:
                            type: string
                        required:
                          - id
                          - version
                      audit_unenrolled_reason:
                        type: string
                      capabilities:
                        items:
                          type: string
                        maxItems: 100
                        type: array
                      components:
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            id:
                              type: string
                            message:
                              type: string
                            status:
                              enum:
                                - STARTING
                                - CONFIGURING
                                - HEALTHY
                                - DEGRADED
                                - FAILED
                                - STOPPING
                                - STOPPED
                              type: string
                            type:
                              type: string
                            units:
                              items:
                                additionalProperties: false
                                type: object
                                properties:
                                  id:
                                    type: string
                                  message:
                                    type: string
                                  payload:
                                    additionalProperties:
                                      nullable: true
                                    type: object
                                  status:
                                    enum:
                                      - STARTING
                                      - CONFIGURING
                                      - HEALTHY
                                      - DEGRADED
                                      - FAILED
                                      - STOPPING
                                      - STOPPED
                                    type: string
                                  type:
                                    enum:
                                      - input
                                      - output
                                      - ''
                                    type: string
                                required:
                                  - id
                                  - type
                                  - status
                                  - message
                              maxItems: 10000
                              type: array
                          required:
                            - id
                            - type
                            - status
                            - message
                        maxItems: 10000
                        type: array
                      default_api_key:
                        type: string
                      default_api_key_history:
                        items:
                          additionalProperties: false
                          deprecated: true
                          type: object
                          properties:
                            id:
                              type: string
                            retired_at:
                              type: string
                          required:
                            - id
                            - retired_at
                        maxItems: 100
                        type: array
                      default_api_key_id:
                        type: string
                      effective_config:
                        nullable: true
                      enrolled_at:
                        type: string
                      health:
                        additionalProperties:
                          nullable: true
                        type: object
                      id:
                        type: string
                      identifying_attributes:
                        additionalProperties:
                          type: string
                        type: object
                      last_checkin:
                        type: string
                      last_checkin_message:
                        type: string
                      last_checkin_status:
                        enum:
                          - error
                          - online
                          - degraded
                          - updating
                          - starting
                          - disconnected
                        type: string
                      last_known_status:
                        enum:
                          - offline
                          - error
                          - online
                          - inactive
                          - enrolling
                          - unenrolling
                          - unenrolled
                          - updating
                          - degraded
                          - uninstalled
                          - orphaned
                        type: string
                      local_metadata:
                        additionalProperties:
                          nullable: true
                        type: object
                      metrics:
                        additionalProperties: false
                        type: object
                        properties:
                          cpu_avg:
                            type: number
                          memory_size_byte_avg:
                            type: number
                      namespaces:
                        items:
                          type: string
                        maxItems: 100
                        type: array
                      non_identifying_attributes:
                        additionalProperties:
                          type: string
                        type: object
                      outputs:
                        additionalProperties:
                          additionalProperties: false
                          type: object
                          properties:
                            api_key_id:
                              type: string
                            to_retire_api_key_ids:
                              items:
                                additionalProperties: false
                                type: object
                                properties:
                                  id:
                                    type: string
                                  retired_at:
                                    type: string
                                required:
                                  - id
                                  - retired_at
                              maxItems: 100
                              type: array
                            type:
                              type: string
                        type: object
                      packages:
                        items:
                          type: string
                        maxItems: 10000
                        type: array
                      policy_id:
                        type: string
                      policy_revision:
                        nullable: true
                        type: number
                      sequence_num:
                        type: number
                      sort:
                        items:
                          nullable: true
                        maxItems: 10
                        type: array
                      status:
                        enum:
                          - offline
                          - error
                          - online
                          - inactive
                          - enrolling
                          - unenrolling
                          - unenrolled
                          - updating
                          - degraded
                          - uninstalled
                          - orphaned
                        type: string
                      tags:
                        items:
                          type: string
                        maxItems: 100
                        type: array
                      type:
                        enum:
                          - PERMANENT
                          - EPHEMERAL
                          - TEMPORARY
                          - OPAMP
                        type: string
                      unenrolled_at:
                        type: string
                      unenrollment_started_at:
                        type: string
                      unhealthy_reason:
                        items:
                          enum:
                            - input
                            - output
                            - other
                          type: string
                        maxItems: 3
                        nullable: true
                        type: array
                      upgrade:
                        additionalProperties: false
                        type: object
                        properties:
                          rollbacks:
                            items:
                              additionalProperties: false
                              type: object
                              properties:
                                valid_until:
                                  type: string
                                version:
                                  type: string
                              required:
                                - valid_until
                                - version
                            maxItems: 100
                            type: array
                      upgrade_attempts:
                        items:
                          type: string
                        maxItems: 10000
                        nullable: true
                        type: array
                      upgrade_details:
                        additionalProperties: false
                        nullable: true
                        type: object
                        properties:
                          action_id:
                            type: string
                          metadata:
                            additionalProperties: false
                            type: object
                            properties:
                              download_percent:
                                type: number
                              download_rate:
                                type: number
                              error_msg:
                                type: string
                              failed_state:
                                enum:
                                  - UPG_REQUESTED
                                  - UPG_SCHEDULED
                                  - UPG_DOWNLOADING
                                  - UPG_EXTRACTING
                                  - UPG_REPLACING
                                  - UPG_RESTARTING
                                  - UPG_FAILED
                                  - UPG_WATCHING
                                  - UPG_ROLLBACK
                                type: string
                              reason:
                                type: string
                              retry_error_msg:
                                type: string
                              retry_until:
                                type: string
                              scheduled_at:
                                type: string
                          state:
                            enum:
                              - UPG_REQUESTED
                              - UPG_SCHEDULED
                              - UPG_DOWNLOADING
                              - UPG_EXTRACTING
                              - UPG_REPLACING
                              - UPG_RESTARTING
                              - UPG_FAILED
                              - UPG_WATCHING
                              - UPG_ROLLBACK
                            type: string
                          target_version:
                            type: string
                        required:
                          - target_version
                          - action_id
                          - state
                      upgrade_started_at:
                        nullable: true
                        type: string
                      upgraded_at:
                        nullable: true
                        type: string
                      user_provided_metadata:
                        additionalProperties:
                          nullable: true
                        type: object
                    required:
                      - id
                      - packages
                      - type
                      - active
                      - enrolled_at
                      - local_metadata
                      - effective_config
                required:
                  - item
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
        '404':
          content:
            application/json:
              examples:
                notFoundExample:
                  description: No agent was found with the given ID
                  value:
                    error: Not Found
                    message: Agent agent-id-1 not found
                    statusCode: 404
          description: Not Found
      summary: Update an agent by ID
      tags:
        - Elastic Agents
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/agents/{agentId}/actions:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/agents/{agentId}/actions</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Create a new action for a specific agent.<br/><br/>[Required authorization] Route required privileges: fleet-agents-all.
      operationId: post-fleet-agents-agentid-actions
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The agent ID
          in: path
          name: agentId
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            examples:
              postAgentActionRequestExample:
                description: Create a UNENROLL action for an agent
                value:
                  action:
                    type: UNENROLL
            schema:
              additionalProperties: false
              type: object
              properties:
                action:
                  anyOf:
                    - additionalProperties: false
                      type: object
                      properties:
                        ack_data:
                          nullable: true
                        data:
                          nullable: true
                        type:
                          enum:
                            - UNENROLL
                            - UPGRADE
                            - POLICY_REASSIGN
                          type: string
                      required:
                        - type
                        - data
                        - ack_data
                    - additionalProperties: false
                      type: object
                      properties:
                        data:
                          additionalProperties: false
                          type: object
                          properties:
                            log_level:
                              enum:
                                - debug
                                - info
                                - warning
                                - error
                              nullable: true
                              type: string
                          required:
                            - log_level
                        type:
                          enum:
                            - SETTINGS
                          type: string
                      required:
                        - type
                        - data
              required:
                - action
      responses:
        '200':
          content:
            application/json:
              examples:
                postAgentActionExample:
                  description: Created agent action
                  value:
                    item:
                      agents:
                        - agent-id-1
                      created_at: '2024-01-01T00:00:00.000Z'
                      id: action-id-1
                      type: UNENROLL
              schema:
                additionalProperties: false
                type: object
                properties:
                  item:
                    additionalProperties: false
                    type: object
                    properties:
                      ack_data:
                        nullable: true
                      agents:
                        items:
                          type: string
                        maxItems: 10000
                        type: array
                      created_at:
                        type: string
                      data:
                        nullable: true
                      expiration:
                        type: string
                      id:
                        type: string
                      minimum_execution_duration:
                        type: number
                      namespaces:
                        items:
                          type: string
                        maxItems: 100
                        type: array
                      rollout_duration_seconds:
                        type: number
                      sent_at:
                        type: string
                      source_uri:
                        type: string
                      start_time:
                        type: string
                      total:
                        type: number
                      type:
                        type: string
                    required:
                      - id
                      - type
                      - data
                      - created_at
                      - ack_data
                required:
                  - item
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Create an agent action
      tags:
        - Elastic Agent actions
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/agents/{agentId}/effective_config:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/agents/{agentId}/effective_config</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get an agent's effective config by ID.<br/><br/>[Required authorization] Route required privileges: fleet-agents-read.
      operationId: get-fleet-agents-agentid-effective-config
      parameters:
        - description: The agent ID to get effective config of
          in: path
          name: agentId
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                successResponse:
                  value:
                    effective_config: {}
              schema:
                additionalProperties: false
                type: object
                properties:
                  effective_config:
                    nullable: true
                required:
                  - effective_config
          description: 'OK: A successful request.'
        '400':
          content:
            application/json:
              examples:
                badRequestResponse:
                  value:
                    message: Bad Request
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: A bad request.
      summary: Get an agent's effective config
      tags:
        - Elastic Agents
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/agents/{agentId}/migrate:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/agents/{agentId}/migrate</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Migrate a single agent to another cluster.<br/><br/>[Required authorization] Route required privileges: fleet-agents-all.
      operationId: post-fleet-agents-agentid-migrate
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The agent ID
          in: path
          name: agentId
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            examples:
              postMigrateAgentRequestExample:
                description: Migrate a single agent to another cluster
                value:
                  enrollment_token: enrollment-token-value
                  settings:
                    retry_max: 5
                  uri: https://fleet-server.example.com:8220
            schema:
              additionalProperties: false
              type: object
              properties:
                enrollment_token:
                  type: string
                settings:
                  additionalProperties: false
                  type: object
                  properties:
                    ca_sha256:
                      type: string
                    certificate_authorities:
                      type: string
                    elastic_agent_cert:
                      type: string
                    elastic_agent_cert_key:
                      type: string
                    elastic_agent_cert_key_passphrase:
                      type: string
                    headers:
                      additionalProperties:
                        type: string
                      type: object
                    insecure:
                      type: boolean
                    proxy_disabled:
                      type: boolean
                    proxy_headers:
                      additionalProperties:
                        type: string
                      type: object
                    proxy_url:
                      type: string
                    replace_token:
                      type: string
                    staging:
                      type: string
                    tags:
                      items:
                        type: string
                      maxItems: 10
                      type: array
                uri:
                  format: uri
                  type: string
              required:
                - uri
                - enrollment_token
      responses:
        '200':
          content:
            application/json:
              examples:
                postMigrateAgentExample:
                  description: Agent migration initiated
                  value:
                    actionId: action-id-1
              schema:
                additionalProperties: false
                type: object
                properties:
                  actionId:
                    type: string
                required:
                  - actionId
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Migrate a single agent
      tags:
        - Elastic Agents
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/agents/{agentId}/privilege_level_change:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/agents/{agentId}/privilege_level_change</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Change the privilege level of a single agent to unprivileged.<br/><br/>[Required authorization] Route required privileges: fleet-agents-all.
      operationId: post-fleet-agents-agentid-privilege-level-change
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The agent ID to change privilege level for
          in: path
          name: agentId
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            examples:
              changeAgentPrivilegeLevelRequest:
                value:
                  user_info:
                    groupname: groupname
                    password: password
                    username: username
            schema:
              additionalProperties: false
              nullable: true
              type: object
              properties:
                user_info:
                  additionalProperties: false
                  type: object
                  properties:
                    groupname:
                      type: string
                    password:
                      type: string
                    username:
                      type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                successResponse:
                  value:
                    actionId: actionId
              schema:
                anyOf:
                  - additionalProperties: false
                    type: object
                    properties:
                      actionId:
                        type: string
                    required:
                      - actionId
                  - additionalProperties: false
                    type: object
                    properties:
                      message:
                        type: string
                    required:
                      - message
          description: 'OK: A successful request.'
        '400':
          content:
            application/json:
              examples:
                badRequestResponse:
                  value:
                    message: Bad Request
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: A bad request.
      summary: Change agent privilege level
      tags:
        - Elastic Agents
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/agents/{agentId}/reassign:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/agents/{agentId}/reassign</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Reassign an agent to a different agent policy.<br/><br/>[Required authorization] Route required privileges: fleet-agents-all.
      operationId: post-fleet-agents-agentid-reassign
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The agent ID
          in: path
          name: agentId
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            examples:
              postReassignAgentRequestExample:
                description: Reassign an agent to a different policy
                value:
                  policy_id: agent-policy-id-2
            schema:
              additionalProperties: false
              type: object
              properties:
                policy_id:
                  type: string
              required:
                - policy_id
      responses:
        '200':
          content:
            application/json:
              examples:
                postReassignAgentExample:
                  description: Agent successfully reassigned
                  value: {}
              schema:
                additionalProperties: false
                type: object
                properties: {}
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Reassign an agent
      tags:
        - Elastic Agent actions
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/agents/{agentId}/request_diagnostics:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/agents/{agentId}/request_diagnostics</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Request a diagnostics bundle from a specific agent.<br/><br/>[Required authorization] Route required privileges: fleet-agents-read.
      operationId: post-fleet-agents-agentid-request-diagnostics
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The agent ID
          in: path
          name: agentId
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            examples:
              postRequestDiagnosticsRequestExample:
                description: Request a diagnostics bundle from an agent
                value:
                  additional_metrics:
                    - CPU
            schema:
              additionalProperties: false
              nullable: true
              type: object
              properties:
                additional_metrics:
                  items:
                    enum:
                      - CPU
                    type: string
                  maxItems: 1
                  type: array
      responses:
        '200':
          content:
            application/json:
              examples:
                postRequestDiagnosticsExample:
                  description: Diagnostics action result
                  value:
                    actionId: action-id-1
              schema:
                additionalProperties: false
                type: object
                properties:
                  actionId:
                    type: string
                required:
                  - actionId
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: Agent agent-id-1 does not support request diagnostics action.
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Request agent diagnostics
      tags:
        - Elastic Agent actions
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/agents/{agentId}/rollback:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/agents/{agentId}/rollback</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Roll back an agent to the previous version.<br/><br/>[Required authorization] Route required privileges: fleet-agents-all.
      operationId: post-fleet-agents-agentid-rollback
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The agent ID to roll back
          in: path
          name: agentId
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                successResponse:
                  value:
                    actionId: actionId
              schema:
                anyOf:
                  - additionalProperties: false
                    type: object
                    properties:
                      actionId:
                        type: string
                    required:
                      - actionId
                  - additionalProperties: false
                    type: object
                    properties:
                      message:
                        type: string
                    required:
                      - message
          description: 'OK: A successful request.'
        '400':
          content:
            application/json:
              examples:
                badRequestResponse:
                  value:
                    message: Bad Request
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: A bad request.
      summary: Roll back an agent
      tags:
        - Elastic Agent actions
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/agents/{agentId}/unenroll:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/agents/{agentId}/unenroll</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Unenroll a specific agent, optionally revoking its enrollment API key.<br/><br/>[Required authorization] Route required privileges: fleet-agents-all.
      operationId: post-fleet-agents-agentid-unenroll
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The agent ID
          in: path
          name: agentId
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            examples:
              postUnenrollAgentRequestExample:
                description: Unenroll an agent, optionally revoking the enrollment API key
                value:
                  revoke: false
            schema:
              additionalProperties: false
              nullable: true
              type: object
              properties:
                force:
                  type: boolean
                revoke:
                  type: boolean
      responses:
        '200':
          content:
            application/json:
              examples:
                postUnenrollAgentExample:
                  description: Agent successfully unenrolled
                  value: {}
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
          description: Bad Request
      summary: Unenroll an agent
      tags:
        - Elastic Agent actions
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/agents/{agentId}/upgrade:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/agents/{agentId}/upgrade</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Upgrade a specific agent to a newer version.<br/><br/>[Required authorization] Route required privileges: fleet-agents-all.
      operationId: post-fleet-agents-agentid-upgrade
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The agent ID
          in: path
          name: agentId
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            examples:
              postUpgradeAgentRequestExample:
                description: Upgrade an agent to a specific version
                value:
                  version: 8.17.0
            schema:
              additionalProperties: false
              type: object
              properties:
                force:
                  type: boolean
                skipRateLimitCheck:
                  type: boolean
                source_uri:
                  type: string
                version:
                  type: string
              required:
                - version
      responses:
        '200':
          content:
            application/json:
              examples:
                postUpgradeAgentExample:
                  description: Agent upgrade initiated
                  value: {}
              schema:
                additionalProperties: false
                type: object
                properties: {}
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Upgrade an agent
      tags:
        - Elastic Agent actions
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/agents/{agentId}/uploads:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/agents/{agentId}/uploads</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get a list of files uploaded by a specific agent.<br/><br/>[Required authorization] Route required privileges: fleet-agents-read.
      operationId: get-fleet-agents-agentid-uploads
      parameters:
        - description: The agent ID
          in: path
          name: agentId
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                getAgentUploadsExample:
                  description: List of files uploaded by the agent
                  value:
                    items:
                      - actionId: action-id-1
                        createTime: '2024-01-01T00:00:00.000Z'
                        filePath: /tmp/diagnostics-2024-01-01.zip
                        id: file-id-1
                        name: diagnostics-2024-01-01.zip
                        status: READY
              schema:
                additionalProperties: false
                type: object
                properties:
                  items:
                    items:
                      additionalProperties: false
                      type: object
                      properties:
                        actionId:
                          type: string
                        createTime:
                          type: string
                        error:
                          type: string
                        filePath:
                          type: string
                        id:
                          type: string
                        name:
                          type: string
                        status:
                          enum:
                            - READY
                            - AWAITING_UPLOAD
                            - DELETED
                            - EXPIRED
                            - IN_PROGRESS
                            - FAILED
                          type: string
                      required:
                        - id
                        - name
                        - filePath
                        - createTime
                        - status
                        - actionId
                    maxItems: 10000
                    type: array
                required:
                  - items
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Get agent uploads
      tags:
        - Elastic Agents
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/agents/action_status:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/agents/action_status</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get the current status of recent agent actions.<br/><br/>[Required authorization] Route required privileges: fleet-agents-read.
      operationId: get-fleet-agents-action-status
      parameters:
        - description: Page number
          in: query
          name: page
          required: false
          schema:
            default: 0
            type: number
        - description: Number of results per page
          in: query
          name: perPage
          required: false
          schema:
            default: 20
            type: number
        - description: Return actions created before this date
          in: query
          name: date
          required: false
          schema:
            type: string
        - description: Return only the latest N actions
          in: query
          name: latest
          required: false
          schema:
            type: number
        - description: Number of error details to include per action
          in: query
          name: errorSize
          required: false
          schema:
            default: 5
            type: number
      responses:
        '200':
          content:
            application/json:
              examples:
                getActionStatusExample:
                  description: Status of recent agent actions
                  value:
                    items:
                      - actionId: action-id-1
                        completionTime: '2024-01-01T00:05:00.000Z'
                        creationTime: '2024-01-01T00:00:00.000Z'
                        nbAgentsAck: 2
                        nbAgentsActioned: 2
                        nbAgentsFailed: 0
                        status: COMPLETE
                        type: UPGRADE
              schema:
                additionalProperties: false
                type: object
                properties:
                  items:
                    items:
                      additionalProperties: false
                      type: object
                      properties:
                        actionId:
                          type: string
                        cancellationTime:
                          type: string
                        completionTime:
                          type: string
                        creationTime:
                          description: creation time of action
                          type: string
                        expiration:
                          type: string
                        hasRolloutPeriod:
                          type: boolean
                        is_automatic:
                          type: boolean
                        latestErrors:
                          items:
                            additionalProperties: false
                            description: latest errors that happened when the agents executed the action
                            type: object
                            properties:
                              agentId:
                                type: string
                              error:
                                type: string
                              hostname:
                                type: string
                              timestamp:
                                type: string
                            required:
                              - agentId
                              - error
                              - timestamp
                          maxItems: 10
                          type: array
                        nbAgentsAck:
                          description: number of agents that acknowledged the action
                          type: number
                        nbAgentsActionCreated:
                          description: number of agents included in the action from Kibana
                          type: number
                        nbAgentsActioned:
                          description: number of agents actioned
                          type: number
                        nbAgentsFailed:
                          description: number of agents that failed to execute the action
                          type: number
                        newPolicyId:
                          description: new policy id (POLICY_REASSIGN action)
                          type: string
                        policyId:
                          description: policy id (POLICY_CHANGE action)
                          type: string
                        revision:
                          description: new policy revision (POLICY_CHANGE action)
                          type: number
                        startTime:
                          description: start time of action (scheduled actions)
                          type: string
                        status:
                          enum:
                            - COMPLETE
                            - EXPIRED
                            - CANCELLED
                            - FAILED
                            - IN_PROGRESS
                            - ROLLOUT_PASSED
                          type: string
                        type:
                          enum:
                            - UPGRADE
                            - UNENROLL
                            - SETTINGS
                            - POLICY_REASSIGN
                            - CANCEL
                            - FORCE_UNENROLL
                            - REQUEST_DIAGNOSTICS
                            - UPDATE_TAGS
                            - POLICY_CHANGE
                            - INPUT_ACTION
                            - MIGRATE
                            - PRIVILEGE_LEVEL_CHANGE
                            - ROLLBACK
                          type: string
                        version:
                          description: agent version number (UPGRADE action)
                          type: string
                      required:
                        - actionId
                        - nbAgentsActionCreated
                        - nbAgentsAck
                        - nbAgentsFailed
                        - type
                        - nbAgentsActioned
                        - status
                        - creationTime
                    maxItems: 10000
                    type: array
                required:
                  - items
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Get an agent action status
      tags:
        - Elastic Agent actions
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/agents/actions/{actionId}/cancel:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/agents/actions/{actionId}/cancel</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Cancel a pending action for a specific agent.<br/><br/>[Required authorization] Route required privileges: fleet-agents-all.
      operationId: post-fleet-agents-actions-actionid-cancel
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The ID of the action to cancel
          in: path
          name: actionId
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            examples:
              postCancelActionRequestExample:
                description: Cancel an agent action
                value: {}
      responses:
        '200':
          content:
            application/json:
              examples:
                postCancelActionExample:
                  description: Cancellation action created
                  value:
                    item:
                      agents:
                        - agent-id-1
                      created_at: '2024-01-01T00:00:00.000Z'
                      id: cancel-action-id-1
                      type: CANCEL
              schema:
                additionalProperties: false
                type: object
                properties:
                  item:
                    additionalProperties: false
                    type: object
                    properties:
                      ack_data:
                        nullable: true
                      agents:
                        items:
                          type: string
                        maxItems: 10000
                        type: array
                      created_at:
                        type: string
                      data:
                        nullable: true
                      expiration:
                        type: string
                      id:
                        type: string
                      minimum_execution_duration:
                        type: number
                      namespaces:
                        items:
                          type: string
                        maxItems: 100
                        type: array
                      rollout_duration_seconds:
                        type: number
                      sent_at:
                        type: string
                      source_uri:
                        type: string
                      start_time:
                        type: string
                      total:
                        type: number
                      type:
                        type: string
                    required:
                      - id
                      - type
                      - data
                      - created_at
                      - ack_data
                required:
                  - item
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Cancel an agent action
      tags:
        - Elastic Agent actions
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/agents/available_versions:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/agents/available_versions</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get a list of Elastic Agent versions available for upgrade.<br/><br/>[Required authorization] Route required privileges: fleet-agents-read.
      operationId: get-fleet-agents-available-versions
      parameters: []
      responses:
        '200':
          content:
            application/json:
              examples:
                getAvailableVersionsExample:
                  description: List of available agent versions for upgrade
                  value:
                    items:
                      - 8.17.0
                      - 8.16.3
                      - 8.16.2
              schema:
                additionalProperties: false
                type: object
                properties:
                  items:
                    items:
                      type: string
                    maxItems: 10000
                    type: array
                required:
                  - items
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Get available agent versions
      tags:
        - Elastic Agents
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/agents/bulk_migrate:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/agents/bulk_migrate</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Bulk migrate agents to another cluster.<br/><br/>[Required authorization] Route required privileges: fleet-agents-all.
      operationId: post-fleet-agents-bulk-migrate
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            examples:
              postBulkMigrateAgentsRequestExample:
                description: Migrate multiple agents to another cluster
                value:
                  agents:
                    - agent-id-1
                    - agent-id-2
                  enrollment_token: enrollment-token-value
                  settings:
                    retry_max: 5
                  uri: https://fleet-server.example.com:8220
            schema:
              additionalProperties: false
              type: object
              properties:
                agents:
                  anyOf:
                    - items:
                        type: string
                      maxItems: 10000
                      type: array
                    - type: string
                batchSize:
                  type: number
                enrollment_token:
                  type: string
                settings:
                  additionalProperties: false
                  type: object
                  properties:
                    ca_sha256:
                      type: string
                    certificate_authorities:
                      type: string
                    elastic_agent_cert:
                      type: string
                    elastic_agent_cert_key:
                      type: string
                    elastic_agent_cert_key_passphrase:
                      type: string
                    headers:
                      additionalProperties:
                        type: string
                      type: object
                    insecure:
                      type: boolean
                    proxy_disabled:
                      type: boolean
                    proxy_headers:
                      additionalProperties:
                        type: string
                      type: object
                    proxy_url:
                      type: string
                    staging:
                      type: string
                    tags:
                      items:
                        type: string
                      maxItems: 10
                      type: array
                uri:
                  format: uri
                  type: string
              required:
                - agents
                - uri
                - enrollment_token
      responses:
        '200':
          content:
            application/json:
              examples:
                postBulkMigrateAgentsExample:
                  description: Bulk agent migration initiated
                  value:
                    actionId: action-id-1
              schema:
                additionalProperties: false
                type: object
                properties:
                  actionId:
                    type: string
                required:
                  - actionId
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Migrate multiple agents
      tags:
        - Elastic Agents
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/agents/bulk_privilege_level_change:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/agents/bulk_privilege_level_change</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Change multiple agents' privilege level to unprivileged.<br/><br/>[Required authorization] Route required privileges: fleet-agents-all.
      operationId: post-fleet-agents-bulk-privilege-level-change
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            examples:
              bulkChangeAgentPrivilegeLevelRequest:
                value:
                  agents: agent
                  user_info:
                    groupname: groupname
                    password: password
                    username: username
            schema:
              additionalProperties: false
              type: object
              properties:
                agents:
                  anyOf:
                    - items:
                        type: string
                      maxItems: 10000
                      type: array
                    - type: string
                batchSize:
                  type: number
                user_info:
                  additionalProperties: false
                  type: object
                  properties:
                    groupname:
                      type: string
                    password:
                      type: string
                    username:
                      type: string
              required:
                - agents
      responses:
        '200':
          content:
            application/json:
              examples:
                successResponse:
                  value:
                    actionId: actionId
              schema:
                additionalProperties: false
                type: object
                properties:
                  actionId:
                    type: string
                required:
                  - actionId
          description: 'OK: A successful request.'
        '400':
          content:
            application/json:
              examples:
                badRequestResponse:
                  value:
                    message: Bad Request
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: A bad request.
      summary: Bulk change agent privilege level
      tags:
        - Elastic Agents
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/agents/bulk_reassign:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/agents/bulk_reassign</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Reassign multiple agents to a different agent policy.<br/><br/>[Required authorization] Route required privileges: fleet-agents-all.
      operationId: post-fleet-agents-bulk-reassign
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            examples:
              postBulkReassignAgentsRequestExample:
                description: Reassign multiple agents to a different policy
                value:
                  agents:
                    - agent-id-1
                    - agent-id-2
                  policy_id: agent-policy-id-2
            schema:
              additionalProperties: false
              type: object
              properties:
                agents:
                  anyOf:
                    - items:
                        type: string
                      maxItems: 10000
                      type: array
                    - type: string
                batchSize:
                  type: number
                includeInactive:
                  default: false
                  type: boolean
                policy_id:
                  type: string
              required:
                - policy_id
                - agents
      responses:
        '200':
          content:
            application/json:
              examples:
                postBulkReassignAgentsExample:
                  description: Bulk reassign action result
                  value:
                    actionId: action-id-1
              schema:
                additionalProperties: false
                type: object
                properties:
                  actionId:
                    type: string
                required:
                  - actionId
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Bulk reassign agents
      tags:
        - Elastic Agent actions
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/agents/bulk_request_diagnostics:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/agents/bulk_request_diagnostics</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Request diagnostics bundles from multiple agents.<br/><br/>[Required authorization] Route required privileges: fleet-agents-read.
      operationId: post-fleet-agents-bulk-request-diagnostics
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            examples:
              postBulkRequestDiagnosticsRequestExample:
                description: Request diagnostics bundles from multiple agents
                value:
                  additional_metrics:
                    - CPU
                  agents:
                    - agent-id-1
                    - agent-id-2
            schema:
              additionalProperties: false
              type: object
              properties:
                additional_metrics:
                  items:
                    enum:
                      - CPU
                    type: string
                  maxItems: 1
                  type: array
                agents:
                  anyOf:
                    - items:
                        type: string
                      maxItems: 10000
                      type: array
                    - type: string
                batchSize:
                  type: number
              required:
                - agents
      responses:
        '200':
          content:
            application/json:
              examples:
                postBulkRequestDiagnosticsExample:
                  description: Bulk diagnostics action result
                  value:
                    actionId: action-id-1
              schema:
                additionalProperties: false
                type: object
                properties:
                  actionId:
                    type: string
                required:
                  - actionId
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Bulk request diagnostics from agents
      tags:
        - Elastic Agent actions
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/agents/bulk_rollback:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/agents/bulk_rollback</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Roll back multiple agents to the previous version.<br/><br/>[Required authorization] Route required privileges: fleet-agents-all.
      operationId: post-fleet-agents-bulk-rollback
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            examples:
              bulkRollbackAgentsRequest:
                value:
                  agents:
                    - agent-1
                    - agent-2
                  batchSize: 100
                  includeInactive: false
            schema:
              additionalProperties: false
              type: object
              properties:
                agents:
                  anyOf:
                    - items:
                        type: string
                      maxItems: 10000
                      type: array
                    - type: string
                batchSize:
                  type: number
                includeInactive:
                  default: false
                  type: boolean
              required:
                - agents
      responses:
        '200':
          content:
            application/json:
              examples:
                successResponse:
                  value:
                    actionIds:
                      - actionId1
                      - actionId2
              schema:
                additionalProperties: false
                type: object
                properties:
                  actionIds:
                    items:
                      type: string
                    maxItems: 10000
                    type: array
                required:
                  - actionIds
          description: 'OK: A successful request.'
        '400':
          content:
            application/json:
              examples:
                badRequestResponse:
                  value:
                    message: Bad Request
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: A bad request.
      summary: Bulk rollback agents
      tags:
        - Elastic Agent actions
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/agents/bulk_unenroll:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/agents/bulk_unenroll</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Unenroll multiple agents, optionally revoking their enrollment API keys.<br/><br/>[Required authorization] Route required privileges: fleet-agents-all.
      operationId: post-fleet-agents-bulk-unenroll
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            examples:
              postBulkUnenrollAgentsRequestExample:
                description: Unenroll multiple agents
                value:
                  agents:
                    - agent-id-1
                    - agent-id-2
                  revoke: false
            schema:
              additionalProperties: false
              type: object
              properties:
                agents:
                  anyOf:
                    - items:
                        description: List of agent IDs
                        type: string
                      maxItems: 10000
                      type: array
                    - description: KQL query string; leave empty to act on all agents
                      type: string
                batchSize:
                  type: number
                force:
                  description: Unenrolls hosted agents too
                  type: boolean
                includeInactive:
                  description: When passing agents by KQL query, unenrolls inactive agents too
                  type: boolean
                revoke:
                  description: Revokes API keys of agents
                  type: boolean
              required:
                - agents
      responses:
        '200':
          content:
            application/json:
              examples:
                postBulkUnenrollAgentsExample:
                  description: Bulk unenroll action result
                  value:
                    actionId: action-id-1
              schema:
                additionalProperties: false
                type: object
                properties:
                  actionId:
                    type: string
                required:
                  - actionId
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Bulk unenroll agents
      tags:
        - Elastic Agent actions
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/agents/bulk_update_agent_tags:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/agents/bulk_update_agent_tags</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Add or remove tags across multiple agents.<br/><br/>[Required authorization] Route required privileges: fleet-agents-all.
      operationId: post-fleet-agents-bulk-update-agent-tags
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            examples:
              postBulkUpdateAgentTagsRequestExample:
                description: Add and remove tags across multiple agents
                value:
                  agents:
                    - agent-id-1
                    - agent-id-2
                  tagsToAdd:
                    - production
                  tagsToRemove:
                    - staging
            schema:
              additionalProperties: false
              type: object
              properties:
                agents:
                  anyOf:
                    - items:
                        type: string
                      maxItems: 10000
                      type: array
                    - type: string
                batchSize:
                  type: number
                includeInactive:
                  default: false
                  type: boolean
                tagsToAdd:
                  items:
                    type: string
                  maxItems: 10
                  type: array
                tagsToRemove:
                  items:
                    type: string
                  maxItems: 10
                  type: array
              required:
                - agents
      responses:
        '200':
          content:
            application/json:
              examples:
                postBulkUpdateAgentTagsExample:
                  description: Bulk action result
                  value:
                    actionId: action-id-1
              schema:
                additionalProperties: false
                type: object
                properties:
                  actionId:
                    type: string
                required:
                  - actionId
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Bulk update agent tags
      tags:
        - Elastic Agent actions
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/agents/bulk_upgrade:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/agents/bulk_upgrade</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Upgrade multiple agents to a newer version, with optional rollout controls.<br/><br/>[Required authorization] Route required privileges: fleet-agents-all.
      operationId: post-fleet-agents-bulk-upgrade
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            examples:
              postBulkUpgradeAgentsRequestExample:
                description: Upgrade multiple agents to a specific version
                value:
                  agents:
                    - agent-id-1
                    - agent-id-2
                  rollout_duration_seconds: 3600
                  version: 8.17.0
            schema:
              additionalProperties: false
              type: object
              properties:
                agents:
                  anyOf:
                    - items:
                        type: string
                      maxItems: 10000
                      type: array
                    - type: string
                batchSize:
                  type: number
                force:
                  type: boolean
                includeInactive:
                  default: false
                  type: boolean
                rollout_duration_seconds:
                  minimum: 600
                  type: number
                skipRateLimitCheck:
                  type: boolean
                source_uri:
                  type: string
                start_time:
                  type: string
                version:
                  type: string
              required:
                - agents
                - version
      responses:
        '200':
          content:
            application/json:
              examples:
                postBulkUpgradeAgentsExample:
                  description: Bulk upgrade action result
                  value:
                    actionId: action-id-1
              schema:
                additionalProperties: false
                type: object
                properties:
                  actionId:
                    type: string
                required:
                  - actionId
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Bulk upgrade agents
      tags:
        - Elastic Agent actions
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/agents/files/{fileId}:
    delete:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/agents/files/{fileId}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Delete a file uploaded by an agent.<br/><br/>[Required authorization] Route required privileges: fleet-agents-all.
      operationId: delete-fleet-agents-files-fileid
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The ID of the uploaded file
          in: path
          name: fileId
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                deleteAgentUploadFileExample:
                  description: Uploaded file successfully deleted
                  value:
                    deleted: true
                    id: file-id-1
              schema:
                additionalProperties: false
                type: object
                properties:
                  deleted:
                    type: boolean
                  id:
                    type: string
                required:
                  - id
                  - deleted
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Delete an uploaded file
      tags:
        - Elastic Agents
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/agents/files/{fileId}/{fileName}:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/agents/files/{fileId}/{fileName}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get a file uploaded by an agent.<br/><br/>[Required authorization] Route required privileges: fleet-agents-read.
      operationId: get-fleet-agents-files-fileid-filename
      parameters:
        - description: The ID of the uploaded file
          in: path
          name: fileId
          required: true
          schema:
            type: string
        - description: The name of the uploaded file
          in: path
          name: fileName
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                getAgentUploadFileExample:
                  description: The uploaded file content as a stream
                  value: <binary file content>
              schema:
                type: object
          description: Successful response — returns the uploaded file content
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Get an uploaded file
      tags:
        - Elastic Agents
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/agents/setup:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/agents/setup</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get the current Fleet setup status, including whether Fleet is ready to enroll agents and which requirements or optional features are missing.<br/><br/>[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup.
      operationId: get-fleet-agents-setup
      parameters: []
      responses:
        '200':
          content:
            application/json:
              examples:
                agentsSetupNotReadyExample:
                  description: Fleet is not ready — a Fleet Server and API keys are required
                  value:
                    is_action_secrets_storage_enabled: false
                    is_secrets_storage_enabled: false
                    is_space_awareness_enabled: false
                    is_ssl_secrets_storage_enabled: false
                    isReady: false
                    missing_optional_features:
                      - encrypted_saved_object_encryption_key_required
                    missing_requirements:
                      - fleet_server
                      - api_keys
                agentsSetupReadyExample:
                  description: Fleet is ready to enroll agents — all requirements are met
                  value:
                    is_action_secrets_storage_enabled: true
                    is_secrets_storage_enabled: true
                    is_space_awareness_enabled: false
                    is_ssl_secrets_storage_enabled: false
                    isReady: true
                    missing_optional_features: []
                    missing_requirements: []
                    package_verification_key_id: D88DB4CC
              schema:
                additionalProperties: false
                description: A summary of the agent setup status. `isReady` indicates whether the setup is ready. If the setup is not ready, `missing_requirements` lists which requirements are missing.
                type: object
                properties:
                  is_action_secrets_storage_enabled:
                    type: boolean
                  is_secrets_storage_enabled:
                    type: boolean
                  is_space_awareness_enabled:
                    type: boolean
                  is_ssl_secrets_storage_enabled:
                    type: boolean
                  isReady:
                    type: boolean
                  missing_optional_features:
                    items:
                      enum:
                        - encrypted_saved_object_encryption_key_required
                      type: string
                    maxItems: 1
                    type: array
                  missing_requirements:
                    items:
                      enum:
                        - security_required
                        - tls_required
                        - api_keys
                        - fleet_admin_user
                        - fleet_server
                      type: string
                    maxItems: 5
                    type: array
                  package_verification_key_id:
                    type: string
                required:
                  - isReady
                  - missing_requirements
                  - missing_optional_features
          description: Fleet setup status
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Get agent setup info
      tags:
        - Elastic Agents
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/agents/setup</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Initialize Fleet. This endpoint is used by Elastic Agents to trigger Fleet setup. The operation is idempotent, so it is safe to call multiple times.<br/><br/>[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup.
      operationId: post-fleet-agents-setup
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                agentsSetupSuccessExample:
                  description: Fleet setup initialized successfully with no non-fatal errors
                  value:
                    isInitialized: true
                    nonFatalErrors: []
              schema:
                additionalProperties: false
                description: A summary of the result of Fleet's `setup` lifecycle. If `isInitialized` is true, Fleet is ready to accept agent enrollment. `nonFatalErrors` may include useful insight into non-blocking issues with Fleet setup.
                type: object
                properties:
                  isInitialized:
                    type: boolean
                  nonFatalErrors:
                    items:
                      additionalProperties: false
                      type: object
                      properties:
                        message:
                          type: string
                        name:
                          type: string
                      required:
                        - name
                        - message
                    maxItems: 10000
                    type: array
                required:
                  - isInitialized
                  - nonFatalErrors
          description: Fleet setup completed
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Initiate Fleet setup
      tags:
        - Elastic Agents
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/agents/tags:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/agents/tags</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get a list of all tags used across enrolled agents.<br/><br/>[Required authorization] Route required privileges: fleet-agents-read.
      operationId: get-fleet-agents-tags
      parameters:
        - description: A KQL query string to filter results
          in: query
          name: kuery
          required: false
          schema:
            type: string
        - description: When true, include tags from inactive agents
          in: query
          name: showInactive
          required: false
          schema:
            default: false
            type: boolean
      responses:
        '200':
          content:
            application/json:
              examples:
                getAgentTagsExample:
                  description: List of tags used across agents
                  value:
                    items:
                      - production
                      - linux
                      - datacenter-1
              schema:
                additionalProperties: false
                type: object
                properties:
                  items:
                    items:
                      type: string
                    maxItems: 10000
                    type: array
                required:
                  - items
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Get agent tags
      tags:
        - Elastic Agents
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/check-permissions:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/check-permissions</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Check whether the current user has the required permissions to use Fleet. Optionally verifies Fleet Server setup privileges.
      operationId: get-fleet-check-permissions
      parameters:
        - description: When true, check Fleet Server setup privileges in addition to standard Fleet privileges
          in: query
          name: fleetServerSetup
          required: false
          schema:
            type: boolean
      responses:
        '200':
          content:
            application/json:
              examples:
                checkPermissionsMissingPrivilegesExample:
                  description: The current user is missing Fleet privileges
                  value:
                    error: MISSING_PRIVILEGES
                    success: false
                checkPermissionsSuccessExample:
                  description: The current user has all required Fleet permissions
                  value:
                    success: true
              schema:
                additionalProperties: false
                type: object
                properties:
                  error:
                    enum:
                      - MISSING_SECURITY
                      - MISSING_PRIVILEGES
                      - MISSING_FLEET_SERVER_SETUP_PRIVILEGES
                    type: string
                  success:
                    type: boolean
                required:
                  - success
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Check permissions
      tags:
        - Fleet internals
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/cloud_connectors:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/cloud_connectors</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        List all Fleet cloud connectors.<br/><br/>[Required authorization] Route required privileges: fleet-agent-policies-read OR integrations-read.
      operationId: get-fleet-cloud-connectors
      parameters:
        - description: The page number for pagination.
          in: query
          name: page
          required: false
          schema:
            type: string
        - description: The number of items per page.
          in: query
          name: perPage
          required: false
          schema:
            type: string
        - description: KQL query to filter cloud connectors.
          in: query
          name: kuery
          required: false
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                getCloudConnectorsExample:
                  description: List of Fleet cloud connectors
                  value:
                    items:
                      - accountType: single-account
                        cloudProvider: aws
                        created_at: '2024-01-15T10:00:00.000Z'
                        id: cloud-connector-id-1
                        name: My AWS connector
                        packagePolicyCount: 2
                        updated_at: '2024-01-15T10:00:00.000Z'
                        vars: {}
              schema:
                additionalProperties: false
                type: object
                properties:
                  items:
                    items:
                      additionalProperties: false
                      type: object
                      properties:
                        accountType:
                          type: string
                        cloudProvider:
                          type: string
                        created_at:
                          type: string
                        id:
                          type: string
                        name:
                          type: string
                        namespace:
                          type: string
                        packagePolicyCount:
                          type: number
                        updated_at:
                          type: string
                        vars:
                          additionalProperties:
                            nullable: true
                          type: object
                        verification_failed_at:
                          type: string
                        verification_started_at:
                          type: string
                        verification_status:
                          type: string
                      required:
                        - id
                        - name
                        - cloudProvider
                        - vars
                        - packagePolicyCount
                        - created_at
                        - updated_at
                    maxItems: 10000
                    type: array
                required:
                  - items
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Get cloud connectors
      tags:
        - Fleet cloud connectors
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/cloud_connectors</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Create a new Fleet cloud connector.<br/><br/>[Required authorization] Route required privileges: fleet-agent-policies-all OR integrations-all.
      operationId: post-fleet-cloud-connectors
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            examples:
              postCloudConnectorRequestExample:
                description: Create a new AWS cloud connector
                value:
                  accountType: single-account
                  cloudProvider: aws
                  name: My AWS connector
                  vars: {}
            schema:
              additionalProperties: false
              type: object
              properties:
                accountType:
                  description: 'The account type: single-account (single account/subscription) or organization-account (organization-wide).'
                  enum:
                    - single-account
                    - organization-account
                  type: string
                cloudProvider:
                  description: 'The cloud provider type: aws, azure, or gcp.'
                  enum:
                    - aws
                    - azure
                    - gcp
                  type: string
                name:
                  description: The name of the cloud connector.
                  maxLength: 255
                  minLength: 1
                  type: string
                vars:
                  additionalProperties:
                    anyOf:
                      - maxLength: 1000
                        type: string
                      - type: number
                      - type: boolean
                      - additionalProperties: false
                        type: object
                        properties:
                          frozen:
                            type: boolean
                          type:
                            maxLength: 50
                            type: string
                          value:
                            anyOf:
                              - maxLength: 1000
                                type: string
                              - additionalProperties: false
                                type: object
                                properties:
                                  id:
                                    maxLength: 255
                                    type: string
                                  isSecretRef:
                                    type: boolean
                                required:
                                  - isSecretRef
                                  - id
                        required:
                          - type
                          - value
                  type: object
              required:
                - name
                - cloudProvider
                - vars
      responses:
        '200':
          content:
            application/json:
              examples:
                postCloudConnectorExample:
                  description: The created Fleet cloud connector
                  value:
                    item:
                      accountType: single-account
                      cloudProvider: aws
                      created_at: '2024-01-15T10:00:00.000Z'
                      id: cloud-connector-id-2
                      name: My AWS connector
                      packagePolicyCount: 0
                      updated_at: '2024-01-15T10:00:00.000Z'
                      vars: {}
              schema:
                additionalProperties: false
                type: object
                properties:
                  item:
                    additionalProperties: false
                    type: object
                    properties:
                      accountType:
                        type: string
                      cloudProvider:
                        type: string
                      created_at:
                        type: string
                      id:
                        type: string
                      name:
                        type: string
                      namespace:
                        type: string
                      packagePolicyCount:
                        type: number
                      updated_at:
                        type: string
                      vars:
                        additionalProperties:
                          nullable: true
                        type: object
                      verification_failed_at:
                        type: string
                      verification_started_at:
                        type: string
                      verification_status:
                        type: string
                    required:
                      - id
                      - name
                      - cloudProvider
                      - vars
                      - packagePolicyCount
                      - created_at
                      - updated_at
                required:
                  - item
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Create cloud connector
      tags:
        - Fleet cloud connectors
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/cloud_connectors/{cloudConnectorId}:
    delete:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Delete a cloud connector by ID. Use the `force` query parameter to delete even if package policies are still using it.<br/><br/>[Required authorization] Route required privileges: fleet-agent-policies-all OR integrations-all.
      operationId: delete-fleet-cloud-connectors-cloudconnectorid
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The unique identifier of the cloud connector to delete.
          in: path
          name: cloudConnectorId
          required: true
          schema:
            type: string
        - description: If true, forces deletion even if the cloud connector is in use.
          in: query
          name: force
          required: false
          schema:
            type: boolean
      responses:
        '200':
          content:
            application/json:
              examples:
                deleteCloudConnectorExample:
                  description: The cloud connector was successfully deleted
                  value:
                    id: cloud-connector-id-1
              schema:
                additionalProperties: false
                type: object
                properties:
                  id:
                    type: string
                required:
                  - id
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Delete cloud connector (supports force deletion)
      tags:
        - Fleet cloud connectors
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get a cloud connector by ID.<br/><br/>[Required authorization] Route required privileges: fleet-agent-policies-read OR integrations-read.
      operationId: get-fleet-cloud-connectors-cloudconnectorid
      parameters:
        - description: The unique identifier of the cloud connector.
          in: path
          name: cloudConnectorId
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                getCloudConnectorExample:
                  description: A Fleet cloud connector
                  value:
                    item:
                      accountType: single-account
                      cloudProvider: aws
                      created_at: '2024-01-15T10:00:00.000Z'
                      id: cloud-connector-id-1
                      name: My AWS connector
                      packagePolicyCount: 2
                      updated_at: '2024-01-15T10:00:00.000Z'
                      vars: {}
              schema:
                additionalProperties: false
                type: object
                properties:
                  item:
                    additionalProperties: false
                    type: object
                    properties:
                      accountType:
                        type: string
                      cloudProvider:
                        type: string
                      created_at:
                        type: string
                      id:
                        type: string
                      name:
                        type: string
                      namespace:
                        type: string
                      packagePolicyCount:
                        type: number
                      updated_at:
                        type: string
                      vars:
                        additionalProperties:
                          nullable: true
                        type: object
                      verification_failed_at:
                        type: string
                      verification_started_at:
                        type: string
                      verification_status:
                        type: string
                    required:
                      - id
                      - name
                      - cloudProvider
                      - vars
                      - packagePolicyCount
                      - created_at
                      - updated_at
                required:
                  - item
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Get cloud connector
      tags:
        - Fleet cloud connectors
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    put:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb put">put</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Update a cloud connector by ID.<br/><br/>[Required authorization] Route required privileges: fleet-agent-policies-all OR integrations-all.
      operationId: put-fleet-cloud-connectors-cloudconnectorid
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The unique identifier of the cloud connector to update.
          in: path
          name: cloudConnectorId
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            examples:
              putCloudConnectorRequestExample:
                description: Update a Fleet cloud connector
                value:
                  name: Updated AWS connector
                  vars: {}
            schema:
              additionalProperties: false
              type: object
              properties:
                accountType:
                  description: 'The account type: single-account (single account/subscription) or organization-account (organization-wide).'
                  enum:
                    - single-account
                    - organization-account
                  type: string
                name:
                  description: The name of the cloud connector.
                  maxLength: 255
                  minLength: 1
                  type: string
                vars:
                  additionalProperties:
                    anyOf:
                      - maxLength: 1000
                        type: string
                      - type: number
                      - type: boolean
                      - additionalProperties: false
                        type: object
                        properties:
                          frozen:
                            type: boolean
                          type:
                            maxLength: 50
                            type: string
                          value:
                            anyOf:
                              - maxLength: 1000
                                type: string
                              - additionalProperties: false
                                type: object
                                properties:
                                  id:
                                    maxLength: 255
                                    type: string
                                  isSecretRef:
                                    type: boolean
                                required:
                                  - isSecretRef
                                  - id
                        required:
                          - type
                          - value
                  type: object
      responses:
        '200':
          content:
            application/json:
              examples:
                putCloudConnectorExample:
                  description: The updated Fleet cloud connector
                  value:
                    item:
                      accountType: single-account
                      cloudProvider: aws
                      created_at: '2024-01-15T10:00:00.000Z'
                      id: cloud-connector-id-1
                      name: Updated AWS connector
                      packagePolicyCount: 2
                      updated_at: '2024-01-15T11:00:00.000Z'
                      vars: {}
              schema:
                additionalProperties: false
                type: object
                properties:
                  item:
                    additionalProperties: false
                    type: object
                    properties:
                      accountType:
                        type: string
                      cloudProvider:
                        type: string
                      created_at:
                        type: string
                      id:
                        type: string
                      name:
                        type: string
                      namespace:
                        type: string
                      packagePolicyCount:
                        type: number
                      updated_at:
                        type: string
                      vars:
                        additionalProperties:
                          nullable: true
                        type: object
                      verification_failed_at:
                        type: string
                      verification_started_at:
                        type: string
                      verification_status:
                        type: string
                    required:
                      - id
                      - name
                      - cloudProvider
                      - vars
                      - packagePolicyCount
                      - created_at
                      - updated_at
                required:
                  - item
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Update cloud connector
      tags:
        - Fleet cloud connectors
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/cloud_connectors/{cloudConnectorId}/usage:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}/usage</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get a list of package policies that are using a given cloud connector.<br/><br/>[Required authorization] Route required privileges: fleet-agent-policies-read OR integrations-read.
      operationId: get-fleet-cloud-connectors-cloudconnectorid-usage
      parameters:
        - description: The unique identifier of the cloud connector.
          in: path
          name: cloudConnectorId
          required: true
          schema:
            type: string
        - description: The page number for pagination.
          in: query
          name: page
          required: false
          schema:
            minimum: 1
            type: number
        - description: The number of items per page.
          in: query
          name: perPage
          required: false
          schema:
            minimum: 1
            type: number
      responses:
        '200':
          content:
            application/json:
              examples:
                getCloudConnectorUsageResponseExample:
                  description: Example response showing package policies using the cloud connector
                  value:
                    items:
                      - created_at: '2025-01-16T09:00:00.000Z'
                        id: package-policy-1
                        name: CSPM AWS Policy
                        package:
                          name: cloud_security_posture
                          title: Cloud Security Posture Management
                          version: 3.1.1
                        policy_ids:
                          - policy-id-123
                          - policy-id-456
                        updated_at: '2025-01-16T09:00:00.000Z'
                    page: 1
                    perPage: 20
                    total: 2
              schema:
                additionalProperties: false
                type: object
                properties:
                  items:
                    items:
                      additionalProperties: false
                      type: object
                      properties:
                        created_at:
                          type: string
                        id:
                          type: string
                        name:
                          type: string
                        package:
                          additionalProperties: false
                          type: object
                          properties:
                            name:
                              type: string
                            title:
                              type: string
                            version:
                              type: string
                          required:
                            - name
                            - title
                            - version
                        policy_ids:
                          items:
                            type: string
                          maxItems: 10000
                          type: array
                        updated_at:
                          type: string
                      required:
                        - id
                        - name
                        - policy_ids
                        - created_at
                        - updated_at
                    maxItems: 10000
                    type: array
                  page:
                    type: number
                  perPage:
                    type: number
                  total:
                    type: number
                required:
                  - items
                  - total
                  - page
                  - perPage
          description: 'OK: A successful request.'
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: Cloud connector not found
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: A bad request.
      summary: Get cloud connector usage (package policies using the connector)
      tags:
        - Fleet cloud connectors
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/data_streams:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/data_streams</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        List all Fleet-managed data streams with metadata including package, namespace, size, and last activity.<br/><br/>[Required authorization] Route required privileges: fleet-agents-all AND fleet-agent-policies-all AND fleet-settings-all.
      operationId: get-fleet-data-streams
      parameters: []
      responses:
        '200':
          content:
            application/json:
              examples:
                getDataStreamsExample:
                  description: List of Fleet-managed data streams
                  value:
                    data_streams:
                      - dashboards:
                          - id: nginx-overview
                            title: Nginx Overview
                        dataset: nginx.access
                        index: logs-nginx.access-default
                        last_activity_ms: 1700000000000
                        namespace: default
                        package: nginx
                        package_version: 1.20.0
                        serviceDetails: null
                        size_in_bytes: 1048576
                        size_in_bytes_formatted: 1mb
                        type: logs
                      - dashboards: []
                        dataset: system.cpu
                        index: metrics-system.cpu-default
                        last_activity_ms: 1699999000000
                        namespace: default
                        package: system
                        package_version: 1.38.0
                        serviceDetails: null
                        size_in_bytes: 524288
                        size_in_bytes_formatted: 512kb
                        type: metrics
              schema:
                additionalProperties: false
                type: object
                properties:
                  data_streams:
                    items:
                      additionalProperties: false
                      type: object
                      properties:
                        dashboards:
                          items:
                            additionalProperties: false
                            type: object
                            properties:
                              id:
                                type: string
                              title:
                                type: string
                            required:
                              - id
                              - title
                          maxItems: 10000
                          type: array
                        dataset:
                          type: string
                        index:
                          type: string
                        last_activity_ms:
                          type: number
                        namespace:
                          type: string
                        package:
                          type: string
                        package_version:
                          type: string
                        serviceDetails:
                          additionalProperties: false
                          nullable: true
                          type: object
                          properties:
                            environment:
                              type: string
                            serviceName:
                              type: string
                          required:
                            - environment
                            - serviceName
                        size_in_bytes:
                          type: number
                        size_in_bytes_formatted:
                          anyOf:
                            - type: number
                            - type: string
                        type:
                          type: string
                      required:
                        - index
                        - dataset
                        - namespace
                        - type
                        - package
                        - package_version
                        - last_activity_ms
                        - size_in_bytes
                        - size_in_bytes_formatted
                        - dashboards
                        - serviceDetails
                    maxItems: 10000
                    type: array
                required:
                  - data_streams
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Get data streams
      tags:
        - Data streams
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/enrollment_api_keys:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/enrollment_api_keys</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        List all enrollment API keys.<br/><br/>[Required authorization] Route required privileges: fleet-agents-all OR fleet-setup.
      operationId: get-fleet-enrollment-api-keys
      parameters:
        - description: Page number
          in: query
          name: page
          required: false
          schema:
            default: 1
            type: number
        - description: Number of results per page
          in: query
          name: perPage
          required: false
          schema:
            default: 20
            type: number
        - description: A KQL query string to filter results
          in: query
          name: kuery
          required: false
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                getEnrollmentApiKeysExample:
                  description: List of enrollment API keys
                  value:
                    items:
                      - active: true
                        api_key: api-key-value-1
                        api_key_id: api-key-id-1
                        created_at: '2024-01-01T00:00:00.000Z'
                        id: key-id-1
                        name: Default policy enrollment key
                        policy_id: policy-id-1
                    list:
                      - active: true
                        api_key: api-key-value-1
                        api_key_id: api-key-id-1
                        created_at: '2024-01-01T00:00:00.000Z'
                        id: key-id-1
                        name: Default policy enrollment key
                        policy_id: policy-id-1
                    page: 1
                    perPage: 20
                    total: 1
              schema:
                additionalProperties: false
                type: object
                properties:
                  items:
                    items:
                      additionalProperties: false
                      type: object
                      properties:
                        active:
                          description: When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents.
                          type: boolean
                        api_key:
                          description: The enrollment API key (token) used for enrolling Elastic Agents.
                          type: string
                        api_key_id:
                          description: The ID of the API key in the Security API.
                          type: string
                        created_at:
                          type: string
                        hidden:
                          type: boolean
                        id:
                          type: string
                        name:
                          description: The name of the enrollment API key.
                          type: string
                        policy_id:
                          description: The ID of the agent policy the Elastic Agent will be enrolled in.
                          type: string
                      required:
                        - id
                        - api_key_id
                        - api_key
                        - active
                        - created_at
                    maxItems: 10000
                    type: array
                  list:
                    deprecated: true
                    items:
                      additionalProperties: false
                      type: object
                      properties:
                        active:
                          description: When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents.
                          type: boolean
                        api_key:
                          description: The enrollment API key (token) used for enrolling Elastic Agents.
                          type: string
                        api_key_id:
                          description: The ID of the API key in the Security API.
                          type: string
                        created_at:
                          type: string
                        hidden:
                          type: boolean
                        id:
                          type: string
                        name:
                          description: The name of the enrollment API key.
                          type: string
                        policy_id:
                          description: The ID of the agent policy the Elastic Agent will be enrolled in.
                          type: string
                      required:
                        - id
                        - api_key_id
                        - api_key
                        - active
                        - created_at
                    maxItems: 10000
                    type: array
                  page:
                    type: number
                  perPage:
                    type: number
                  total:
                    type: number
                required:
                  - items
                  - total
                  - page
                  - perPage
                  - list
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Get enrollment API keys
      tags:
        - Fleet enrollment API keys
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/enrollment_api_keys</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Create an enrollment API key for a given agent policy.<br/><br/>[Required authorization] Route required privileges: fleet-agents-all.
      operationId: post-fleet-enrollment-api-keys
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            examples:
              postEnrollmentApiKeyRequestExample:
                description: Create an enrollment API key for an agent policy
                value:
                  expiration: '2025-01-01T00:00:00.000Z'
                  name: My enrollment key
                  policy_id: policy-id-1
            schema:
              additionalProperties: false
              type: object
              properties:
                expiration:
                  type: string
                name:
                  type: string
                policy_id:
                  type: string
              required:
                - policy_id
      responses:
        '200':
          content:
            application/json:
              examples:
                postEnrollmentApiKeyExample:
                  description: The created enrollment API key
                  value:
                    action: created
                    item:
                      active: true
                      api_key: api-key-value-1
                      api_key_id: api-key-id-1
                      created_at: '2024-01-01T00:00:00.000Z'
                      id: key-id-1
                      name: My enrollment key
                      policy_id: policy-id-1
              schema:
                additionalProperties: false
                type: object
                properties:
                  action:
                    enum:
                      - created
                    type: string
                  item:
                    additionalProperties: false
                    type: object
                    properties:
                      active:
                        description: When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents.
                        type: boolean
                      api_key:
                        description: The enrollment API key (token) used for enrolling Elastic Agents.
                        type: string
                      api_key_id:
                        description: The ID of the API key in the Security API.
                        type: string
                      created_at:
                        type: string
                      hidden:
                        type: boolean
                      id:
                        type: string
                      name:
                        description: The name of the enrollment API key.
                        type: string
                      policy_id:
                        description: The ID of the agent policy the Elastic Agent will be enrolled in.
                        type: string
                    required:
                      - id
                      - api_key_id
                      - api_key
                      - active
                      - created_at
                required:
                  - item
                  - action
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Create an enrollment API key
      tags:
        - Fleet enrollment API keys
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/enrollment_api_keys/_bulk_delete:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/enrollment_api_keys/_bulk_delete</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Revoke or delete multiple enrollment API keys.<br/><br/>[Required authorization] Route required privileges: fleet-agents-all.
      operationId: post-fleet-enrollment-api-keys-bulk-delete
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            examples:
              bulkDeleteByIdsExample:
                description: Bulk delete enrollment API keys by IDs
                value:
                  forceDelete: true
                  tokenIds:
                    - token-id-1
                    - token-id-2
              bulkDeleteByKueryExample:
                description: Bulk delete enrollment API keys by KQL query
                value:
                  forceDelete: false
                  kuery: policy_id:"policy-id-1"
            schema:
              additionalProperties: false
              type: object
              properties:
                forceDelete:
                  default: false
                  description: When false (default), invalidate the API key and mark the token as inactive. When true, also delete the token document.
                  type: boolean
                includeHidden:
                  default: false
                  description: When true, allow deletion of hidden enrollment tokens (managed/agentless policies). Defaults to false.
                  type: boolean
                kuery:
                  description: KQL query to select enrollment tokens to delete.
                  type: string
                tokenIds:
                  description: List of enrollment token IDs to delete.
                  items:
                    type: string
                  maxItems: 10000
                  type: array
      responses:
        '200':
          content:
            application/json:
              examples:
                bulkDeleteEnrollmentApiKeysExample:
                  description: The enrollment API keys were successfully processed
                  value:
                    action: deleted
                    count: 2
                    errorCount: 0
                    successCount: 2
              schema:
                additionalProperties: false
                type: object
                properties:
                  action:
                    type: string
                  count:
                    type: number
                  errorCount:
                    type: number
                  successCount:
                    type: number
                required:
                  - action
                  - count
                  - successCount
                  - errorCount
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: Either tokenIds or kuery must be provided
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Bulk revoke or delete enrollment API keys
      tags:
        - Fleet enrollment API keys
      x-state: Generally available
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/enrollment_api_keys/{keyId}:
    delete:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/enrollment_api_keys/{keyId}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Revoke or delete an enrollment API key by ID. Use `forceDelete=true` to remove the document.<br/><br/>[Required authorization] Route required privileges: fleet-agents-all.
      operationId: delete-fleet-enrollment-api-keys-keyid
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The ID of the enrollment API key
          in: path
          name: keyId
          required: true
          schema:
            type: string
        - description: When false (default), invalidate the API key and mark the token as inactive. When true, also delete the token document.
          in: query
          name: forceDelete
          required: false
          schema:
            default: false
            type: boolean
        - description: When true, allow deletion of hidden enrollment tokens (managed/agentless policies). Defaults to false.
          in: query
          name: includeHidden
          required: false
          schema:
            default: false
            type: boolean
      responses:
        '200':
          content:
            application/json:
              examples:
                deleteEnrollmentApiKeyExample:
                  description: The enrollment API key was successfully revoked
                  value:
                    action: deleted
              schema:
                additionalProperties: false
                type: object
                properties:
                  action:
                    enum:
                      - deleted
                    type: string
                required:
                  - action
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
        '404':
          content:
            application/json:
              examples:
                notFoundExample:
                  description: No enrollment API key was found with the given ID
                  value:
                    error: Not Found
                    message: EnrollmentAPIKey key-id-1 not found
                    statusCode: 404
          description: Not Found
      summary: Revoke or delete an enrollment API key
      tags:
        - Fleet enrollment API keys
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/enrollment_api_keys/{keyId}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get an enrollment API key by ID.<br/><br/>[Required authorization] Route required privileges: fleet-agents-all OR fleet-setup.
      operationId: get-fleet-enrollment-api-keys-keyid
      parameters:
        - description: The ID of the enrollment API key
          in: path
          name: keyId
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                getEnrollmentApiKeyExample:
                  description: An enrollment API key
                  value:
                    item:
                      active: true
                      api_key: api-key-value-1
                      api_key_id: api-key-id-1
                      created_at: '2024-01-01T00:00:00.000Z'
                      id: key-id-1
                      name: Default policy enrollment key
                      policy_id: policy-id-1
              schema:
                additionalProperties: false
                type: object
                properties:
                  item:
                    additionalProperties: false
                    type: object
                    properties:
                      active:
                        description: When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents.
                        type: boolean
                      api_key:
                        description: The enrollment API key (token) used for enrolling Elastic Agents.
                        type: string
                      api_key_id:
                        description: The ID of the API key in the Security API.
                        type: string
                      created_at:
                        type: string
                      hidden:
                        type: boolean
                      id:
                        type: string
                      name:
                        description: The name of the enrollment API key.
                        type: string
                      policy_id:
                        description: The ID of the agent policy the Elastic Agent will be enrolled in.
                        type: string
                    required:
                      - id
                      - api_key_id
                      - api_key
                      - active
                      - created_at
                required:
                  - item
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
        '404':
          content:
            application/json:
              examples:
                notFoundExample:
                  description: No enrollment API key was found with the given ID
                  value:
                    error: Not Found
                    message: EnrollmentAPIKey key-id-1 not found
                    statusCode: 404
          description: Not Found
      summary: Get an enrollment API key
      tags:
        - Fleet enrollment API keys
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/epm/bulk_assets:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/epm/bulk_assets</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Retrieve multiple Kibana saved object assets by their IDs and types.<br/><br/>[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.
      operationId: post-fleet-epm-bulk-assets
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            examples:
              postBulkGetAssetsRequestExample:
                description: Retrieve multiple assets by their IDs and types
                value:
                  assetIds:
                    - id: dashboard-id-1
                      type: dashboard
                    - id: index-pattern-id-1
                      type: index_pattern
            schema:
              additionalProperties: false
              type: object
              properties:
                assetIds:
                  items:
                    additionalProperties: false
                    type: object
                    properties:
                      id:
                        type: string
                      type:
                        type: string
                    required:
                      - id
                      - type
                  maxItems: 10000
                  type: array
              required:
                - assetIds
      responses:
        '200':
          content:
            application/json:
              examples:
                postBulkGetAssetsExample:
                  description: Requested assets
                  value:
                    items:
                      - appLink: /app/dashboards#/view/dashboard-id-1
                        attributes:
                          title: My Dashboard
                        id: dashboard-id-1
                        type: dashboard
              schema:
                additionalProperties: false
                type: object
                properties:
                  items:
                    items:
                      additionalProperties: false
                      type: object
                      properties:
                        appLink:
                          type: string
                        attributes:
                          additionalProperties: false
                          type: object
                          properties:
                            description:
                              type: string
                            service:
                              type: string
                            title:
                              type: string
                        id:
                          type: string
                        type:
                          type: string
                        updatedAt:
                          type: string
                      required:
                        - id
                        - type
                        - attributes
                    maxItems: 10000
                    type: array
                required:
                  - items
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Bulk get assets
      tags:
        - Elastic Package Manager (EPM)
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/epm/categories:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/epm/categories</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get a list of integration categories.<br/><br/>[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.
      operationId: get-fleet-epm-categories
      parameters:
        - description: When true, include prerelease packages in the results
          in: query
          name: prerelease
          required: false
          schema:
            type: boolean
        - description: When true, include categories that only contain policy templates
          in: query
          name: include_policy_templates
          required: false
          schema:
            type: boolean
      responses:
        '200':
          content:
            application/json:
              examples:
                getCategoriesExample:
                  description: List of integration categories
                  value:
                    items:
                      - count: 42
                        id: security
                        title: Security
                      - count: 38
                        id: observability
                        title: Observability
              schema:
                additionalProperties: false
                type: object
                properties:
                  items:
                    items:
                      additionalProperties: false
                      type: object
                      properties:
                        count:
                          type: number
                        id:
                          type: string
                        parent_id:
                          type: string
                        parent_title:
                          type: string
                        title:
                          type: string
                      required:
                        - id
                        - title
                        - count
                    maxItems: 10000
                    type: array
                required:
                  - items
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Get package categories
      tags:
        - Elastic Package Manager (EPM)
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/epm/custom_integrations:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/epm/custom_integrations</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Create a new custom integration package with user-defined data streams.<br/><br/>[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.
      operationId: post-fleet-epm-custom-integrations
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            examples:
              postCreateCustomIntegrationRequestExample:
                description: Create a new custom integration
                value:
                  datasets:
                    - name: my_custom_logs.access
                      type: logs
                  integrationName: my_custom_logs
            schema:
              additionalProperties: false
              type: object
              properties:
                datasets:
                  items:
                    additionalProperties: false
                    type: object
                    properties:
                      name:
                        type: string
                      type:
                        enum:
                          - logs
                          - metrics
                          - traces
                          - synthetics
                          - profiling
                        type: string
                    required:
                      - name
                      - type
                  maxItems: 10
                  type: array
                force:
                  type: boolean
                integrationName:
                  type: string
              required:
                - integrationName
                - datasets
      responses:
        '200':
          content:
            application/json:
              examples:
                postCreateCustomIntegrationExample:
                  description: Custom integration successfully created
                  value:
                    _meta:
                      install_source: custom
                      name: my_custom_logs
                    items:
                      - id: my_custom_logs-logs-my_custom_logs.access
                        type: index_template
              schema:
                additionalProperties: false
                type: object
                properties:
                  _meta:
                    additionalProperties: false
                    type: object
                    properties:
                      install_source:
                        type: string
                      name:
                        type: string
                    required:
                      - install_source
                      - name
                  items:
                    items:
                      anyOf:
                        - additionalProperties: false
                          type: object
                          properties:
                            deferred:
                              type: boolean
                            id:
                              type: string
                            originId:
                              type: string
                            type:
                              anyOf:
                                - enum:
                                    - dashboard
                                    - lens
                                    - visualization
                                    - search
                                    - index-pattern
                                    - map
                                    - ml-module
                                    - security-rule
                                    - csp-rule-template
                                    - osquery-pack-asset
                                    - osquery-saved-query
                                    - tag
                                  type: string
                                - type: string
                          required:
                            - id
                            - type
                        - additionalProperties: false
                          type: object
                          properties:
                            deferred:
                              type: boolean
                            id:
                              type: string
                            type:
                              enum:
                                - index
                                - index_template
                                - component_template
                                - ingest_pipeline
                                - ilm_policy
                                - data_stream_ilm_policy
                                - transform
                                - ml_model
                                - knowledge_base
                                - esql_view
                              type: string
                            version:
                              type: string
                          required:
                            - id
                            - type
                    maxItems: 10000
                    type: array
                required:
                  - items
                  - _meta
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Create a custom integration
      tags:
        - Elastic Package Manager (EPM)
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/epm/custom_integrations/{pkgName}:
    put:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb put">put</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/epm/custom_integrations/{pkgName}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Update the datasets of an existing custom integration package.<br/><br/>[Required authorization] Route required privileges: fleet-settings-all AND integrations-all.
      operationId: put-fleet-epm-custom-integrations-pkgname
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: Package name
          in: path
          name: pkgName
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            examples:
              putUpdateCustomIntegrationRequestExample:
                description: Update a custom integration
                value:
                  categories:
                    - observability
                  readMeData: '# My custom logs integration'
            schema:
              additionalProperties: false
              type: object
              properties:
                categories:
                  items:
                    type: string
                  maxItems: 10
                  type: array
                readMeData:
                  type: string
              required:
                - readMeData
      responses:
        '200':
          content:
            application/json:
              examples:
                putUpdateCustomIntegrationExample:
                  description: Custom integration successfully updated
                  value: {}
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Update a custom integration
      tags:
        - Elastic Package Manager (EPM)
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/epm/data_streams:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/epm/data_streams</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get a list of data streams created by installed integration packages.<br/><br/>[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.
      operationId: get-fleet-epm-data-streams
      parameters:
        - description: Filter by data stream type
          in: query
          name: type
          required: false
          schema:
            enum:
              - logs
              - metrics
              - traces
              - synthetics
              - profiling
            type: string
        - description: Filter data streams by dataset name
          in: query
          name: datasetQuery
          required: false
          schema:
            type: string
        - description: Sort order, ascending or descending
          in: query
          name: sortOrder
          required: false
          schema:
            default: asc
            enum:
              - asc
              - desc
            type: string
        - description: When true, only return data streams that are not associated with a package
          in: query
          name: uncategorisedOnly
          required: false
          schema:
            default: false
            type: boolean
      responses:
        '200':
          content:
            application/json:
              examples:
                getDataStreamsExample:
                  description: List of data streams from installed packages
                  value:
                    items:
                      - name: logs-system.syslog-default
              schema:
                additionalProperties: false
                type: object
                properties:
                  items:
                    items:
                      additionalProperties: false
                      type: object
                      properties:
                        name:
                          type: string
                      required:
                        - name
                    maxItems: 10000
                    type: array
                required:
                  - items
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Get data streams
      tags:
        - Data streams
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/epm/packages:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/epm/packages</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get a list of integration packages available in the registry.<br/><br/>[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.
      operationId: get-fleet-epm-packages
      parameters:
        - description: Filter packages by category
          in: query
          name: category
          required: false
          schema:
            type: string
        - description: When true, include prerelease packages in the results
          in: query
          name: prerelease
          required: false
          schema:
            type: boolean
        - description: When true, exclude the install status from the response
          in: query
          name: excludeInstallStatus
          required: false
          schema:
            type: boolean
        - description: When true, include the number of package policies per package
          in: query
          name: withPackagePoliciesCount
          required: false
          schema:
            type: boolean
      responses:
        '200':
          content:
            application/json:
              examples:
                getPackagesExample:
                  description: List of available integration packages
                  value:
                    items:
                      - categories:
                          - cloud
                        description: Collect logs and metrics from Amazon Web Services
                        id: aws
                        name: aws
                        status: not_installed
                        title: AWS
                        version: 2.10.0
                    searchExcluded: 0
                    total: 1
              schema:
                additionalProperties: false
                type: object
                properties:
                  items:
                    items:
                      additionalProperties: true
                      type: object
                      properties:
                        categories:
                          items:
                            type: string
                          maxItems: 100
                          type: array
                        conditions:
                          additionalProperties: true
                          type: object
                          properties:
                            deprecated:
                              additionalProperties: true
                              type: object
                              properties:
                                description:
                                  type: string
                                replaced_by:
                                  additionalProperties:
                                    type: string
                                  type: object
                                since:
                                  type: string
                              required:
                                - description
                            elastic:
                              additionalProperties: true
                              type: object
                              properties:
                                capabilities:
                                  items:
                                    type: string
                                  maxItems: 10
                                  type: array
                                subscription:
                                  type: string
                            kibana:
                              additionalProperties: true
                              type: object
                              properties:
                                version:
                                  type: string
                        data_streams:
                          items:
                            additionalProperties:
                              nullable: true
                            type: object
                          maxItems: 1000
                          type: array
                        deprecated:
                          additionalProperties: true
                          type: object
                          properties:
                            description:
                              type: string
                            replaced_by:
                              additionalProperties:
                                type: string
                              type: object
                            since:
                              type: string
                          required:
                            - description
                        description:
                          type: string
                        discovery:
                          additionalProperties: true
                          type: object
                          properties:
                            datasets:
                              items:
                                additionalProperties: true
                                type: object
                                properties:
                                  name:
                                    type: string
                                required:
                                  - name
                              maxItems: 100
                              type: array
                            fields:
                              items:
                                additionalProperties: true
                                type: object
                                properties:
                                  name:
                                    type: string
                                required:
                                  - name
                              maxItems: 100
                              type: array
                        download:
                          type: string
                        format_version:
                          type: string
                        icons:
                          items:
                            additionalProperties: true
                            type: object
                            properties:
                              dark_mode:
                                type: boolean
                              path:
                                type: string
                              size:
                                type: string
                              src:
                                type: string
                              title:
                                type: string
                              type:
                                type: string
                            required:
                              - src
                          maxItems: 100
                          type: array
                        id:
                          type: string
                        installationInfo:
                          additionalProperties: true
                          type: object
                          properties:
                            additional_spaces_installed_kibana:
                              additionalProperties:
                                items:
                                  additionalProperties: true
                                  type: object
                                  properties:
                                    deferred:
                                      type: boolean
                                    id:
                                      type: string
                                    originId:
                                      type: string
                                    type:
                                      anyOf:
                                        - enum:
                                            - dashboard
                                            - lens
                                            - visualization
                                            - search
                                            - index-pattern
                                            - map
                                            - ml-module
                                            - security-rule
                                            - csp-rule-template
                                            - osquery-pack-asset
                                            - osquery-saved-query
                                            - tag
                                          type: string
                                        - type: string
                                  required:
                                    - id
                                    - type
                                maxItems: 100
                                type: array
                              type: object
                            created_at:
                              type: string
                            experimental_data_stream_features:
                              items:
                                additionalProperties: true
                                type: object
                                properties:
                                  data_stream:
                                    type: string
                                  features:
                                    additionalProperties: true
                                    type: object
                                    properties:
                                      doc_value_only_numeric:
                                        type: boolean
                                      doc_value_only_other:
                                        type: boolean
                                      synthetic_source:
                                        type: boolean
                                      tsdb:
                                        type: boolean
                                required:
                                  - data_stream
                                  - features
                              maxItems: 100
                              type: array
                            install_format_schema_version:
                              type: string
                            install_source:
                              enum:
                                - registry
                                - upload
                                - bundled
                                - custom
                              type: string
                            install_status:
                              enum:
                                - installed
                                - installing
                                - install_failed
                              type: string
                            installed_es:
                              items:
                                additionalProperties: true
                                type: object
                                properties:
                                  deferred:
                                    type: boolean
                                  id:
                                    type: string
                                  type:
                                    enum:
                                      - index
                                      - index_template
                                      - component_template
                                      - ingest_pipeline
                                      - ilm_policy
                                      - data_stream_ilm_policy
                                      - transform
                                      - ml_model
                                      - knowledge_base
                                      - esql_view
                                    type: string
                                  version:
                                    type: string
                                required:
                                  - id
                                  - type
                              maxItems: 10000
                              type: array
                            installed_kibana:
                              items:
                                additionalProperties: true
                                type: object
                                properties:
                                  deferred:
                                    type: boolean
                                  id:
                                    type: string
                                  originId:
                                    type: string
                                  type:
                                    anyOf:
                                      - enum:
                                          - dashboard
                                          - lens
                                          - visualization
                                          - search
                                          - index-pattern
                                          - map
                                          - ml-module
                                          - security-rule
                                          - csp-rule-template
                                          - osquery-pack-asset
                                          - osquery-saved-query
                                          - tag
                                        type: string
                                      - type: string
                                required:
                                  - id
                                  - type
                              maxItems: 10000
                              type: array
                            installed_kibana_space_id:
                              type: string
                            is_rollback_ttl_expired:
                              type: boolean
                            latest_executed_state:
                              additionalProperties: true
                              type: object
                              properties:
                                error:
                                  type: string
                                name:
                                  type: string
                                started_at:
                                  type: string
                            latest_install_failed_attempts:
                              items:
                                additionalProperties: true
                                type: object
                                properties:
                                  created_at:
                                    type: string
                                  error:
                                    additionalProperties: true
                                    type: object
                                    properties:
                                      message:
                                        type: string
                                      name:
                                        type: string
                                      stack:
                                        type: string
                                    required:
                                      - name
                                      - message
                                  target_version:
                                    type: string
                                required:
                                  - created_at
                                  - target_version
                                  - error
                              maxItems: 10
                              type: array
                            name:
                              type: string
                            namespaces:
                              items:
                                type: string
                              maxItems: 100
                              type: array
                            previous_version:
                              nullable: true
                              type: string
                            rolled_back:
                              type: boolean
                            type:
                              type: string
                            updated_at:
                              type: string
                            verification_key_id:
                              nullable: true
                              type: string
                            verification_status:
                              enum:
                                - unverified
                                - verified
                                - unknown
                              type: string
                            version:
                              type: string
                          required:
                            - type
                            - installed_kibana
                            - installed_es
                            - name
                            - version
                            - install_status
                            - install_source
                            - verification_status
                        integration:
                          type: string
                        internal:
                          type: boolean
                        latestVersion:
                          type: string
                        name:
                          type: string
                        owner:
                          additionalProperties: true
                          type: object
                          properties:
                            github:
                              type: string
                            type:
                              enum:
                                - elastic
                                - partner
                                - community
                              type: string
                        path:
                          type: string
                        policy_templates:
                          items:
                            additionalProperties:
                              nullable: true
                            type: object
                          maxItems: 1000
                          type: array
                        readme:
                          type: string
                        release:
                          enum:
                            - ga
                            - beta
                            - experimental
                          type: string
                        signature_path:
                          type: string
                        source:
                          additionalProperties: true
                          type: object
                          properties:
                            license:
                              type: string
                          required:
                            - license
                        status:
                          type: string
                        title:
                          type: string
                        type:
                          anyOf:
                            - enum:
                                - integration
                              type: string
                            - enum:
                                - input
                              type: string
                            - enum:
                                - content
                              type: string
                            - type: string
                        var_groups:
                          items:
                            additionalProperties: true
                            type: object
                            properties:
                              description:
                                type: string
                              name:
                                type: string
                              options:
                                items:
                                  additionalProperties: true
                                  type: object
                                  properties:
                                    description:
                                      type: string
                                    hide_in_deployment_modes:
                                      items:
                                        enum:
                                          - default
                                          - agentless
                                        type: string
                                      maxItems: 2
                                      type: array
                                    name:
                                      type: string
                                    title:
                                      type: string
                                    vars:
                                      items:
                                        type: string
                                      maxItems: 100
                                      type: array
                                  required:
                                    - name
                                    - title
                                    - vars
                                maxItems: 100
                                type: array
                              selector_title:
                                type: string
                              title:
                                type: string
                            required:
                              - name
                              - title
                              - selector_title
                              - options
                          maxItems: 100
                          type: array
                        vars:
                          items:
                            additionalProperties:
                              nullable: true
                            type: object
                          maxItems: 1000
                          type: array
                        version:
                          type: string
                      required:
                        - name
                        - version
                        - title
                        - id
                    maxItems: 10000
                    type: array
                required:
                  - items
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Get packages
      tags:
        - Elastic Package Manager (EPM)
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/epm/packages</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Install a package by uploading a .zip or .tar.gz archive (max 100MB). Only available to superusers.<br/><br/>[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.
      operationId: post-fleet-epm-packages
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: When true, ignore mapping update errors during installation
          in: query
          name: ignoreMappingUpdateErrors
          required: false
          schema:
            default: false
            type: boolean
        - description: When true, skip data stream rollover after installation
          in: query
          name: skipDataStreamRollover
          required: false
          schema:
            default: false
            type: boolean
      requestBody:
        content:
          application/gzip:
            examples:
              postInstallByUploadRequestExample:
                description: Upload a .zip or .tar.gz package archive (max 100MB)
                value: <binary package archive>
          application/gzip; application/zip:
            examples:
              postInstallByUploadRequestExample:
                description: Upload a .zip or .tar.gz package archive (max 100MB)
                value: <binary package archive>
            schema:
              format: binary
              type: string
      responses:
        '200':
          content:
            application/gzip; application/zip:
              examples:
                postInstallByUploadExample:
                  description: Package successfully installed from upload
                  value:
                    _meta:
                      install_source: upload
                    items:
                      - id: my-custom-package-logs-default
                        type: index_template
              schema:
                additionalProperties: false
                type: object
                properties:
                  _meta:
                    additionalProperties: false
                    type: object
                    properties:
                      install_source:
                        type: string
                      name:
                        type: string
                    required:
                      - install_source
                      - name
                  items:
                    items:
                      anyOf:
                        - additionalProperties: false
                          type: object
                          properties:
                            deferred:
                              type: boolean
                            id:
                              type: string
                            originId:
                              type: string
                            type:
                              anyOf:
                                - enum:
                                    - dashboard
                                    - lens
                                    - visualization
                                    - search
                                    - index-pattern
                                    - map
                                    - ml-module
                                    - security-rule
                                    - csp-rule-template
                                    - osquery-pack-asset
                                    - osquery-saved-query
                                    - tag
                                  type: string
                                - type: string
                          required:
                            - id
                            - type
                        - additionalProperties: false
                          type: object
                          properties:
                            deferred:
                              type: boolean
                            id:
                              type: string
                            type:
                              enum:
                                - index
                                - index_template
                                - component_template
                                - ingest_pipeline
                                - ilm_policy
                                - data_stream_ilm_policy
                                - transform
                                - ml_model
                                - knowledge_base
                                - esql_view
                              type: string
                            version:
                              type: string
                          required:
                            - id
                            - type
                    maxItems: 10000
                    type: array
                required:
                  - items
                  - _meta
            application/json:
              examples:
                postInstallByUploadExample:
                  description: Package successfully installed from upload
                  value:
                    _meta:
                      install_source: upload
                    items:
                      - id: my-custom-package-logs-default
                        type: index_template
          description: Successful response
        '400':
          content:
            application/gzip; application/zip:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
          description: Bad Request
      summary: Install a package by upload
      tags:
        - Elastic Package Manager (EPM)
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/epm/packages/_bulk:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/epm/packages/_bulk</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Install multiple packages from the Elastic Package Registry in a single request.<br/><br/>[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.
      operationId: post-fleet-epm-packages-bulk
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: When true, allow installing prerelease versions
          in: query
          name: prerelease
          required: false
          schema:
            type: boolean
      requestBody:
        content:
          application/json:
            examples:
              postBulkInstallPackagesRequestExample:
                description: Install multiple packages from the registry
                value:
                  packages:
                    - system
                    - aws
            schema:
              additionalProperties: false
              type: object
              properties:
                force:
                  default: false
                  type: boolean
                packages:
                  items:
                    anyOf:
                      - type: string
                      - additionalProperties: false
                        type: object
                        properties:
                          name:
                            type: string
                          prerelease:
                            type: boolean
                          version:
                            type: string
                        required:
                          - name
                          - version
                  maxItems: 1000
                  minItems: 1
                  type: array
              required:
                - packages
      responses:
        '200':
          content:
            application/json:
              examples:
                postBulkInstallPackagesExample:
                  description: Bulk install results
                  value:
                    items:
                      - name: system
                        result:
                          assets: []
                          status: installed
                      - name: aws
                        result:
                          assets: []
                          status: installed
              schema:
                additionalProperties: false
                type: object
                properties:
                  items:
                    items:
                      anyOf:
                        - additionalProperties: false
                          type: object
                          properties:
                            name:
                              type: string
                            result:
                              additionalProperties: false
                              type: object
                              properties:
                                assets:
                                  items:
                                    anyOf:
                                      - additionalProperties: false
                                        type: object
                                        properties:
                                          deferred:
                                            type: boolean
                                          id:
                                            type: string
                                          originId:
                                            type: string
                                          type:
                                            anyOf:
                                              - enum:
                                                  - dashboard
                                                  - lens
                                                  - visualization
                                                  - search
                                                  - index-pattern
                                                  - map
                                                  - ml-module
                                                  - security-rule
                                                  - csp-rule-template
                                                  - osquery-pack-asset
                                                  - osquery-saved-query
                                                  - tag
                                                type: string
                                              - type: string
                                        required:
                                          - id
                                          - type
                                      - additionalProperties: false
                                        type: object
                                        properties:
                                          deferred:
                                            type: boolean
                                          id:
                                            type: string
                                          type:
                                            enum:
                                              - index
                                              - index_template
                                              - component_template
                                              - ingest_pipeline
                                              - ilm_policy
                                              - data_stream_ilm_policy
                                              - transform
                                              - ml_model
                                              - knowledge_base
                                              - esql_view
                                            type: string
                                          version:
                                            type: string
                                        required:
                                          - id
                                          - type
                                  maxItems: 10000
                                  type: array
                                error:
                                  nullable: true
                                installSource:
                                  type: string
                                installType:
                                  type: string
                                status:
                                  enum:
                                    - installed
                                    - already_installed
                                  type: string
                              required:
                                - error
                                - installType
                            version:
                              type: string
                          required:
                            - name
                            - version
                            - result
                        - additionalProperties: false
                          type: object
                          properties:
                            error:
                              anyOf:
                                - type: string
                                - nullable: true
                            name:
                              type: string
                            statusCode:
                              type: number
                          required:
                            - name
                            - statusCode
                    maxItems: 10000
                    type: array
                required:
                  - items
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Bulk install packages
      tags:
        - Elastic Package Manager (EPM)
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/epm/packages/_bulk_namespace_customization:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/epm/packages/_bulk_namespace_customization</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Enable or disable namespace-level index template customization for a list of packages in one call. Use this for IaC-style declarative flows.<br/><br/>[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.
      operationId: post-fleet-epm-packages-bulk-namespace-customization
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            examples:
              bulkNamespaceCustomizationRequest:
                value:
                  disable:
                    - dev
                  enable:
                    - production
                    - staging
                  packages:
                    - system
                    - nginx
            schema:
              additionalProperties: false
              type: object
              properties:
                disable:
                  description: Namespaces for which to disable namespace-level customization on each package.
                  items:
                    type: string
                  maxItems: 100
                  type: array
                enable:
                  description: Namespaces for which to enable namespace-level customization on each package.
                  items:
                    type: string
                  maxItems: 100
                  type: array
                packages:
                  description: Package names to apply the customization changes to.
                  items:
                    type: string
                  maxItems: 1000
                  minItems: 1
                  type: array
              required:
                - packages
      responses:
        '200':
          content:
            application/json:
              examples:
                successResponse:
                  value:
                    items:
                      - name: system
                        namespace_customization_enabled_for:
                          - production
                          - staging
                        success: true
                      - error: Package nginx is not installed
                        name: nginx
                        success: false
              schema:
                additionalProperties: false
                type: object
                properties:
                  items:
                    items:
                      additionalProperties: false
                      type: object
                      properties:
                        error:
                          type: string
                        name:
                          type: string
                        namespace_customization_enabled_for:
                          description: 'The opt-in list on the package. Returned whenever the package is installed: the new list on success, or the unchanged list when the request is rejected (for example, because of a namespace-prefix restriction).'
                          items:
                            type: string
                          maxItems: 100
                          type: array
                        success:
                          type: boolean
                      required:
                        - name
                        - success
                    maxItems: 1000
                    type: array
                required:
                  - items
          description: 'OK: A successful request.'
        '400':
          content:
            application/json:
              examples:
                badRequestResponse:
                  value:
                    error: Bad Request
                    message: 'Namespaces must not appear in both enable and disable: production'
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: A bad request.
      summary: Bulk enable/disable namespace-level customization for packages
      tags:
        - Elastic Package Manager (EPM)
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/epm/packages/_bulk_rollback:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/epm/packages/_bulk_rollback</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Roll back multiple packages to their previous versions.<br/><br/>[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.
      operationId: post-fleet-epm-packages-bulk-rollback
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            examples:
              bulkRollbackRequest:
                value:
                  packages:
                    - name: system
            schema:
              additionalProperties: false
              type: object
              properties:
                packages:
                  items:
                    additionalProperties: false
                    type: object
                    properties:
                      name:
                        description: Name of the package to roll back
                        type: string
                    required:
                      - name
                  maxItems: 1000
                  minItems: 1
                  type: array
              required:
                - packages
      responses:
        '200':
          content:
            application/json:
              examples:
                successResponse:
                  value:
                    taskId: taskId
              schema:
                additionalProperties: false
                type: object
                properties:
                  taskId:
                    type: string
                required:
                  - taskId
          description: 'OK: A successful request.'
        '400':
          content:
            application/json:
              examples:
                badRequestResponse:
                  value:
                    message: Bad Request
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: A bad request.
      summary: Bulk rollback packages
      tags:
        - Elastic Package Manager (EPM)
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/epm/packages/_bulk_rollback/{taskId}:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/epm/packages/_bulk_rollback/{taskId}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get the status and results of a bulk package rollback operation.<br/><br/>[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.
      operationId: get-fleet-epm-packages-bulk-rollback-taskid
      parameters:
        - description: Task ID of the bulk operation
          in: path
          name: taskId
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                successResponse:
                  value:
                    status: success
              schema:
                additionalProperties: false
                type: object
                properties:
                  error:
                    additionalProperties: false
                    type: object
                    properties:
                      message:
                        type: string
                    required:
                      - message
                  results:
                    items:
                      additionalProperties: false
                      type: object
                      properties:
                        error:
                          additionalProperties: false
                          type: object
                          properties:
                            message:
                              type: string
                          required:
                            - message
                        name:
                          type: string
                        success:
                          type: boolean
                      required:
                        - name
                        - success
                    maxItems: 10000
                    type: array
                  status:
                    type: string
                required:
                  - status
          description: 'OK: A successful request.'
        '400':
          content:
            application/json:
              examples:
                badRequestResponse:
                  value:
                    message: Bad Request
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: A bad request.
      summary: Get bulk rollback packages details
      tags:
        - Elastic Package Manager (EPM)
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/epm/packages/_bulk_uninstall:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/epm/packages/_bulk_uninstall</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Uninstall multiple packages in a single operation.<br/><br/>[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.
      operationId: post-fleet-epm-packages-bulk-uninstall
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            examples:
              postBulkUninstallPackagesRequestExample:
                description: Uninstall multiple packages
                value:
                  packages:
                    - name: aws
                    - name: gcp
            schema:
              additionalProperties: false
              type: object
              properties:
                force:
                  default: false
                  type: boolean
                packages:
                  items:
                    additionalProperties: false
                    type: object
                    properties:
                      name:
                        type: string
                      version:
                        type: string
                    required:
                      - name
                      - version
                  maxItems: 1000
                  minItems: 1
                  type: array
              required:
                - packages
      responses:
        '200':
          content:
            application/json:
              examples:
                postBulkUninstallPackagesExample:
                  description: Bulk uninstall task initiated
                  value:
                    taskId: task-id-1
              schema:
                additionalProperties: false
                type: object
                properties:
                  taskId:
                    type: string
                required:
                  - taskId
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Bulk uninstall packages
      tags:
        - Elastic Package Manager (EPM)
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/epm/packages/_bulk_uninstall/{taskId}:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/epm/packages/_bulk_uninstall/{taskId}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get the status and results of a bulk package uninstall operation.<br/><br/>[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.
      operationId: get-fleet-epm-packages-bulk-uninstall-taskid
      parameters:
        - description: Task ID of the bulk operation
          in: path
          name: taskId
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                getBulkOperationDetailsExample:
                  description: Details of the bulk operation task
                  value:
                    results:
                      - name: system
                        success: true
                      - name: elastic_agent
                        success: true
                    status: success
              schema:
                additionalProperties: false
                type: object
                properties:
                  error:
                    additionalProperties: false
                    type: object
                    properties:
                      message:
                        type: string
                    required:
                      - message
                  results:
                    items:
                      additionalProperties: false
                      type: object
                      properties:
                        error:
                          additionalProperties: false
                          type: object
                          properties:
                            message:
                              type: string
                          required:
                            - message
                        name:
                          type: string
                        success:
                          type: boolean
                      required:
                        - name
                        - success
                    maxItems: 10000
                    type: array
                  status:
                    type: string
                required:
                  - status
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Get bulk uninstall packages details
      tags:
        - Elastic Package Manager (EPM)
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/epm/packages/_bulk_upgrade:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/epm/packages/_bulk_upgrade</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Upgrade multiple packages to their latest versions.<br/><br/>[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.
      operationId: post-fleet-epm-packages-bulk-upgrade
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            examples:
              postBulkUpgradePackagesRequestExample:
                description: Upgrade multiple packages to their latest versions
                value:
                  packages:
                    - name: system
                    - name: elastic_agent
            schema:
              additionalProperties: false
              type: object
              properties:
                force:
                  default: false
                  type: boolean
                packages:
                  items:
                    additionalProperties: false
                    type: object
                    properties:
                      name:
                        type: string
                      version:
                        type: string
                    required:
                      - name
                  maxItems: 1000
                  minItems: 1
                  type: array
                prerelease:
                  type: boolean
                upgrade_package_policies:
                  default: false
                  type: boolean
              required:
                - packages
      responses:
        '200':
          content:
            application/json:
              examples:
                postBulkUpgradePackagesExample:
                  description: Bulk upgrade task initiated
                  value:
                    taskId: task-id-1
              schema:
                additionalProperties: false
                type: object
                properties:
                  taskId:
                    type: string
                required:
                  - taskId
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Bulk upgrade packages
      tags:
        - Elastic Package Manager (EPM)
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/epm/packages/_bulk_upgrade/{taskId}:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/epm/packages/_bulk_upgrade/{taskId}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get the status and results of a bulk package upgrade operation.<br/><br/>[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.
      operationId: get-fleet-epm-packages-bulk-upgrade-taskid
      parameters:
        - description: Task ID of the bulk operation
          in: path
          name: taskId
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                getBulkOperationDetailsExample:
                  description: Details of the bulk operation task
                  value:
                    results:
                      - name: system
                        success: true
                      - name: elastic_agent
                        success: true
                    status: success
              schema:
                additionalProperties: false
                type: object
                properties:
                  error:
                    additionalProperties: false
                    type: object
                    properties:
                      message:
                        type: string
                    required:
                      - message
                  results:
                    items:
                      additionalProperties: false
                      type: object
                      properties:
                        error:
                          additionalProperties: false
                          type: object
                          properties:
                            message:
                              type: string
                          required:
                            - message
                        name:
                          type: string
                        success:
                          type: boolean
                      required:
                        - name
                        - success
                    maxItems: 10000
                    type: array
                  status:
                    type: string
                required:
                  - status
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Get bulk upgrade packages details
      tags:
        - Elastic Package Manager (EPM)
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/epm/packages/{pkgName}:
    delete:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/epm/packages/{pkgName}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Uninstall a package and remove all its assets.<br/><br/>[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.
      operationId: delete-fleet-epm-packages-pkgname
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: Package name
          in: path
          name: pkgName
          required: true
          schema:
            type: string
        - description: When true, delete the package even if it has active package policies
          in: query
          name: force
          required: false
          schema:
            type: boolean
      responses:
        '200':
          content:
            application/json:
              examples:
                deletePackageExample:
                  description: Package successfully deleted
                  value:
                    items:
                      - id: aws-logs-aws.cloudwatch_logs-default
                        type: index_template
              schema:
                additionalProperties: false
                type: object
                properties:
                  items:
                    items:
                      anyOf:
                        - additionalProperties: false
                          type: object
                          properties:
                            deferred:
                              type: boolean
                            id:
                              type: string
                            originId:
                              type: string
                            type:
                              anyOf:
                                - enum:
                                    - dashboard
                                    - lens
                                    - visualization
                                    - search
                                    - index-pattern
                                    - map
                                    - ml-module
                                    - security-rule
                                    - csp-rule-template
                                    - osquery-pack-asset
                                    - osquery-saved-query
                                    - tag
                                  type: string
                                - type: string
                          required:
                            - id
                            - type
                        - additionalProperties: false
                          type: object
                          properties:
                            deferred:
                              type: boolean
                            id:
                              type: string
                            type:
                              enum:
                                - index
                                - index_template
                                - component_template
                                - ingest_pipeline
                                - ilm_policy
                                - data_stream_ilm_policy
                                - transform
                                - ml_model
                                - knowledge_base
                                - esql_view
                              type: string
                            version:
                              type: string
                          required:
                            - id
                            - type
                    maxItems: 10000
                    type: array
                required:
                  - items
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Delete a package
      tags:
        - Elastic Package Manager (EPM)
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/epm/packages/{pkgName}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get information about a package by name, returning the latest installed or available version.
      operationId: get-fleet-epm-packages-pkgname
      parameters:
        - description: Package name
          in: path
          name: pkgName
          required: true
          schema:
            type: string
        - description: When true, returns the package even if the signature cannot be verified
          in: query
          name: ignoreUnverified
          required: false
          schema:
            type: boolean
        - description: When true, include prerelease versions
          in: query
          name: prerelease
          required: false
          schema:
            type: boolean
        - description: When true, return the full package info including assets
          in: query
          name: full
          required: false
          schema:
            type: boolean
        - description: When true, include package metadata such as whether it has package policies
          in: query
          name: withMetadata
          required: false
          schema:
            default: false
            type: boolean
      responses:
        '200':
          content:
            application/json:
              examples:
                getPackageInfoExample:
                  description: Package details and installation status
                  value:
                    item:
                      assets:
                        kibana:
                          dashboard: []
                          index_pattern: []
                      categories:
                        - cloud
                      description: Collect logs and metrics from Amazon Web Services
                      name: aws
                      status: installed
                      title: AWS
                      version: 2.10.0
              schema:
                additionalProperties: false
                type: object
                properties:
                  item:
                    additionalProperties: true
                    type: object
                    properties:
                      agent:
                        additionalProperties: false
                        type: object
                        properties:
                          privileges:
                            additionalProperties: false
                            type: object
                            properties:
                              root:
                                type: boolean
                      asset_tags:
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            asset_ids:
                              items:
                                type: string
                              maxItems: 1000
                              type: array
                            asset_types:
                              items:
                                type: string
                              maxItems: 100
                              type: array
                            text:
                              type: string
                          required:
                            - text
                        maxItems: 1000
                        type: array
                      assets:
                        additionalProperties:
                          nullable: true
                        type: object
                      categories:
                        items:
                          type: string
                        maxItems: 100
                        type: array
                      conditions:
                        additionalProperties: true
                        type: object
                        properties:
                          deprecated:
                            additionalProperties: true
                            type: object
                            properties:
                              description:
                                type: string
                              replaced_by:
                                additionalProperties:
                                  type: string
                                type: object
                              since:
                                type: string
                            required:
                              - description
                          elastic:
                            additionalProperties: true
                            type: object
                            properties:
                              capabilities:
                                items:
                                  type: string
                                maxItems: 10
                                type: array
                              subscription:
                                type: string
                          kibana:
                            additionalProperties: true
                            type: object
                            properties:
                              version:
                                type: string
                      data_streams:
                        items:
                          additionalProperties:
                            nullable: true
                          type: object
                        maxItems: 1000
                        type: array
                      deprecated:
                        additionalProperties: true
                        type: object
                        properties:
                          description:
                            type: string
                          replaced_by:
                            additionalProperties:
                              type: string
                            type: object
                          since:
                            type: string
                        required:
                          - description
                      description:
                        type: string
                      discovery:
                        additionalProperties: true
                        type: object
                        properties:
                          datasets:
                            items:
                              additionalProperties: true
                              type: object
                              properties:
                                name:
                                  type: string
                              required:
                                - name
                            maxItems: 100
                            type: array
                          fields:
                            items:
                              additionalProperties: true
                              type: object
                              properties:
                                name:
                                  type: string
                              required:
                                - name
                            maxItems: 100
                            type: array
                      download:
                        type: string
                      elasticsearch:
                        additionalProperties:
                          nullable: true
                        type: object
                      format_version:
                        type: string
                      icons:
                        items:
                          additionalProperties: true
                          type: object
                          properties:
                            dark_mode:
                              type: boolean
                            path:
                              type: string
                            size:
                              type: string
                            src:
                              type: string
                            title:
                              type: string
                            type:
                              type: string
                          required:
                            - src
                        maxItems: 100
                        type: array
                      installationInfo:
                        additionalProperties: true
                        type: object
                        properties:
                          additional_spaces_installed_kibana:
                            additionalProperties:
                              items:
                                additionalProperties: true
                                type: object
                                properties:
                                  deferred:
                                    type: boolean
                                  id:
                                    type: string
                                  originId:
                                    type: string
                                  type:
                                    anyOf:
                                      - enum:
                                          - dashboard
                                          - lens
                                          - visualization
                                          - search
                                          - index-pattern
                                          - map
                                          - ml-module
                                          - security-rule
                                          - csp-rule-template
                                          - osquery-pack-asset
                                          - osquery-saved-query
                                          - tag
                                        type: string
                                      - type: string
                                required:
                                  - id
                                  - type
                              maxItems: 100
                              type: array
                            type: object
                          created_at:
                            type: string
                          experimental_data_stream_features:
                            items:
                              additionalProperties: true
                              type: object
                              properties:
                                data_stream:
                                  type: string
                                features:
                                  additionalProperties: true
                                  type: object
                                  properties:
                                    doc_value_only_numeric:
                                      type: boolean
                                    doc_value_only_other:
                                      type: boolean
                                    synthetic_source:
                                      type: boolean
                                    tsdb:
                                      type: boolean
                              required:
                                - data_stream
                                - features
                            maxItems: 100
                            type: array
                          install_format_schema_version:
                            type: string
                          install_source:
                            enum:
                              - registry
                              - upload
                              - bundled
                              - custom
                            type: string
                          install_status:
                            enum:
                              - installed
                              - installing
                              - install_failed
                            type: string
                          installed_es:
                            items:
                              additionalProperties: true
                              type: object
                              properties:
                                deferred:
                                  type: boolean
                                id:
                                  type: string
                                type:
                                  enum:
                                    - index
                                    - index_template
                                    - component_template
                                    - ingest_pipeline
                                    - ilm_policy
                                    - data_stream_ilm_policy
                                    - transform
                                    - ml_model
                                    - knowledge_base
                                    - esql_view
                                  type: string
                                version:
                                  type: string
                              required:
                                - id
                                - type
                            maxItems: 10000
                            type: array
                          installed_kibana:
                            items:
                              additionalProperties: true
                              type: object
                              properties:
                                deferred:
                                  type: boolean
                                id:
                                  type: string
                                originId:
                                  type: string
                                type:
                                  anyOf:
                                    - enum:
                                        - dashboard
                                        - lens
                                        - visualization
                                        - search
                                        - index-pattern
                                        - map
                                        - ml-module
                                        - security-rule
                                        - csp-rule-template
                                        - osquery-pack-asset
                                        - osquery-saved-query
                                        - tag
                                      type: string
                                    - type: string
                              required:
                                - id
                                - type
                            maxItems: 10000
                            type: array
                          installed_kibana_space_id:
                            type: string
                          is_rollback_ttl_expired:
                            type: boolean
                          latest_executed_state:
                            additionalProperties: true
                            type: object
                            properties:
                              error:
                                type: string
                              name:
                                type: string
                              started_at:
                                type: string
                          latest_install_failed_attempts:
                            items:
                              additionalProperties: true
                              type: object
                              properties:
                                created_at:
                                  type: string
                                error:
                                  additionalProperties: true
                                  type: object
                                  properties:
                                    message:
                                      type: string
                                    name:
                                      type: string
                                    stack:
                                      type: string
                                  required:
                                    - name
                                    - message
                                target_version:
                                  type: string
                              required:
                                - created_at
                                - target_version
                                - error
                            maxItems: 10
                            type: array
                          name:
                            type: string
                          namespaces:
                            items:
                              type: string
                            maxItems: 100
                            type: array
                          previous_version:
                            nullable: true
                            type: string
                          rolled_back:
                            type: boolean
                          type:
                            type: string
                          updated_at:
                            type: string
                          verification_key_id:
                            nullable: true
                            type: string
                          verification_status:
                            enum:
                              - unverified
                              - verified
                              - unknown
                            type: string
                          version:
                            type: string
                        required:
                          - type
                          - installed_kibana
                          - installed_es
                          - name
                          - version
                          - install_status
                          - install_source
                          - verification_status
                      internal:
                        type: boolean
                      keepPoliciesUpToDate:
                        type: boolean
                      latestVersion:
                        type: string
                      license:
                        type: string
                      licensePath:
                        type: string
                      name:
                        type: string
                      notice:
                        type: string
                      owner:
                        additionalProperties: true
                        type: object
                        properties:
                          github:
                            type: string
                          type:
                            enum:
                              - elastic
                              - partner
                              - community
                            type: string
                      path:
                        type: string
                      policy_templates:
                        items:
                          additionalProperties:
                            nullable: true
                          type: object
                        maxItems: 1000
                        type: array
                      readme:
                        type: string
                      release:
                        enum:
                          - ga
                          - beta
                          - experimental
                        type: string
                      screenshots:
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            dark_mode:
                              type: boolean
                            path:
                              type: string
                            size:
                              type: string
                            src:
                              type: string
                            title:
                              type: string
                            type:
                              type: string
                          required:
                            - src
                        maxItems: 100
                        type: array
                      signature_path:
                        type: string
                      source:
                        additionalProperties: true
                        type: object
                        properties:
                          license:
                            type: string
                        required:
                          - license
                      status:
                        type: string
                      title:
                        type: string
                      type:
                        anyOf:
                          - enum:
                              - integration
                            type: string
                          - enum:
                              - input
                            type: string
                          - enum:
                              - content
                            type: string
                          - type: string
                      var_groups:
                        items:
                          additionalProperties: true
                          type: object
                          properties:
                            description:
                              type: string
                            name:
                              type: string
                            options:
                              items:
                                additionalProperties: true
                                type: object
                                properties:
                                  description:
                                    type: string
                                  hide_in_deployment_modes:
                                    items:
                                      enum:
                                        - default
                                        - agentless
                                      type: string
                                    maxItems: 2
                                    type: array
                                  name:
                                    type: string
                                  title:
                                    type: string
                                  vars:
                                    items:
                                      type: string
                                    maxItems: 100
                                    type: array
                                required:
                                  - name
                                  - title
                                  - vars
                              maxItems: 100
                              type: array
                            selector_title:
                              type: string
                            title:
                              type: string
                          required:
                            - name
                            - title
                            - selector_title
                            - options
                        maxItems: 100
                        type: array
                      vars:
                        items:
                          additionalProperties:
                            nullable: true
                          type: object
                        maxItems: 1000
                        type: array
                      version:
                        type: string
                    required:
                      - name
                      - version
                      - title
                      - assets
                  metadata:
                    additionalProperties: false
                    type: object
                    properties:
                      has_policies:
                        type: boolean
                    required:
                      - has_policies
                required:
                  - item
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Get a package
      tags:
        - Elastic Package Manager (EPM)
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/epm/packages/{pkgName}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Install the latest version of a package from the Elastic Package Registry.<br/><br/>[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.
      operationId: post-fleet-epm-packages-pkgname
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: Package name
          in: path
          name: pkgName
          required: true
          schema:
            type: string
        - description: When true, allow installing prerelease versions
          in: query
          name: prerelease
          required: false
          schema:
            type: boolean
        - description: When true, ignore mapping update errors during installation
          in: query
          name: ignoreMappingUpdateErrors
          required: false
          schema:
            default: false
            type: boolean
        - description: When true, skip data stream rollover after installation
          in: query
          name: skipDataStreamRollover
          required: false
          schema:
            default: false
            type: boolean
        - description: Skip dependency validation when installing a package with dependencies
          in: query
          name: skipDependencyCheck
          required: false
          schema:
            default: false
            type: boolean
      requestBody:
        content:
          application/json:
            examples:
              postInstallPackageRequestExample:
                description: Install a package, optionally ignoring constraints
                value:
                  ignore_constraints: false
            schema:
              additionalProperties: false
              nullable: true
              type: object
              properties:
                force:
                  default: false
                  type: boolean
                ignore_constraints:
                  default: false
                  type: boolean
      responses:
        '200':
          content:
            application/json:
              examples:
                postInstallPackageExample:
                  description: Package successfully installed
                  value:
                    _meta:
                      install_source: registry
                    items:
                      - id: aws-logs-aws.cloudwatch_logs-default
                        type: index_template
              schema:
                additionalProperties: false
                type: object
                properties:
                  _meta:
                    additionalProperties: false
                    type: object
                    properties:
                      install_source:
                        type: string
                      name:
                        type: string
                    required:
                      - install_source
                      - name
                  items:
                    items:
                      anyOf:
                        - additionalProperties: false
                          type: object
                          properties:
                            deferred:
                              type: boolean
                            id:
                              type: string
                            originId:
                              type: string
                            type:
                              anyOf:
                                - enum:
                                    - dashboard
                                    - lens
                                    - visualization
                                    - search
                                    - index-pattern
                                    - map
                                    - ml-module
                                    - security-rule
                                    - csp-rule-template
                                    - osquery-pack-asset
                                    - osquery-saved-query
                                    - tag
                                  type: string
                                - type: string
                          required:
                            - id
                            - type
                        - additionalProperties: false
                          type: object
                          properties:
                            deferred:
                              type: boolean
                            id:
                              type: string
                            type:
                              enum:
                                - index
                                - index_template
                                - component_template
                                - ingest_pipeline
                                - ilm_policy
                                - data_stream_ilm_policy
                                - transform
                                - ml_model
                                - knowledge_base
                                - esql_view
                              type: string
                            version:
                              type: string
                          required:
                            - id
                            - type
                    maxItems: 10000
                    type: array
                required:
                  - items
                  - _meta
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Install a package from the registry
      tags:
        - Elastic Package Manager (EPM)
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    put:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb put">put</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/epm/packages/{pkgName}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Update settings for a package, such as whether policies are kept up to date automatically.<br/><br/>[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.
      operationId: put-fleet-epm-packages-pkgname
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: Package name
          in: path
          name: pkgName
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            examples:
              putUpdatePackageNamespaceCustomizationExample:
                description: Enable namespace-level customization for the `production` and `staging` namespaces
                value:
                  namespace_customization_enabled_for:
                    - production
                    - staging
              putUpdatePackageRequestExample:
                description: Update the `keepPoliciesUpToDate` setting for a package
                value:
                  keepPoliciesUpToDate: true
            schema:
              additionalProperties: false
              type: object
              properties:
                keepPoliciesUpToDate:
                  type: boolean
                namespace_customization_enabled_for:
                  description: Namespaces for which namespace-level customization is enabled on this package.
                  items:
                    type: string
                  maxItems: 100
                  type: array
      responses:
        '200':
          content:
            application/json:
              examples:
                putUpdatePackageExample:
                  description: Updated package settings
                  value:
                    item:
                      keepPoliciesUpToDate: true
                      name: aws
                      version: 2.10.0
              schema:
                additionalProperties: false
                type: object
                properties:
                  item:
                    additionalProperties: true
                    type: object
                    properties:
                      agent:
                        additionalProperties: false
                        type: object
                        properties:
                          privileges:
                            additionalProperties: false
                            type: object
                            properties:
                              root:
                                type: boolean
                      asset_tags:
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            asset_ids:
                              items:
                                type: string
                              maxItems: 1000
                              type: array
                            asset_types:
                              items:
                                type: string
                              maxItems: 100
                              type: array
                            text:
                              type: string
                          required:
                            - text
                        maxItems: 1000
                        type: array
                      assets:
                        additionalProperties:
                          nullable: true
                        type: object
                      categories:
                        items:
                          type: string
                        maxItems: 100
                        type: array
                      conditions:
                        additionalProperties: true
                        type: object
                        properties:
                          deprecated:
                            additionalProperties: true
                            type: object
                            properties:
                              description:
                                type: string
                              replaced_by:
                                additionalProperties:
                                  type: string
                                type: object
                              since:
                                type: string
                            required:
                              - description
                          elastic:
                            additionalProperties: true
                            type: object
                            properties:
                              capabilities:
                                items:
                                  type: string
                                maxItems: 10
                                type: array
                              subscription:
                                type: string
                          kibana:
                            additionalProperties: true
                            type: object
                            properties:
                              version:
                                type: string
                      data_streams:
                        items:
                          additionalProperties:
                            nullable: true
                          type: object
                        maxItems: 1000
                        type: array
                      deprecated:
                        additionalProperties: true
                        type: object
                        properties:
                          description:
                            type: string
                          replaced_by:
                            additionalProperties:
                              type: string
                            type: object
                          since:
                            type: string
                        required:
                          - description
                      description:
                        type: string
                      discovery:
                        additionalProperties: true
                        type: object
                        properties:
                          datasets:
                            items:
                              additionalProperties: true
                              type: object
                              properties:
                                name:
                                  type: string
                              required:
                                - name
                            maxItems: 100
                            type: array
                          fields:
                            items:
                              additionalProperties: true
                              type: object
                              properties:
                                name:
                                  type: string
                              required:
                                - name
                            maxItems: 100
                            type: array
                      download:
                        type: string
                      elasticsearch:
                        additionalProperties:
                          nullable: true
                        type: object
                      format_version:
                        type: string
                      icons:
                        items:
                          additionalProperties: true
                          type: object
                          properties:
                            dark_mode:
                              type: boolean
                            path:
                              type: string
                            size:
                              type: string
                            src:
                              type: string
                            title:
                              type: string
                            type:
                              type: string
                          required:
                            - src
                        maxItems: 100
                        type: array
                      installationInfo:
                        additionalProperties: true
                        type: object
                        properties:
                          additional_spaces_installed_kibana:
                            additionalProperties:
                              items:
                                additionalProperties: true
                                type: object
                                properties:
                                  deferred:
                                    type: boolean
                                  id:
                                    type: string
                                  originId:
                                    type: string
                                  type:
                                    anyOf:
                                      - enum:
                                          - dashboard
                                          - lens
                                          - visualization
                                          - search
                                          - index-pattern
                                          - map
                                          - ml-module
                                          - security-rule
                                          - csp-rule-template
                                          - osquery-pack-asset
                                          - osquery-saved-query
                                          - tag
                                        type: string
                                      - type: string
                                required:
                                  - id
                                  - type
                              maxItems: 100
                              type: array
                            type: object
                          created_at:
                            type: string
                          experimental_data_stream_features:
                            items:
                              additionalProperties: true
                              type: object
                              properties:
                                data_stream:
                                  type: string
                                features:
                                  additionalProperties: true
                                  type: object
                                  properties:
                                    doc_value_only_numeric:
                                      type: boolean
                                    doc_value_only_other:
                                      type: boolean
                                    synthetic_source:
                                      type: boolean
                                    tsdb:
                                      type: boolean
                              required:
                                - data_stream
                                - features
                            maxItems: 100
                            type: array
                          install_format_schema_version:
                            type: string
                          install_source:
                            enum:
                              - registry
                              - upload
                              - bundled
                              - custom
                            type: string
                          install_status:
                            enum:
                              - installed
                              - installing
                              - install_failed
                            type: string
                          installed_es:
                            items:
                              additionalProperties: true
                              type: object
                              properties:
                                deferred:
                                  type: boolean
                                id:
                                  type: string
                                type:
                                  enum:
                                    - index
                                    - index_template
                                    - component_template
                                    - ingest_pipeline
                                    - ilm_policy
                                    - data_stream_ilm_policy
                                    - transform
                                    - ml_model
                                    - knowledge_base
                                    - esql_view
                                  type: string
                                version:
                                  type: string
                              required:
                                - id
                                - type
                            maxItems: 10000
                            type: array
                          installed_kibana:
                            items:
                              additionalProperties: true
                              type: object
                              properties:
                                deferred:
                                  type: boolean
                                id:
                                  type: string
                                originId:
                                  type: string
                                type:
                                  anyOf:
                                    - enum:
                                        - dashboard
                                        - lens
                                        - visualization
                                        - search
                                        - index-pattern
                                        - map
                                        - ml-module
                                        - security-rule
                                        - csp-rule-template
                                        - osquery-pack-asset
                                        - osquery-saved-query
                                        - tag
                                      type: string
                                    - type: string
                              required:
                                - id
                                - type
                            maxItems: 10000
                            type: array
                          installed_kibana_space_id:
                            type: string
                          is_rollback_ttl_expired:
                            type: boolean
                          latest_executed_state:
                            additionalProperties: true
                            type: object
                            properties:
                              error:
                                type: string
                              name:
                                type: string
                              started_at:
                                type: string
                          latest_install_failed_attempts:
                            items:
                              additionalProperties: true
                              type: object
                              properties:
                                created_at:
                                  type: string
                                error:
                                  additionalProperties: true
                                  type: object
                                  properties:
                                    message:
                                      type: string
                                    name:
                                      type: string
                                    stack:
                                      type: string
                                  required:
                                    - name
                                    - message
                                target_version:
                                  type: string
                              required:
                                - created_at
                                - target_version
                                - error
                            maxItems: 10
                            type: array
                          name:
                            type: string
                          namespaces:
                            items:
                              type: string
                            maxItems: 100
                            type: array
                          previous_version:
                            nullable: true
                            type: string
                          rolled_back:
                            type: boolean
                          type:
                            type: string
                          updated_at:
                            type: string
                          verification_key_id:
                            nullable: true
                            type: string
                          verification_status:
                            enum:
                              - unverified
                              - verified
                              - unknown
                            type: string
                          version:
                            type: string
                        required:
                          - type
                          - installed_kibana
                          - installed_es
                          - name
                          - version
                          - install_status
                          - install_source
                          - verification_status
                      internal:
                        type: boolean
                      keepPoliciesUpToDate:
                        type: boolean
                      latestVersion:
                        type: string
                      license:
                        type: string
                      licensePath:
                        type: string
                      name:
                        type: string
                      notice:
                        type: string
                      owner:
                        additionalProperties: true
                        type: object
                        properties:
                          github:
                            type: string
                          type:
                            enum:
                              - elastic
                              - partner
                              - community
                            type: string
                      path:
                        type: string
                      policy_templates:
                        items:
                          additionalProperties:
                            nullable: true
                          type: object
                        maxItems: 1000
                        type: array
                      readme:
                        type: string
                      release:
                        enum:
                          - ga
                          - beta
                          - experimental
                        type: string
                      screenshots:
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            dark_mode:
                              type: boolean
                            path:
                              type: string
                            size:
                              type: string
                            src:
                              type: string
                            title:
                              type: string
                            type:
                              type: string
                          required:
                            - src
                        maxItems: 100
                        type: array
                      signature_path:
                        type: string
                      source:
                        additionalProperties: true
                        type: object
                        properties:
                          license:
                            type: string
                        required:
                          - license
                      status:
                        type: string
                      title:
                        type: string
                      type:
                        anyOf:
                          - enum:
                              - integration
                            type: string
                          - enum:
                              - input
                            type: string
                          - enum:
                              - content
                            type: string
                          - type: string
                      var_groups:
                        items:
                          additionalProperties: true
                          type: object
                          properties:
                            description:
                              type: string
                            name:
                              type: string
                            options:
                              items:
                                additionalProperties: true
                                type: object
                                properties:
                                  description:
                                    type: string
                                  hide_in_deployment_modes:
                                    items:
                                      enum:
                                        - default
                                        - agentless
                                      type: string
                                    maxItems: 2
                                    type: array
                                  name:
                                    type: string
                                  title:
                                    type: string
                                  vars:
                                    items:
                                      type: string
                                    maxItems: 100
                                    type: array
                                required:
                                  - name
                                  - title
                                  - vars
                              maxItems: 100
                              type: array
                            selector_title:
                              type: string
                            title:
                              type: string
                          required:
                            - name
                            - title
                            - selector_title
                            - options
                        maxItems: 100
                        type: array
                      vars:
                        items:
                          additionalProperties:
                            nullable: true
                          type: object
                        maxItems: 1000
                        type: array
                      version:
                        type: string
                    required:
                      - name
                      - version
                      - title
                      - assets
                required:
                  - item
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Update package settings
      tags:
        - Elastic Package Manager (EPM)
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/epm/packages/{pkgName}/{pkgVersion}:
    delete:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Uninstall a specific version of a package and remove all its assets.<br/><br/>[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.
      operationId: delete-fleet-epm-packages-pkgname-pkgversion
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: Package name
          in: path
          name: pkgName
          required: true
          schema:
            type: string
        - description: Package version
          in: path
          name: pkgVersion
          required: true
          schema:
            type: string
        - description: When true, delete the package even if it has active package policies
          in: query
          name: force
          required: false
          schema:
            type: boolean
      responses:
        '200':
          content:
            application/json:
              examples:
                deletePackageExample:
                  description: Package successfully deleted
                  value:
                    items:
                      - id: aws-logs-aws.cloudwatch_logs-default
                        type: index_template
              schema:
                additionalProperties: false
                type: object
                properties:
                  items:
                    items:
                      anyOf:
                        - additionalProperties: false
                          type: object
                          properties:
                            deferred:
                              type: boolean
                            id:
                              type: string
                            originId:
                              type: string
                            type:
                              anyOf:
                                - enum:
                                    - dashboard
                                    - lens
                                    - visualization
                                    - search
                                    - index-pattern
                                    - map
                                    - ml-module
                                    - security-rule
                                    - csp-rule-template
                                    - osquery-pack-asset
                                    - osquery-saved-query
                                    - tag
                                  type: string
                                - type: string
                          required:
                            - id
                            - type
                        - additionalProperties: false
                          type: object
                          properties:
                            deferred:
                              type: boolean
                            id:
                              type: string
                            type:
                              enum:
                                - index
                                - index_template
                                - component_template
                                - ingest_pipeline
                                - ilm_policy
                                - data_stream_ilm_policy
                                - transform
                                - ml_model
                                - knowledge_base
                                - esql_view
                              type: string
                            version:
                              type: string
                          required:
                            - id
                            - type
                    maxItems: 10000
                    type: array
                required:
                  - items
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Delete a package
      tags:
        - Elastic Package Manager (EPM)
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get information about a specific version of a package.
      operationId: get-fleet-epm-packages-pkgname-pkgversion
      parameters:
        - description: Package name
          in: path
          name: pkgName
          required: true
          schema:
            type: string
        - description: Package version
          in: path
          name: pkgVersion
          required: true
          schema:
            type: string
        - description: When true, return the package even if the signature cannot be verified
          in: query
          name: ignoreUnverified
          required: false
          schema:
            type: boolean
        - description: When true, include prerelease versions
          in: query
          name: prerelease
          required: false
          schema:
            type: boolean
        - description: When true, return the full package info including assets
          in: query
          name: full
          required: false
          schema:
            type: boolean
        - description: When true, include package metadata such as whether it has package policies
          in: query
          name: withMetadata
          required: false
          schema:
            default: false
            type: boolean
      responses:
        '200':
          content:
            application/json:
              examples:
                getPackageInfoExample:
                  description: Package details and installation status
                  value:
                    item:
                      assets:
                        kibana:
                          dashboard: []
                          index_pattern: []
                      categories:
                        - cloud
                      description: Collect logs and metrics from Amazon Web Services
                      name: aws
                      status: installed
                      title: AWS
                      version: 2.10.0
              schema:
                additionalProperties: false
                type: object
                properties:
                  item:
                    additionalProperties: true
                    type: object
                    properties:
                      agent:
                        additionalProperties: false
                        type: object
                        properties:
                          privileges:
                            additionalProperties: false
                            type: object
                            properties:
                              root:
                                type: boolean
                      asset_tags:
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            asset_ids:
                              items:
                                type: string
                              maxItems: 1000
                              type: array
                            asset_types:
                              items:
                                type: string
                              maxItems: 100
                              type: array
                            text:
                              type: string
                          required:
                            - text
                        maxItems: 1000
                        type: array
                      assets:
                        additionalProperties:
                          nullable: true
                        type: object
                      categories:
                        items:
                          type: string
                        maxItems: 100
                        type: array
                      conditions:
                        additionalProperties: true
                        type: object
                        properties:
                          deprecated:
                            additionalProperties: true
                            type: object
                            properties:
                              description:
                                type: string
                              replaced_by:
                                additionalProperties:
                                  type: string
                                type: object
                              since:
                                type: string
                            required:
                              - description
                          elastic:
                            additionalProperties: true
                            type: object
                            properties:
                              capabilities:
                                items:
                                  type: string
                                maxItems: 10
                                type: array
                              subscription:
                                type: string
                          kibana:
                            additionalProperties: true
                            type: object
                            properties:
                              version:
                                type: string
                      data_streams:
                        items:
                          additionalProperties:
                            nullable: true
                          type: object
                        maxItems: 1000
                        type: array
                      deprecated:
                        additionalProperties: true
                        type: object
                        properties:
                          description:
                            type: string
                          replaced_by:
                            additionalProperties:
                              type: string
                            type: object
                          since:
                            type: string
                        required:
                          - description
                      description:
                        type: string
                      discovery:
                        additionalProperties: true
                        type: object
                        properties:
                          datasets:
                            items:
                              additionalProperties: true
                              type: object
                              properties:
                                name:
                                  type: string
                              required:
                                - name
                            maxItems: 100
                            type: array
                          fields:
                            items:
                              additionalProperties: true
                              type: object
                              properties:
                                name:
                                  type: string
                              required:
                                - name
                            maxItems: 100
                            type: array
                      download:
                        type: string
                      elasticsearch:
                        additionalProperties:
                          nullable: true
                        type: object
                      format_version:
                        type: string
                      icons:
                        items:
                          additionalProperties: true
                          type: object
                          properties:
                            dark_mode:
                              type: boolean
                            path:
                              type: string
                            size:
                              type: string
                            src:
                              type: string
                            title:
                              type: string
                            type:
                              type: string
                          required:
                            - src
                        maxItems: 100
                        type: array
                      installationInfo:
                        additionalProperties: true
                        type: object
                        properties:
                          additional_spaces_installed_kibana:
                            additionalProperties:
                              items:
                                additionalProperties: true
                                type: object
                                properties:
                                  deferred:
                                    type: boolean
                                  id:
                                    type: string
                                  originId:
                                    type: string
                                  type:
                                    anyOf:
                                      - enum:
                                          - dashboard
                                          - lens
                                          - visualization
                                          - search
                                          - index-pattern
                                          - map
                                          - ml-module
                                          - security-rule
                                          - csp-rule-template
                                          - osquery-pack-asset
                                          - osquery-saved-query
                                          - tag
                                        type: string
                                      - type: string
                                required:
                                  - id
                                  - type
                              maxItems: 100
                              type: array
                            type: object
                          created_at:
                            type: string
                          experimental_data_stream_features:
                            items:
                              additionalProperties: true
                              type: object
                              properties:
                                data_stream:
                                  type: string
                                features:
                                  additionalProperties: true
                                  type: object
                                  properties:
                                    doc_value_only_numeric:
                                      type: boolean
                                    doc_value_only_other:
                                      type: boolean
                                    synthetic_source:
                                      type: boolean
                                    tsdb:
                                      type: boolean
                              required:
                                - data_stream
                                - features
                            maxItems: 100
                            type: array
                          install_format_schema_version:
                            type: string
                          install_source:
                            enum:
                              - registry
                              - upload
                              - bundled
                              - custom
                            type: string
                          install_status:
                            enum:
                              - installed
                              - installing
                              - install_failed
                            type: string
                          installed_es:
                            items:
                              additionalProperties: true
                              type: object
                              properties:
                                deferred:
                                  type: boolean
                                id:
                                  type: string
                                type:
                                  enum:
                                    - index
                                    - index_template
                                    - component_template
                                    - ingest_pipeline
                                    - ilm_policy
                                    - data_stream_ilm_policy
                                    - transform
                                    - ml_model
                                    - knowledge_base
                                    - esql_view
                                  type: string
                                version:
                                  type: string
                              required:
                                - id
                                - type
                            maxItems: 10000
                            type: array
                          installed_kibana:
                            items:
                              additionalProperties: true
                              type: object
                              properties:
                                deferred:
                                  type: boolean
                                id:
                                  type: string
                                originId:
                                  type: string
                                type:
                                  anyOf:
                                    - enum:
                                        - dashboard
                                        - lens
                                        - visualization
                                        - search
                                        - index-pattern
                                        - map
                                        - ml-module
                                        - security-rule
                                        - csp-rule-template
                                        - osquery-pack-asset
                                        - osquery-saved-query
                                        - tag
                                      type: string
                                    - type: string
                              required:
                                - id
                                - type
                            maxItems: 10000
                            type: array
                          installed_kibana_space_id:
                            type: string
                          is_rollback_ttl_expired:
                            type: boolean
                          latest_executed_state:
                            additionalProperties: true
                            type: object
                            properties:
                              error:
                                type: string
                              name:
                                type: string
                              started_at:
                                type: string
                          latest_install_failed_attempts:
                            items:
                              additionalProperties: true
                              type: object
                              properties:
                                created_at:
                                  type: string
                                error:
                                  additionalProperties: true
                                  type: object
                                  properties:
                                    message:
                                      type: string
                                    name:
                                      type: string
                                    stack:
                                      type: string
                                  required:
                                    - name
                                    - message
                                target_version:
                                  type: string
                              required:
                                - created_at
                                - target_version
                                - error
                            maxItems: 10
                            type: array
                          name:
                            type: string
                          namespaces:
                            items:
                              type: string
                            maxItems: 100
                            type: array
                          previous_version:
                            nullable: true
                            type: string
                          rolled_back:
                            type: boolean
                          type:
                            type: string
                          updated_at:
                            type: string
                          verification_key_id:
                            nullable: true
                            type: string
                          verification_status:
                            enum:
                              - unverified
                              - verified
                              - unknown
                            type: string
                          version:
                            type: string
                        required:
                          - type
                          - installed_kibana
                          - installed_es
                          - name
                          - version
                          - install_status
                          - install_source
                          - verification_status
                      internal:
                        type: boolean
                      keepPoliciesUpToDate:
                        type: boolean
                      latestVersion:
                        type: string
                      license:
                        type: string
                      licensePath:
                        type: string
                      name:
                        type: string
                      notice:
                        type: string
                      owner:
                        additionalProperties: true
                        type: object
                        properties:
                          github:
                            type: string
                          type:
                            enum:
                              - elastic
                              - partner
                              - community
                            type: string
                      path:
                        type: string
                      policy_templates:
                        items:
                          additionalProperties:
                            nullable: true
                          type: object
                        maxItems: 1000
                        type: array
                      readme:
                        type: string
                      release:
                        enum:
                          - ga
                          - beta
                          - experimental
                        type: string
                      screenshots:
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            dark_mode:
                              type: boolean
                            path:
                              type: string
                            size:
                              type: string
                            src:
                              type: string
                            title:
                              type: string
                            type:
                              type: string
                          required:
                            - src
                        maxItems: 100
                        type: array
                      signature_path:
                        type: string
                      source:
                        additionalProperties: true
                        type: object
                        properties:
                          license:
                            type: string
                        required:
                          - license
                      status:
                        type: string
                      title:
                        type: string
                      type:
                        anyOf:
                          - enum:
                              - integration
                            type: string
                          - enum:
                              - input
                            type: string
                          - enum:
                              - content
                            type: string
                          - type: string
                      var_groups:
                        items:
                          additionalProperties: true
                          type: object
                          properties:
                            description:
                              type: string
                            name:
                              type: string
                            options:
                              items:
                                additionalProperties: true
                                type: object
                                properties:
                                  description:
                                    type: string
                                  hide_in_deployment_modes:
                                    items:
                                      enum:
                                        - default
                                        - agentless
                                      type: string
                                    maxItems: 2
                                    type: array
                                  name:
                                    type: string
                                  title:
                                    type: string
                                  vars:
                                    items:
                                      type: string
                                    maxItems: 100
                                    type: array
                                required:
                                  - name
                                  - title
                                  - vars
                              maxItems: 100
                              type: array
                            selector_title:
                              type: string
                            title:
                              type: string
                          required:
                            - name
                            - title
                            - selector_title
                            - options
                        maxItems: 100
                        type: array
                      vars:
                        items:
                          additionalProperties:
                            nullable: true
                          type: object
                        maxItems: 1000
                        type: array
                      version:
                        type: string
                    required:
                      - name
                      - version
                      - title
                      - assets
                  metadata:
                    additionalProperties: false
                    type: object
                    properties:
                      has_policies:
                        type: boolean
                    required:
                      - has_policies
                required:
                  - item
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Get a package
      tags:
        - Elastic Package Manager (EPM)
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Install a specific version of a package from the Elastic Package Registry.<br/><br/>[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.
      operationId: post-fleet-epm-packages-pkgname-pkgversion
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: Package name
          in: path
          name: pkgName
          required: true
          schema:
            type: string
        - description: Package version
          in: path
          name: pkgVersion
          required: true
          schema:
            type: string
        - description: When true, allow installing prerelease versions
          in: query
          name: prerelease
          required: false
          schema:
            type: boolean
        - description: When true, ignore mapping update errors during installation
          in: query
          name: ignoreMappingUpdateErrors
          required: false
          schema:
            default: false
            type: boolean
        - description: When true, skip data stream rollover after installation
          in: query
          name: skipDataStreamRollover
          required: false
          schema:
            default: false
            type: boolean
        - description: When true, skip dependency validation when installing a package that has dependencies
          in: query
          name: skipDependencyCheck
          required: false
          schema:
            default: false
            type: boolean
      requestBody:
        content:
          application/json:
            examples:
              postInstallPackageRequestExample:
                description: Install a package, optionally ignoring constraints
                value:
                  ignore_constraints: false
            schema:
              additionalProperties: false
              nullable: true
              type: object
              properties:
                force:
                  default: false
                  type: boolean
                ignore_constraints:
                  default: false
                  type: boolean
      responses:
        '200':
          content:
            application/json:
              examples:
                postInstallPackageExample:
                  description: Package successfully installed
                  value:
                    _meta:
                      install_source: registry
                      name: aws
                    items:
                      - id: aws-logs-aws.cloudwatch_logs-default
                        type: index_template
              schema:
                additionalProperties: false
                type: object
                properties:
                  _meta:
                    additionalProperties: false
                    type: object
                    properties:
                      install_source:
                        type: string
                      name:
                        type: string
                    required:
                      - install_source
                      - name
                  items:
                    items:
                      anyOf:
                        - additionalProperties: false
                          type: object
                          properties:
                            deferred:
                              type: boolean
                            id:
                              type: string
                            originId:
                              type: string
                            type:
                              anyOf:
                                - enum:
                                    - dashboard
                                    - lens
                                    - visualization
                                    - search
                                    - index-pattern
                                    - map
                                    - ml-module
                                    - security-rule
                                    - csp-rule-template
                                    - osquery-pack-asset
                                    - osquery-saved-query
                                    - tag
                                  type: string
                                - type: string
                          required:
                            - id
                            - type
                        - additionalProperties: false
                          type: object
                          properties:
                            deferred:
                              type: boolean
                            id:
                              type: string
                            type:
                              enum:
                                - index
                                - index_template
                                - component_template
                                - ingest_pipeline
                                - ilm_policy
                                - data_stream_ilm_policy
                                - transform
                                - ml_model
                                - knowledge_base
                                - esql_view
                              type: string
                            version:
                              type: string
                          required:
                            - id
                            - type
                    maxItems: 10000
                    type: array
                required:
                  - items
                  - _meta
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Install a package from the registry
      tags:
        - Elastic Package Manager (EPM)
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    put:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb put">put</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Update settings for a specific version of a package.<br/><br/>[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.
      operationId: put-fleet-epm-packages-pkgname-pkgversion
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: Package name
          in: path
          name: pkgName
          required: true
          schema:
            type: string
        - description: Package version
          in: path
          name: pkgVersion
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            examples:
              putUpdatePackageNamespaceCustomizationExample:
                description: Enable namespace-level customization for the `production` and `staging` namespaces
                value:
                  namespace_customization_enabled_for:
                    - production
                    - staging
              putUpdatePackageRequestExample:
                description: Update the `keepPoliciesUpToDate` setting for a package
                value:
                  keepPoliciesUpToDate: true
            schema:
              additionalProperties: false
              type: object
              properties:
                keepPoliciesUpToDate:
                  type: boolean
                namespace_customization_enabled_for:
                  description: Namespaces for which namespace-level customization is enabled on this package.
                  items:
                    type: string
                  maxItems: 100
                  type: array
      responses:
        '200':
          content:
            application/json:
              examples:
                putUpdatePackageExample:
                  description: Updated package settings
                  value:
                    item:
                      keepPoliciesUpToDate: true
                      name: aws
                      version: 2.10.0
              schema:
                additionalProperties: false
                type: object
                properties:
                  item:
                    additionalProperties: true
                    type: object
                    properties:
                      agent:
                        additionalProperties: false
                        type: object
                        properties:
                          privileges:
                            additionalProperties: false
                            type: object
                            properties:
                              root:
                                type: boolean
                      asset_tags:
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            asset_ids:
                              items:
                                type: string
                              maxItems: 1000
                              type: array
                            asset_types:
                              items:
                                type: string
                              maxItems: 100
                              type: array
                            text:
                              type: string
                          required:
                            - text
                        maxItems: 1000
                        type: array
                      assets:
                        additionalProperties:
                          nullable: true
                        type: object
                      categories:
                        items:
                          type: string
                        maxItems: 100
                        type: array
                      conditions:
                        additionalProperties: true
                        type: object
                        properties:
                          deprecated:
                            additionalProperties: true
                            type: object
                            properties:
                              description:
                                type: string
                              replaced_by:
                                additionalProperties:
                                  type: string
                                type: object
                              since:
                                type: string
                            required:
                              - description
                          elastic:
                            additionalProperties: true
                            type: object
                            properties:
                              capabilities:
                                items:
                                  type: string
                                maxItems: 10
                                type: array
                              subscription:
                                type: string
                          kibana:
                            additionalProperties: true
                            type: object
                            properties:
                              version:
                                type: string
                      data_streams:
                        items:
                          additionalProperties:
                            nullable: true
                          type: object
                        maxItems: 1000
                        type: array
                      deprecated:
                        additionalProperties: true
                        type: object
                        properties:
                          description:
                            type: string
                          replaced_by:
                            additionalProperties:
                              type: string
                            type: object
                          since:
                            type: string
                        required:
                          - description
                      description:
                        type: string
                      discovery:
                        additionalProperties: true
                        type: object
                        properties:
                          datasets:
                            items:
                              additionalProperties: true
                              type: object
                              properties:
                                name:
                                  type: string
                              required:
                                - name
                            maxItems: 100
                            type: array
                          fields:
                            items:
                              additionalProperties: true
                              type: object
                              properties:
                                name:
                                  type: string
                              required:
                                - name
                            maxItems: 100
                            type: array
                      download:
                        type: string
                      elasticsearch:
                        additionalProperties:
                          nullable: true
                        type: object
                      format_version:
                        type: string
                      icons:
                        items:
                          additionalProperties: true
                          type: object
                          properties:
                            dark_mode:
                              type: boolean
                            path:
                              type: string
                            size:
                              type: string
                            src:
                              type: string
                            title:
                              type: string
                            type:
                              type: string
                          required:
                            - src
                        maxItems: 100
                        type: array
                      installationInfo:
                        additionalProperties: true
                        type: object
                        properties:
                          additional_spaces_installed_kibana:
                            additionalProperties:
                              items:
                                additionalProperties: true
                                type: object
                                properties:
                                  deferred:
                                    type: boolean
                                  id:
                                    type: string
                                  originId:
                                    type: string
                                  type:
                                    anyOf:
                                      - enum:
                                          - dashboard
                                          - lens
                                          - visualization
                                          - search
                                          - index-pattern
                                          - map
                                          - ml-module
                                          - security-rule
                                          - csp-rule-template
                                          - osquery-pack-asset
                                          - osquery-saved-query
                                          - tag
                                        type: string
                                      - type: string
                                required:
                                  - id
                                  - type
                              maxItems: 100
                              type: array
                            type: object
                          created_at:
                            type: string
                          experimental_data_stream_features:
                            items:
                              additionalProperties: true
                              type: object
                              properties:
                                data_stream:
                                  type: string
                                features:
                                  additionalProperties: true
                                  type: object
                                  properties:
                                    doc_value_only_numeric:
                                      type: boolean
                                    doc_value_only_other:
                                      type: boolean
                                    synthetic_source:
                                      type: boolean
                                    tsdb:
                                      type: boolean
                              required:
                                - data_stream
                                - features
                            maxItems: 100
                            type: array
                          install_format_schema_version:
                            type: string
                          install_source:
                            enum:
                              - registry
                              - upload
                              - bundled
                              - custom
                            type: string
                          install_status:
                            enum:
                              - installed
                              - installing
                              - install_failed
                            type: string
                          installed_es:
                            items:
                              additionalProperties: true
                              type: object
                              properties:
                                deferred:
                                  type: boolean
                                id:
                                  type: string
                                type:
                                  enum:
                                    - index
                                    - index_template
                                    - component_template
                                    - ingest_pipeline
                                    - ilm_policy
                                    - data_stream_ilm_policy
                                    - transform
                                    - ml_model
                                    - knowledge_base
                                    - esql_view
                                  type: string
                                version:
                                  type: string
                              required:
                                - id
                                - type
                            maxItems: 10000
                            type: array
                          installed_kibana:
                            items:
                              additionalProperties: true
                              type: object
                              properties:
                                deferred:
                                  type: boolean
                                id:
                                  type: string
                                originId:
                                  type: string
                                type:
                                  anyOf:
                                    - enum:
                                        - dashboard
                                        - lens
                                        - visualization
                                        - search
                                        - index-pattern
                                        - map
                                        - ml-module
                                        - security-rule
                                        - csp-rule-template
                                        - osquery-pack-asset
                                        - osquery-saved-query
                                        - tag
                                      type: string
                                    - type: string
                              required:
                                - id
                                - type
                            maxItems: 10000
                            type: array
                          installed_kibana_space_id:
                            type: string
                          is_rollback_ttl_expired:
                            type: boolean
                          latest_executed_state:
                            additionalProperties: true
                            type: object
                            properties:
                              error:
                                type: string
                              name:
                                type: string
                              started_at:
                                type: string
                          latest_install_failed_attempts:
                            items:
                              additionalProperties: true
                              type: object
                              properties:
                                created_at:
                                  type: string
                                error:
                                  additionalProperties: true
                                  type: object
                                  properties:
                                    message:
                                      type: string
                                    name:
                                      type: string
                                    stack:
                                      type: string
                                  required:
                                    - name
                                    - message
                                target_version:
                                  type: string
                              required:
                                - created_at
                                - target_version
                                - error
                            maxItems: 10
                            type: array
                          name:
                            type: string
                          namespaces:
                            items:
                              type: string
                            maxItems: 100
                            type: array
                          previous_version:
                            nullable: true
                            type: string
                          rolled_back:
                            type: boolean
                          type:
                            type: string
                          updated_at:
                            type: string
                          verification_key_id:
                            nullable: true
                            type: string
                          verification_status:
                            enum:
                              - unverified
                              - verified
                              - unknown
                            type: string
                          version:
                            type: string
                        required:
                          - type
                          - installed_kibana
                          - installed_es
                          - name
                          - version
                          - install_status
                          - install_source
                          - verification_status
                      internal:
                        type: boolean
                      keepPoliciesUpToDate:
                        type: boolean
                      latestVersion:
                        type: string
                      license:
                        type: string
                      licensePath:
                        type: string
                      name:
                        type: string
                      notice:
                        type: string
                      owner:
                        additionalProperties: true
                        type: object
                        properties:
                          github:
                            type: string
                          type:
                            enum:
                              - elastic
                              - partner
                              - community
                            type: string
                      path:
                        type: string
                      policy_templates:
                        items:
                          additionalProperties:
                            nullable: true
                          type: object
                        maxItems: 1000
                        type: array
                      readme:
                        type: string
                      release:
                        enum:
                          - ga
                          - beta
                          - experimental
                        type: string
                      screenshots:
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            dark_mode:
                              type: boolean
                            path:
                              type: string
                            size:
                              type: string
                            src:
                              type: string
                            title:
                              type: string
                            type:
                              type: string
                          required:
                            - src
                        maxItems: 100
                        type: array
                      signature_path:
                        type: string
                      source:
                        additionalProperties: true
                        type: object
                        properties:
                          license:
                            type: string
                        required:
                          - license
                      status:
                        type: string
                      title:
                        type: string
                      type:
                        anyOf:
                          - enum:
                              - integration
                            type: string
                          - enum:
                              - input
                            type: string
                          - enum:
                              - content
                            type: string
                          - type: string
                      var_groups:
                        items:
                          additionalProperties: true
                          type: object
                          properties:
                            description:
                              type: string
                            name:
                              type: string
                            options:
                              items:
                                additionalProperties: true
                                type: object
                                properties:
                                  description:
                                    type: string
                                  hide_in_deployment_modes:
                                    items:
                                      enum:
                                        - default
                                        - agentless
                                      type: string
                                    maxItems: 2
                                    type: array
                                  name:
                                    type: string
                                  title:
                                    type: string
                                  vars:
                                    items:
                                      type: string
                                    maxItems: 100
                                    type: array
                                required:
                                  - name
                                  - title
                                  - vars
                              maxItems: 100
                              type: array
                            selector_title:
                              type: string
                            title:
                              type: string
                          required:
                            - name
                            - title
                            - selector_title
                            - options
                        maxItems: 100
                        type: array
                      vars:
                        items:
                          additionalProperties:
                            nullable: true
                          type: object
                        maxItems: 1000
                        type: array
                      version:
                        type: string
                    required:
                      - name
                      - version
                      - title
                      - assets
                required:
                  - item
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Update package settings
      tags:
        - Elastic Package Manager (EPM)
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get the contents of a specific file from a package.<br/><br/>[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.
      operationId: get-fleet-epm-packages-pkgname-pkgversion-filepath
      parameters:
        - description: Package name
          in: path
          name: pkgName
          required: true
          schema:
            type: string
        - description: Package version
          in: path
          name: pkgVersion
          required: true
          schema:
            type: string
        - description: File path within the package
          in: path
          name: filePath
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                getPackageFileExample:
                  description: The content of the requested package file
                  value: <file content>
              schema: {}
          description: Successful response — returns the file content
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Get a package file
      tags:
        - Elastic Package Manager (EPM)
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/epm/packages/{pkgName}/{pkgVersion}/datastream_assets:
    delete:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/datastream_assets</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Delete data stream assets for a specific input package, by data stream name.<br/><br/>[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.
      operationId: delete-fleet-epm-packages-pkgname-pkgversion-datastream-assets
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: Package name
          in: path
          name: pkgName
          required: true
          schema:
            type: string
        - description: Package version
          in: path
          name: pkgVersion
          required: true
          schema:
            type: string
        - description: The ID of the package policy
          in: query
          name: packagePolicyId
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                deletePackageDatastreamAssetsExample:
                  description: Package datastream assets successfully deleted
                  value:
                    success: true
              schema:
                additionalProperties: false
                type: object
                properties:
                  success:
                    type: boolean
                required:
                  - success
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Delete assets for an input package
      tags:
        - Elastic Package Manager (EPM)
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/epm/packages/{pkgName}/{pkgVersion}/dependencies:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/dependencies</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get the list of packages that a specific package depends on.<br/><br/>[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.
      operationId: get-fleet-epm-packages-pkgname-pkgversion-dependencies
      parameters:
        - description: Package name
          in: path
          name: pkgName
          required: true
          schema:
            type: string
        - description: Package version
          in: path
          name: pkgVersion
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                dependenciesResponse:
                  value:
                    items:
                      - name: aws
                        title: AWS
                        version: ^2.0.0
                      - name: system
                        title: System
                        version: ^1.0.0
                noDependenciesResponse:
                  value:
                    items: []
              schema:
                additionalProperties: false
                type: object
                properties:
                  items:
                    items:
                      additionalProperties: false
                      type: object
                      properties:
                        name:
                          type: string
                        title:
                          type: string
                        version:
                          type: string
                      required:
                        - name
                        - version
                        - title
                    maxItems: 1000
                    type: array
                required:
                  - items
          description: 'OK: A successful request.'
        '400':
          content:
            application/json:
              examples:
                packageNotFoundResponse:
                  value:
                    message: '[my-package-1.0.0] package not found in registry'
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: A bad request.
      summary: Get package dependencies
      tags:
        - Elastic Package Manager (EPM)
      x-state: Generally available
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets:
    delete:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Delete Kibana assets (dashboards, visualizations, etc.) for a specific package version.<br/><br/>[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.
      operationId: delete-fleet-epm-packages-pkgname-pkgversion-kibana-assets
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: Package name
          in: path
          name: pkgName
          required: true
          schema:
            type: string
        - description: Package version
          in: path
          name: pkgVersion
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                deleteKibanaAssetsExample:
                  description: Kibana assets successfully deleted
                  value:
                    success: true
              schema:
                additionalProperties: false
                type: object
                properties:
                  success:
                    type: boolean
                required:
                  - success
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Delete Kibana assets for a package
      tags:
        - Elastic Package Manager (EPM)
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Install Kibana assets (dashboards, visualizations, etc.) for a specific package version.<br/><br/>[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.
      operationId: post-fleet-epm-packages-pkgname-pkgversion-kibana-assets
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: Package name
          in: path
          name: pkgName
          required: true
          schema:
            type: string
        - description: Package version
          in: path
          name: pkgVersion
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            examples:
              postInstallKibanaAssetsRequestExample:
                description: Install Kibana assets for a specific package version
                value: {}
            schema:
              additionalProperties: false
              nullable: true
              type: object
              properties:
                force:
                  type: boolean
                space_ids:
                  description: When provided, install assets in the specified spaces instead of the current space.
                  items:
                    type: string
                  maxItems: 100
                  minItems: 1
                  type: array
      responses:
        '200':
          content:
            application/json:
              examples:
                postInstallKibanaAssetsExample:
                  description: Kibana assets successfully installed
                  value:
                    success: true
              schema:
                additionalProperties: false
                type: object
                properties:
                  success:
                    type: boolean
                required:
                  - success
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Install Kibana assets for a package
      tags:
        - Elastic Package Manager (EPM)
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/epm/packages/{pkgName}/{pkgVersion}/rule_assets:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/rule_assets</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Install Kibana alert rule assets for a specific package version.<br/><br/>[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.
      operationId: post-fleet-epm-packages-pkgname-pkgversion-rule-assets
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: Package name
          in: path
          name: pkgName
          required: true
          schema:
            type: string
        - description: Package version
          in: path
          name: pkgVersion
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            examples:
              postInstallRuleAssetsRequestExample:
                description: Install alert rule assets for a specific package version
                value: {}
            schema:
              additionalProperties: false
              nullable: true
              type: object
              properties:
                force:
                  type: boolean
      responses:
        '200':
          content:
            application/json:
              examples:
                postInstallRuleAssetsExample:
                  description: Rule assets successfully installed
                  value:
                    success: true
              schema:
                additionalProperties: false
                type: object
                properties:
                  success:
                    type: boolean
                required:
                  - success
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Install Kibana alert rule assets for a package
      tags:
        - Elastic Package Manager (EPM)
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Reauthorize Elasticsearch transforms installed by a package with secondary authorization headers.
      operationId: post-fleet-epm-packages-pkgname-pkgversion-transforms-authorize
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: Package name
          in: path
          name: pkgName
          required: true
          schema:
            type: string
        - description: Package version
          in: path
          name: pkgVersion
          required: true
          schema:
            type: string
        - description: When true, allow prerelease versions
          in: query
          name: prerelease
          required: false
          schema:
            type: boolean
      requestBody:
        content:
          application/json:
            examples:
              postReauthorizeTransformsRequestExample:
                description: Reauthorize transforms for a package
                value:
                  transforms:
                    - transformId: logs-transform-1
            schema:
              additionalProperties: false
              type: object
              properties:
                transforms:
                  items:
                    additionalProperties: false
                    type: object
                    properties:
                      transformId:
                        type: string
                    required:
                      - transformId
                  maxItems: 1000
                  type: array
              required:
                - transforms
      responses:
        '200':
          content:
            application/json:
              examples:
                postReauthorizeTransformsExample:
                  description: Transforms successfully reauthorized
                  value:
                    - error: null
                      success: true
                      transformId: logs-transform-1
              schema:
                items:
                  additionalProperties: false
                  type: object
                  properties:
                    error:
                      nullable: true
                    success:
                      type: boolean
                    transformId:
                      type: string
                  required:
                    - transformId
                    - success
                    - error
                maxItems: 10000
                type: array
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Authorize transforms
      tags:
        - Elastic Package Manager (EPM)
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/epm/packages/{pkgName}/review_upgrade:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/epm/packages/{pkgName}/review_upgrade</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Review and accept or reject a pending policy upgrade for a package that contains deprecations.<br/><br/>[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.
      operationId: post-fleet-epm-packages-pkgname-review-upgrade
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: Package name to review upgrade for
          in: path
          name: pkgName
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            examples:
              acceptUpgrade:
                value:
                  action: accept
                  target_version: 2.0.0
            schema:
              additionalProperties: false
              type: object
              properties:
                action:
                  enum:
                    - accept
                    - decline
                    - pending
                  type: string
                target_version:
                  type: string
              required:
                - action
                - target_version
      responses:
        '200':
          content:
            application/json:
              examples:
                successResponse:
                  value:
                    success: true
              schema:
                additionalProperties: false
                type: object
                properties:
                  success:
                    type: boolean
                required:
                  - success
          description: 'OK: A successful request.'
        '400':
          content:
            application/json:
              examples:
                badRequestResponse:
                  value:
                    message: Bad Request
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: A bad request.
      summary: Review a pending policy upgrade for a package with deprecations
      tags:
        - Elastic Package Manager (EPM)
      x-state: Generally available
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/epm/packages/{pkgName}/rollback:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/epm/packages/{pkgName}/rollback</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Roll back a package to its previously installed version.<br/><br/>[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.
      operationId: post-fleet-epm-packages-pkgname-rollback
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: Package name to roll back
          in: path
          name: pkgName
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                successResponse:
                  value:
                    success: true
                    version: 1.0.0
              schema:
                additionalProperties: false
                type: object
                properties:
                  success:
                    type: boolean
                  version:
                    type: string
                required:
                  - version
                  - success
          description: 'OK: A successful request.'
        '400':
          content:
            application/json:
              examples:
                badRequestResponse:
                  value:
                    message: Bad Request
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: A bad request.
      summary: Roll back a package to its previous version
      tags:
        - Elastic Package Manager (EPM)
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/epm/packages/{pkgName}/stats:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/epm/packages/{pkgName}/stats</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get usage statistics for a specific package, such as the number of agent policies using it.<br/><br/>[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.
      operationId: get-fleet-epm-packages-pkgname-stats
      parameters:
        - description: Package name
          in: path
          name: pkgName
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                getPackageStatsExample:
                  description: Usage stats for a specific package
                  value:
                    response:
                      agent_policy_count: 3
              schema:
                additionalProperties: false
                type: object
                properties:
                  response:
                    additionalProperties: false
                    type: object
                    properties:
                      agent_policy_count:
                        type: number
                      package_policy_count:
                        type: number
                    required:
                      - agent_policy_count
                      - package_policy_count
                required:
                  - response
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Get package stats
      tags:
        - Elastic Package Manager (EPM)
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/epm/packages/installed:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/epm/packages/installed</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get a list of all currently installed integration packages.<br/><br/>[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.
      operationId: get-fleet-epm-packages-installed
      parameters:
        - description: Filter by data stream type
          in: query
          name: dataStreamType
          required: false
          schema:
            enum:
              - logs
              - metrics
              - traces
              - synthetics
              - profiling
            type: string
        - description: When true, only return packages with active data streams
          in: query
          name: showOnlyActiveDataStreams
          required: false
          schema:
            type: boolean
        - description: Filter packages by name
          in: query
          name: nameQuery
          required: false
          schema:
            type: string
        - description: Sort values from the previous page for `search_after` pagination
          in: query
          name: searchAfter
          required: false
          schema:
            items:
              anyOf:
                - type: string
                - type: number
            maxItems: 10
            type: array
        - description: Number of results per page
          in: query
          name: perPage
          required: false
          schema:
            default: 15
            type: number
        - description: Sort order, ascending or descending
          in: query
          name: sortOrder
          required: false
          schema:
            default: asc
            enum:
              - asc
              - desc
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                getInstalledPackagesExample:
                  description: List of installed integration packages
                  value:
                    items:
                      - name: system
                        status: installed
                        title: System
                        version: 1.55.0
                      - name: elastic_agent
                        status: installed
                        title: Elastic Agent
                        version: 1.15.0
                    searchExcluded: 0
                    total: 2
              schema:
                additionalProperties: false
                type: object
                properties:
                  items:
                    items:
                      additionalProperties: false
                      type: object
                      properties:
                        dataStreams:
                          items:
                            additionalProperties: false
                            type: object
                            properties:
                              name:
                                type: string
                              title:
                                type: string
                            required:
                              - name
                              - title
                          maxItems: 10000
                          type: array
                        description:
                          type: string
                        icons:
                          items:
                            additionalProperties: false
                            type: object
                            properties:
                              dark_mode:
                                type: boolean
                              path:
                                type: string
                              size:
                                type: string
                              src:
                                type: string
                              title:
                                type: string
                              type:
                                type: string
                            required:
                              - src
                          maxItems: 100
                          type: array
                        name:
                          type: string
                        status:
                          type: string
                        title:
                          type: string
                        version:
                          type: string
                      required:
                        - name
                        - version
                        - status
                        - dataStreams
                    maxItems: 10000
                    type: array
                  searchAfter:
                    items:
                      anyOf:
                        - type: string
                        - type: number
                        - type: boolean
                        - nullable: true
                      nullable: true
                    maxItems: 2
                    type: array
                  total:
                    type: number
                required:
                  - items
                  - total
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Get installed packages
      tags:
        - Elastic Package Manager (EPM)
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/epm/packages/limited:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/epm/packages/limited</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get the list of packages that cannot be uninstalled (e.g. elastic_agent, fleet_server).<br/><br/>[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.
      operationId: get-fleet-epm-packages-limited
      parameters: []
      responses:
        '200':
          content:
            application/json:
              examples:
                getLimitedPackagesExample:
                  description: List of packages that cannot be uninstalled
                  value:
                    items:
                      - elastic_agent
                      - fleet_server
              schema:
                additionalProperties: false
                type: object
                properties:
                  items:
                    items:
                      type: string
                    maxItems: 10000
                    type: array
                required:
                  - items
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Get a limited package list
      tags:
        - Elastic Package Manager (EPM)
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get an inputs template for a package, used to pre-populate package policy forms.<br/><br/>[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.
      operationId: get-fleet-epm-templates-pkgname-pkgversion-inputs
      parameters:
        - description: Package name
          in: path
          name: pkgName
          required: true
          schema:
            type: string
        - description: Package version
          in: path
          name: pkgVersion
          required: true
          schema:
            type: string
        - description: 'Output format for the inputs template: json, yml, or yaml'
          in: query
          name: format
          required: false
          schema:
            default: json
            enum:
              - json
              - yml
              - yaml
            type: string
        - description: When true, allow prerelease versions
          in: query
          name: prerelease
          required: false
          schema:
            type: boolean
        - description: When true, return inputs even if the package signature cannot be verified
          in: query
          name: ignoreUnverified
          required: false
          schema:
            type: boolean
      responses:
        '200':
          content:
            application/json:
              examples:
                getInputsTemplateExample:
                  description: Inputs template for a package
                  value:
                    inputs:
                      - description: Collect logs from log files
                        title: Collect logs from files
                        type: logfile
                        vars:
                          - name: paths
                            required: true
                            title: Paths
                            type: text
              schema:
                anyOf:
                  - type: string
                  - additionalProperties: false
                    type: object
                    properties:
                      connectors:
                        additionalProperties:
                          nullable: true
                        type: object
                      exporters:
                        additionalProperties:
                          nullable: true
                        type: object
                      extensions:
                        additionalProperties:
                          nullable: true
                        type: object
                      inputs:
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            id:
                              type: string
                            streams:
                              items:
                                additionalProperties: true
                                type: object
                                properties:
                                  data_stream:
                                    additionalProperties: true
                                    type: object
                                    properties:
                                      dataset:
                                        type: string
                                      type:
                                        type: string
                                    required:
                                      - dataset
                                  id:
                                    type: string
                                required:
                                  - id
                                  - data_stream
                              maxItems: 10000
                              type: array
                            type:
                              type: string
                          required:
                            - id
                            - type
                        maxItems: 10000
                        type: array
                      processors:
                        additionalProperties:
                          nullable: true
                        type: object
                      receivers:
                        additionalProperties:
                          nullable: true
                        type: object
                      service:
                        additionalProperties: false
                        type: object
                        properties:
                          extensions:
                            items:
                              type: string
                            maxItems: 1000
                            type: array
                          pipelines:
                            additionalProperties:
                              additionalProperties: false
                              type: object
                              properties:
                                exporters:
                                  items:
                                    type: string
                                  maxItems: 1000
                                  type: array
                                processors:
                                  items:
                                    type: string
                                  maxItems: 1000
                                  type: array
                                receivers:
                                  items:
                                    type: string
                                  maxItems: 1000
                                  type: array
                              x-oas-optional: true
                            type: object
                    required:
                      - inputs
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Get an inputs template
      tags:
        - Elastic Package Manager (EPM)
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/epm/verification_key_id:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/epm/verification_key_id</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get the GPG key ID used to verify the signatures of packages from the Elastic Package Registry.<br/><br/>[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.
      operationId: get-fleet-epm-verification-key-id
      parameters: []
      responses:
        '200':
          content:
            application/json:
              examples:
                getVerificationKeyIdExample:
                  description: The GPG key ID used to verify package signatures
                  value:
                    id: D27D666CD88E42B4
              schema:
                additionalProperties: false
                type: object
                properties:
                  id:
                    nullable: true
                    type: string
                required:
                  - id
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Get a package signature verification key ID
      tags:
        - Elastic Package Manager (EPM)
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/fleet_server_hosts:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/fleet_server_hosts</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        List all Fleet Server hosts.<br/><br/>[Required authorization] Route required privileges: fleet-agents-all OR fleet-settings-read.
      operationId: get-fleet-fleet-server-hosts
      parameters: []
      responses:
        '200':
          content:
            application/json:
              examples:
                getFleetServerHostsExample:
                  description: List of Fleet Server hosts
                  value:
                    items:
                      - host_urls:
                          - https://fleet-server.example.com:8220
                        id: fleet-server-host-id-1
                        is_default: true
                        is_preconfigured: false
                        name: Default Fleet Server
                    page: 1
                    perPage: 20
                    total: 1
              schema:
                additionalProperties: false
                type: object
                properties:
                  items:
                    items:
                      additionalProperties: false
                      type: object
                      properties:
                        host_urls:
                          items:
                            type: string
                          maxItems: 10
                          minItems: 1
                          type: array
                        id:
                          type: string
                        is_default:
                          default: false
                          type: boolean
                        is_internal:
                          type: boolean
                        is_preconfigured:
                          default: false
                          type: boolean
                        name:
                          type: string
                        proxy_id:
                          nullable: true
                          type: string
                        secrets:
                          additionalProperties: false
                          type: object
                          properties:
                            ssl:
                              additionalProperties: false
                              type: object
                              properties:
                                agent_key:
                                  anyOf:
                                    - additionalProperties: false
                                      type: object
                                      properties:
                                        id:
                                          type: string
                                      required:
                                        - id
                                    - type: string
                                es_key:
                                  anyOf:
                                    - additionalProperties: false
                                      type: object
                                      properties:
                                        id:
                                          type: string
                                      required:
                                        - id
                                    - type: string
                                key:
                                  anyOf:
                                    - additionalProperties: false
                                      type: object
                                      properties:
                                        id:
                                          type: string
                                      required:
                                        - id
                                    - type: string
                        ssl:
                          additionalProperties: false
                          nullable: true
                          type: object
                          properties:
                            agent_certificate:
                              type: string
                            agent_certificate_authorities:
                              items:
                                type: string
                              maxItems: 10
                              type: array
                            agent_key:
                              type: string
                            certificate:
                              type: string
                            certificate_authorities:
                              items:
                                type: string
                              maxItems: 10
                              type: array
                            client_auth:
                              enum:
                                - optional
                                - required
                                - none
                              type: string
                            es_certificate:
                              type: string
                            es_certificate_authorities:
                              items:
                                type: string
                              maxItems: 10
                              type: array
                            es_key:
                              type: string
                            key:
                              type: string
                      required:
                        - name
                        - host_urls
                        - id
                    maxItems: 10000
                    type: array
                  page:
                    type: number
                  perPage:
                    type: number
                  total:
                    type: number
                required:
                  - items
                  - total
                  - page
                  - perPage
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Get Fleet Server hosts
      tags:
        - Fleet Server hosts
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/fleet_server_hosts</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Create a new Fleet Server host.<br/><br/>[Required authorization] Route required privileges: fleet-settings-all.
      operationId: post-fleet-fleet-server-hosts
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            examples:
              postFleetServerHostRequestExample:
                description: Create a new Fleet Server host
                value:
                  host_urls:
                    - https://fleet-server.example.com:8220
                  is_default: false
                  name: My Fleet Server
            schema:
              additionalProperties: false
              type: object
              properties:
                host_urls:
                  items:
                    type: string
                  maxItems: 10
                  minItems: 1
                  type: array
                id:
                  type: string
                is_default:
                  default: false
                  type: boolean
                is_internal:
                  type: boolean
                is_preconfigured:
                  default: false
                  type: boolean
                name:
                  type: string
                proxy_id:
                  nullable: true
                  type: string
                secrets:
                  additionalProperties: false
                  type: object
                  properties:
                    ssl:
                      additionalProperties: false
                      type: object
                      properties:
                        agent_key:
                          anyOf:
                            - additionalProperties: false
                              type: object
                              properties:
                                id:
                                  type: string
                              required:
                                - id
                            - type: string
                        es_key:
                          anyOf:
                            - additionalProperties: false
                              type: object
                              properties:
                                id:
                                  type: string
                              required:
                                - id
                            - type: string
                        key:
                          anyOf:
                            - additionalProperties: false
                              type: object
                              properties:
                                id:
                                  type: string
                              required:
                                - id
                            - type: string
                ssl:
                  additionalProperties: false
                  nullable: true
                  type: object
                  properties:
                    agent_certificate:
                      type: string
                    agent_certificate_authorities:
                      items:
                        type: string
                      maxItems: 10
                      type: array
                    agent_key:
                      type: string
                    certificate:
                      type: string
                    certificate_authorities:
                      items:
                        type: string
                      maxItems: 10
                      type: array
                    client_auth:
                      enum:
                        - optional
                        - required
                        - none
                      type: string
                    es_certificate:
                      type: string
                    es_certificate_authorities:
                      items:
                        type: string
                      maxItems: 10
                      type: array
                    es_key:
                      type: string
                    key:
                      type: string
              required:
                - name
                - host_urls
      responses:
        '200':
          content:
            application/json:
              examples:
                postFleetServerHostExample:
                  description: The created Fleet Server host
                  value:
                    item:
                      host_urls:
                        - https://fleet-server.example.com:8220
                      id: fleet-server-host-id-2
                      is_default: false
                      is_preconfigured: false
                      name: My Fleet Server
              schema:
                additionalProperties: false
                type: object
                properties:
                  item:
                    additionalProperties: false
                    type: object
                    properties:
                      host_urls:
                        items:
                          type: string
                        maxItems: 10
                        minItems: 1
                        type: array
                      id:
                        type: string
                      is_default:
                        default: false
                        type: boolean
                      is_internal:
                        type: boolean
                      is_preconfigured:
                        default: false
                        type: boolean
                      name:
                        type: string
                      proxy_id:
                        nullable: true
                        type: string
                      secrets:
                        additionalProperties: false
                        type: object
                        properties:
                          ssl:
                            additionalProperties: false
                            type: object
                            properties:
                              agent_key:
                                anyOf:
                                  - additionalProperties: false
                                    type: object
                                    properties:
                                      id:
                                        type: string
                                    required:
                                      - id
                                  - type: string
                              es_key:
                                anyOf:
                                  - additionalProperties: false
                                    type: object
                                    properties:
                                      id:
                                        type: string
                                    required:
                                      - id
                                  - type: string
                              key:
                                anyOf:
                                  - additionalProperties: false
                                    type: object
                                    properties:
                                      id:
                                        type: string
                                    required:
                                      - id
                                  - type: string
                      ssl:
                        additionalProperties: false
                        nullable: true
                        type: object
                        properties:
                          agent_certificate:
                            type: string
                          agent_certificate_authorities:
                            items:
                              type: string
                            maxItems: 10
                            type: array
                          agent_key:
                            type: string
                          certificate:
                            type: string
                          certificate_authorities:
                            items:
                              type: string
                            maxItems: 10
                            type: array
                          client_auth:
                            enum:
                              - optional
                              - required
                              - none
                            type: string
                          es_certificate:
                            type: string
                          es_certificate_authorities:
                            items:
                              type: string
                            maxItems: 10
                            type: array
                          es_key:
                            type: string
                          key:
                            type: string
                    required:
                      - name
                      - host_urls
                      - id
                required:
                  - item
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Create a Fleet Server host
      tags:
        - Fleet Server hosts
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/fleet_server_hosts/{itemId}:
    delete:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/fleet_server_hosts/{itemId}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Delete a Fleet Server host by ID.<br/><br/>[Required authorization] Route required privileges: fleet-settings-all.
      operationId: delete-fleet-fleet-server-hosts-itemid
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The ID of the Fleet Server host
          in: path
          name: itemId
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                deleteFleetServerHostExample:
                  description: The Fleet Server host was successfully deleted
                  value:
                    id: fleet-server-host-id-1
              schema:
                additionalProperties: false
                type: object
                properties:
                  id:
                    type: string
                required:
                  - id
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
        '404':
          content:
            application/json:
              examples:
                notFoundExample:
                  description: No Fleet Server host was found with the given ID
                  value:
                    error: Not Found
                    message: Fleet server fleet-server-host-id-1 not found
                    statusCode: 404
          description: Not Found
      summary: Delete a Fleet Server host
      tags:
        - Fleet Server hosts
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/fleet_server_hosts/{itemId}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get a Fleet Server host by ID.<br/><br/>[Required authorization] Route required privileges: fleet-settings-read.
      operationId: get-fleet-fleet-server-hosts-itemid
      parameters:
        - description: The ID of the Fleet Server host
          in: path
          name: itemId
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                getFleetServerHostExample:
                  description: A Fleet Server host
                  value:
                    item:
                      host_urls:
                        - https://fleet-server.example.com:8220
                      id: fleet-server-host-id-1
                      is_default: true
                      is_preconfigured: false
                      name: Default Fleet Server
              schema:
                additionalProperties: false
                type: object
                properties:
                  item:
                    additionalProperties: false
                    type: object
                    properties:
                      host_urls:
                        items:
                          type: string
                        maxItems: 10
                        minItems: 1
                        type: array
                      id:
                        type: string
                      is_default:
                        default: false
                        type: boolean
                      is_internal:
                        type: boolean
                      is_preconfigured:
                        default: false
                        type: boolean
                      name:
                        type: string
                      proxy_id:
                        nullable: true
                        type: string
                      secrets:
                        additionalProperties: false
                        type: object
                        properties:
                          ssl:
                            additionalProperties: false
                            type: object
                            properties:
                              agent_key:
                                anyOf:
                                  - additionalProperties: false
                                    type: object
                                    properties:
                                      id:
                                        type: string
                                    required:
                                      - id
                                  - type: string
                              es_key:
                                anyOf:
                                  - additionalProperties: false
                                    type: object
                                    properties:
                                      id:
                                        type: string
                                    required:
                                      - id
                                  - type: string
                              key:
                                anyOf:
                                  - additionalProperties: false
                                    type: object
                                    properties:
                                      id:
                                        type: string
                                    required:
                                      - id
                                  - type: string
                      ssl:
                        additionalProperties: false
                        nullable: true
                        type: object
                        properties:
                          agent_certificate:
                            type: string
                          agent_certificate_authorities:
                            items:
                              type: string
                            maxItems: 10
                            type: array
                          agent_key:
                            type: string
                          certificate:
                            type: string
                          certificate_authorities:
                            items:
                              type: string
                            maxItems: 10
                            type: array
                          client_auth:
                            enum:
                              - optional
                              - required
                              - none
                            type: string
                          es_certificate:
                            type: string
                          es_certificate_authorities:
                            items:
                              type: string
                            maxItems: 10
                            type: array
                          es_key:
                            type: string
                          key:
                            type: string
                    required:
                      - name
                      - host_urls
                      - id
                required:
                  - item
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
        '404':
          content:
            application/json:
              examples:
                notFoundExample:
                  description: No Fleet Server host was found with the given ID
                  value:
                    error: Not Found
                    message: Fleet server fleet-server-host-id-1 not found
                    statusCode: 404
          description: Not Found
      summary: Get a Fleet Server host
      tags:
        - Fleet Server hosts
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    put:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb put">put</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/fleet_server_hosts/{itemId}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Update a Fleet Server host by ID.<br/><br/>[Required authorization] Route required privileges: fleet-settings-all.
      operationId: put-fleet-fleet-server-hosts-itemid
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The ID of the Fleet Server host
          in: path
          name: itemId
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            examples:
              putFleetServerHostRequestExample:
                description: Update a Fleet Server host
                value:
                  host_urls:
                    - https://updated-fleet-server.example.com:8220
                  is_default: false
                  name: Updated Fleet Server
            schema:
              additionalProperties: false
              type: object
              properties:
                host_urls:
                  items:
                    type: string
                  maxItems: 10
                  minItems: 1
                  type: array
                is_default:
                  type: boolean
                is_internal:
                  type: boolean
                name:
                  type: string
                proxy_id:
                  nullable: true
                  type: string
                secrets:
                  additionalProperties: false
                  type: object
                  properties:
                    ssl:
                      additionalProperties: false
                      type: object
                      properties:
                        agent_key:
                          anyOf:
                            - additionalProperties: false
                              type: object
                              properties:
                                id:
                                  type: string
                              required:
                                - id
                            - type: string
                        es_key:
                          anyOf:
                            - additionalProperties: false
                              type: object
                              properties:
                                id:
                                  type: string
                              required:
                                - id
                            - type: string
                        key:
                          anyOf:
                            - additionalProperties: false
                              type: object
                              properties:
                                id:
                                  type: string
                              required:
                                - id
                            - type: string
                ssl:
                  additionalProperties: false
                  nullable: true
                  type: object
                  properties:
                    agent_certificate:
                      type: string
                    agent_certificate_authorities:
                      items:
                        type: string
                      maxItems: 10
                      type: array
                    agent_key:
                      type: string
                    certificate:
                      type: string
                    certificate_authorities:
                      items:
                        type: string
                      maxItems: 10
                      type: array
                    client_auth:
                      enum:
                        - optional
                        - required
                        - none
                      type: string
                    es_certificate:
                      type: string
                    es_certificate_authorities:
                      items:
                        type: string
                      maxItems: 10
                      type: array
                    es_key:
                      type: string
                    key:
                      type: string
              required:
                - proxy_id
      responses:
        '200':
          content:
            application/json:
              examples:
                putFleetServerHostExample:
                  description: The updated Fleet Server host
                  value:
                    item:
                      host_urls:
                        - https://updated-fleet-server.example.com:8220
                      id: fleet-server-host-id-1
                      is_default: false
                      is_preconfigured: false
                      name: Updated Fleet Server
              schema:
                additionalProperties: false
                type: object
                properties:
                  item:
                    additionalProperties: false
                    type: object
                    properties:
                      host_urls:
                        items:
                          type: string
                        maxItems: 10
                        minItems: 1
                        type: array
                      id:
                        type: string
                      is_default:
                        default: false
                        type: boolean
                      is_internal:
                        type: boolean
                      is_preconfigured:
                        default: false
                        type: boolean
                      name:
                        type: string
                      proxy_id:
                        nullable: true
                        type: string
                      secrets:
                        additionalProperties: false
                        type: object
                        properties:
                          ssl:
                            additionalProperties: false
                            type: object
                            properties:
                              agent_key:
                                anyOf:
                                  - additionalProperties: false
                                    type: object
                                    properties:
                                      id:
                                        type: string
                                    required:
                                      - id
                                  - type: string
                              es_key:
                                anyOf:
                                  - additionalProperties: false
                                    type: object
                                    properties:
                                      id:
                                        type: string
                                    required:
                                      - id
                                  - type: string
                              key:
                                anyOf:
                                  - additionalProperties: false
                                    type: object
                                    properties:
                                      id:
                                        type: string
                                    required:
                                      - id
                                  - type: string
                      ssl:
                        additionalProperties: false
                        nullable: true
                        type: object
                        properties:
                          agent_certificate:
                            type: string
                          agent_certificate_authorities:
                            items:
                              type: string
                            maxItems: 10
                            type: array
                          agent_key:
                            type: string
                          certificate:
                            type: string
                          certificate_authorities:
                            items:
                              type: string
                            maxItems: 10
                            type: array
                          client_auth:
                            enum:
                              - optional
                              - required
                              - none
                            type: string
                          es_certificate:
                            type: string
                          es_certificate_authorities:
                            items:
                              type: string
                            maxItems: 10
                            type: array
                          es_key:
                            type: string
                          key:
                            type: string
                    required:
                      - name
                      - host_urls
                      - id
                required:
                  - item
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
        '404':
          content:
            application/json:
              examples:
                notFoundExample:
                  description: No Fleet Server host was found with the given ID
                  value:
                    error: Not Found
                    message: Fleet server fleet-server-host-id-1 not found
                    statusCode: 404
          description: Not Found
      summary: Update a Fleet Server host
      tags:
        - Fleet Server hosts
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/health_check:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/health_check</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Check the health status of a Fleet Server instance by its host ID. Returns the server status and name if available.<br/><br/>[Required authorization] Route required privileges: fleet-settings-all.
      operationId: post-fleet-health-check
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            examples:
              postHealthCheckRequestExample:
                description: Check the health of a Fleet Server instance by its host ID
                value:
                  id: fleet-server-host-id-1
            schema:
              additionalProperties: false
              type: object
              properties:
                id:
                  type: string
              required:
                - id
      responses:
        '200':
          content:
            application/json:
              examples:
                postHealthCheckHealthyExample:
                  description: Fleet Server is online and healthy
                  value:
                    name: fleet-server-1
                    status: ONLINE
                postHealthCheckUnreachableExample:
                  description: Fleet Server host is not reachable (request timed out or aborted)
                  value:
                    host_id: fleet-server-host-id-1
                    status: OFFLINE
              schema:
                additionalProperties: false
                type: object
                properties:
                  host_id:
                    type: string
                  name:
                    type: string
                  status:
                    type: string
                required:
                  - status
          description: Successful health check response
        '400':
          content:
            application/json:
              examples:
                badRequestExample:
                  description: The host ID exists but has no associated host URLs configured
                  value:
                    error: Bad Request
                    message: The requested host id fleet-server-host-id-1 does not have associated host urls.
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
        '404':
          content:
            application/json:
              examples:
                notFoundExample:
                  description: No Fleet Server host was found with the given ID
                  value:
                    error: Not Found
                    message: The requested host id fleet-server-host-id-1 does not exist.
                    statusCode: 404
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Not Found
      summary: Check Fleet Server health
      tags:
        - Fleet internals
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/kubernetes:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/kubernetes</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get the Kubernetes manifest for deploying Elastic Agent.<br/><br/>[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-setup.
      operationId: get-fleet-kubernetes
      parameters:
        - description: If true, returns the manifest as a downloadable file
          in: query
          name: download
          required: false
          schema:
            type: boolean
        - description: Fleet Server host URL to include in the manifest
          in: query
          name: fleetServer
          required: false
          schema:
            type: string
        - description: Enrollment token to include in the manifest
          in: query
          name: enrolToken
          required: false
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                getK8sManifestExample:
                  description: The Kubernetes manifest for deploying Elastic Agent
                  value:
                    item: "apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: agent-node-datastreams\n  namespace: kube-system\n"
              schema:
                additionalProperties: false
                type: object
                properties:
                  item:
                    type: string
                required:
                  - item
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Get a full K8s agent manifest
      tags:
        - Elastic Agent policies
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/kubernetes/download:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/kubernetes/download</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Download the Kubernetes manifest for deploying Elastic Agent.<br/><br/>[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-setup.
      operationId: get-fleet-kubernetes-download
      parameters:
        - description: If true, returns the manifest as a downloadable file
          in: query
          name: download
          required: false
          schema:
            type: boolean
        - description: Fleet Server host URL to include in the manifest
          in: query
          name: fleetServer
          required: false
          schema:
            type: string
        - description: Enrollment token to include in the manifest
          in: query
          name: enrolToken
          required: false
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                getDownloadK8sManifestExample:
                  description: The Kubernetes manifest download
                  value: "apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: agent-node-datastreams\n  namespace: kube-system\n"
              schema:
                type: string
          description: Successful response — returns the Kubernetes manifest as a YAML file download
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
        '404':
          content:
            application/json:
              examples:
                notFoundExample:
                  description: No manifest was found
                  value:
                    error: Not Found
                    message: Agent manifest not found
                    statusCode: 404
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Not Found
      summary: Download an agent manifest
      tags:
        - Elastic Agent policies
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/logstash_api_keys:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/logstash_api_keys</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Generate an API key for Logstash to use with a Fleet output.<br/><br/>[Required authorization] Route required privileges: fleet-settings-all.
      operationId: post-fleet-logstash-api-keys
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                postLogstashApiKeyExample:
                  description: The generated Logstash API key
                  value:
                    api_key: TiNAGG4BaaMdaH1tRfuU:KnR6yE41RrSowb0kQ0HWoA
              schema:
                additionalProperties: false
                type: object
                properties:
                  api_key:
                    type: string
                required:
                  - api_key
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Generate a Logstash API key
      tags:
        - Fleet outputs
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/message_signing_service/rotate_key_pair:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/message_signing_service/rotate_key_pair</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Rotate the key pair used by Fleet to sign messages sent to Elastic Agents. This operation is irreversible and requires all agents in the Fleet to be re-enrolled after rotation. You must explicitly acknowledge the risk by passing `acknowledge=true` as a query parameter.<br/><br/>[Required authorization] Route required privileges: fleet-agents-all AND fleet-agent-policies-all AND fleet-settings-all.
      operationId: post-fleet-message-signing-service-rotate-key-pair
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: Set to true to confirm you understand the risks of rotating the key pair
          in: query
          name: acknowledge
          required: false
          schema:
            default: false
            type: boolean
      responses:
        '200':
          content:
            application/json:
              examples:
                rotateKeyPairSuccessExample:
                  description: The key pair was rotated. All agents must be re-enrolled to receive the new signing key.
                  value:
                    message: Key pair rotated successfully.
              schema:
                additionalProperties: false
                type: object
                properties:
                  message:
                    type: string
                required:
                  - message
          description: Key pair rotated successfully
        '400':
          content:
            application/json:
              examples:
                acknowledgeRequiredExample:
                  description: Request was rejected because the acknowledge query parameter was not set to true
                  value:
                    error: Bad Request
                    message: 'Warning: this API will cause a key pair to rotate and should not be necessary in normal operation.  If you proceed, you may need to reinstall Agents in your network. You must acknowledge the risks of rotating the key pair with acknowledge=true in the request parameters.  For more information, reach out to your administrator.'
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
        '500':
          content:
            application/json:
              examples:
                serviceUnavailableExample:
                  description: The message signing service is not available
                  value:
                    error: Internal Server Error
                    message: Failed to rotate key pair. Message signing service is unavailable!
                    statusCode: 500
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Internal Server Error
      summary: Rotate a Fleet message signing key pair
      tags:
        - Message Signing Service
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/outputs:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/outputs</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        List all Fleet outputs.<br/><br/>[Required authorization] Route required privileges: fleet-settings-read OR fleet-agent-policies-read.
      operationId: get-fleet-outputs
      parameters: []
      responses:
        '200':
          content:
            application/json:
              examples:
                getOutputsExample:
                  description: List of Fleet outputs
                  value:
                    items:
                      - hosts:
                          - https://elasticsearch.example.com:9200
                        id: output-id-1
                        is_default: true
                        is_default_monitoring: true
                        name: Default output
                        type: elasticsearch
                    page: 1
                    perPage: 20
                    total: 1
              schema:
                additionalProperties: false
                type: object
                properties:
                  items:
                    items:
                      anyOf:
                        - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch'
                        - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch'
                        - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash'
                        - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka'
                    maxItems: 10000
                    type: array
                  page:
                    type: number
                  perPage:
                    type: number
                  total:
                    type: number
                required:
                  - items
                  - total
                  - page
                  - perPage
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Get outputs
      tags:
        - Fleet outputs
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/outputs</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Create a new Fleet output.<br/><br/>[Required authorization] Route required privileges: fleet-settings-all.
      operationId: post-fleet-outputs
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            examples:
              postOutputRequestExample:
                description: Create a new Elasticsearch output
                value:
                  hosts:
                    - https://elasticsearch.example.com:9200
                  is_default: false
                  is_default_monitoring: false
                  name: My output
                  type: elasticsearch
            schema:
              anyOf:
                - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_elasticsearch'
                - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_remote_elasticsearch'
                - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_logstash'
                - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_kafka'
      responses:
        '200':
          content:
            application/json:
              examples:
                postOutputExample:
                  description: The created Fleet output
                  value:
                    item:
                      hosts:
                        - https://elasticsearch.example.com:9200
                      id: output-id-2
                      is_default: false
                      is_default_monitoring: false
                      name: My output
                      type: elasticsearch
              schema:
                additionalProperties: false
                type: object
                properties:
                  item:
                    anyOf:
                      - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch'
                      - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch'
                      - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash'
                      - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka'
                required:
                  - item
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Create output
      tags:
        - Fleet outputs
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/outputs/{outputId}:
    delete:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/outputs/{outputId}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Delete output by ID.<br/><br/>[Required authorization] Route required privileges: fleet-settings-all.
      operationId: delete-fleet-outputs-outputid
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The ID of the output
          in: path
          name: outputId
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                deleteOutputExample:
                  description: The output was successfully deleted
                  value:
                    id: output-id-1
              schema:
                additionalProperties: false
                type: object
                properties:
                  id:
                    type: string
                required:
                  - id
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
        '404':
          content:
            application/json:
              examples:
                notFoundExample:
                  description: No output was found with the given ID
                  value:
                    error: Not Found
                    message: Output output-id-1 not found
                    statusCode: 404
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Not Found
      summary: Delete output
      tags:
        - Fleet outputs
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/outputs/{outputId}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get output by ID.<br/><br/>[Required authorization] Route required privileges: fleet-settings-read OR fleet-agent-policies-read.
      operationId: get-fleet-outputs-outputid
      parameters:
        - description: The ID of the output
          in: path
          name: outputId
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                getOutputExample:
                  description: A Fleet output
                  value:
                    item:
                      hosts:
                        - https://elasticsearch.example.com:9200
                      id: output-id-1
                      is_default: true
                      is_default_monitoring: true
                      name: Default output
                      type: elasticsearch
              schema:
                additionalProperties: false
                type: object
                properties:
                  item:
                    anyOf:
                      - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch'
                      - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch'
                      - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash'
                      - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka'
                required:
                  - item
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
        '404':
          content:
            application/json:
              examples:
                notFoundExample:
                  description: No output was found with the given ID
                  value:
                    error: Not Found
                    message: Output output-id-1 not found
                    statusCode: 404
          description: Not Found
      summary: Get output
      tags:
        - Fleet outputs
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    put:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb put">put</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/outputs/{outputId}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Update output by ID.<br/><br/>[Required authorization] Route required privileges: fleet-settings-all OR fleet-agent-policies-all.
      operationId: put-fleet-outputs-outputid
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The ID of the output
          in: path
          name: outputId
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            examples:
              putOutputRequestExample:
                description: Update a Fleet output
                value:
                  hosts:
                    - https://updated-elasticsearch.example.com:9200
                  name: Updated output
            schema:
              anyOf:
                - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_elasticsearch'
                - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_remote_elasticsearch'
                - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_logstash'
                - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_kafka'
      responses:
        '200':
          content:
            application/json:
              examples:
                putOutputExample:
                  description: The updated Fleet output
                  value:
                    item:
                      hosts:
                        - https://updated-elasticsearch.example.com:9200
                      id: output-id-1
                      is_default: true
                      is_default_monitoring: true
                      name: Updated output
                      type: elasticsearch
              schema:
                additionalProperties: false
                type: object
                properties:
                  item:
                    anyOf:
                      - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch'
                      - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch'
                      - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash'
                      - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka'
                required:
                  - item
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
        '404':
          content:
            application/json:
              examples:
                notFoundExample:
                  description: No output was found with the given ID
                  value:
                    error: Not Found
                    message: Output output-id-1 not found
                    statusCode: 404
          description: Not Found
      summary: Update output
      tags:
        - Fleet outputs
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/outputs/{outputId}/health:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/outputs/{outputId}/health</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get the latest health status of an output by ID.<br/><br/>[Required authorization] Route required privileges: fleet-settings-read.
      operationId: get-fleet-outputs-outputid-health
      parameters:
        - description: The ID of the output
          in: path
          name: outputId
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                getOutputHealthExample:
                  description: The latest health status of a Fleet output
                  value:
                    message: ''
                    state: HEALTHY
                    timestamp: '2024-01-15T10:00:00.000Z'
              schema:
                additionalProperties: false
                type: object
                properties:
                  message:
                    description: long message if unhealthy
                    type: string
                  state:
                    description: state of output, HEALTHY or DEGRADED
                    type: string
                  timestamp:
                    description: timestamp of reported state
                    type: string
                required:
                  - state
                  - message
                  - timestamp
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Get the latest output health
      tags:
        - Fleet outputs
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/package_policies:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/package_policies</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        List all package policies.
      operationId: get-fleet-package-policies
      parameters:
        - description: Page number
          in: query
          name: page
          required: false
          schema:
            type: number
        - description: Number of results per page
          in: query
          name: perPage
          required: false
          schema:
            type: number
        - description: Field to sort results by
          in: query
          name: sortField
          required: false
          schema:
            type: string
        - description: Sort order, ascending or descending
          in: query
          name: sortOrder
          required: false
          schema:
            enum:
              - desc
              - asc
            type: string
        - description: When true, only show policies with available upgrades
          in: query
          name: showUpgradeable
          required: false
          schema:
            type: boolean
        - description: A KQL query string to filter results
          in: query
          name: kuery
          required: false
          schema:
            type: string
        - description: 'Format for the response: simplified or legacy'
          in: query
          name: format
          required: false
          schema:
            enum:
              - simplified
              - legacy
            type: string
        - description: When true, include the agent count per package policy
          in: query
          name: withAgentCount
          required: false
          schema:
            type: boolean
      responses:
        '200':
          content:
            application/json:
              examples:
                getPackagePoliciesExample:
                  description: List of package policies
                  value:
                    items:
                      - created_at: '2024-01-15T10:00:00.000Z'
                        enabled: true
                        id: package-policy-id-1
                        inputs: []
                        name: nginx-1
                        namespace: default
                        package:
                          name: nginx
                          title: Nginx
                          version: 1.20.0
                        policy_ids:
                          - agent-policy-id-1
                        updated_at: '2024-01-15T10:00:00.000Z'
                    page: 1
                    perPage: 20
                    total: 1
              schema:
                additionalProperties: false
                type: object
                properties:
                  items:
                    items:
                      additionalProperties: false
                      type: object
                      properties:
                        additional_datastreams_permissions:
                          description: Additional data stream permissions that will be added to the agent policy.
                          items:
                            type: string
                          maxItems: 1000
                          nullable: true
                          type: array
                        agents:
                          type: number
                        cloud_connector_id:
                          description: ID of the cloud connector associated with this package policy.
                          nullable: true
                          type: string
                        cloud_connector_name:
                          description: Transient field for cloud connector name during creation.
                          maxLength: 255
                          minLength: 1
                          nullable: true
                          type: string
                        created_at:
                          type: string
                        created_by:
                          type: string
                        description:
                          description: Package policy description
                          type: string
                        elasticsearch:
                          additionalProperties: true
                          type: object
                          properties:
                            privileges:
                              additionalProperties: true
                              type: object
                              properties:
                                cluster:
                                  items:
                                    type: string
                                  maxItems: 100
                                  type: array
                        enabled:
                          type: boolean
                        global_data_tags:
                          items:
                            additionalProperties: false
                            type: object
                            properties:
                              name:
                                description: The name of the custom field. Cannot contain spaces.
                                type: string
                              value:
                                anyOf:
                                  - type: string
                                  - type: number
                                description: The value of the custom field.
                            required:
                              - name
                              - value
                          maxItems: 100
                          nullable: true
                          type: array
                        id:
                          description: Package policy unique identifier.
                          type: string
                        inputs:
                          anyOf:
                            - items:
                                additionalProperties: false
                                type: object
                                properties:
                                  compiled_input:
                                    nullable: true
                                  config:
                                    additionalProperties:
                                      additionalProperties: false
                                      type: object
                                      properties:
                                        frozen:
                                          type: boolean
                                        type:
                                          type: string
                                        value:
                                          nullable: true
                                      required:
                                        - value
                                    description: Package variable (see integration documentation for more information)
                                    type: object
                                  deprecated:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      description:
                                        type: string
                                      replaced_by:
                                        additionalProperties:
                                          type: string
                                        type: object
                                      since:
                                        type: string
                                    required:
                                      - description
                                  enabled:
                                    type: boolean
                                  id:
                                    type: string
                                  keep_enabled:
                                    type: boolean
                                  migrate_from:
                                    type: string
                                  name:
                                    type: string
                                  policy_template:
                                    type: string
                                  streams:
                                    items:
                                      additionalProperties: false
                                      type: object
                                      properties:
                                        compiled_stream:
                                          nullable: true
                                        config:
                                          additionalProperties:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              frozen:
                                                type: boolean
                                              type:
                                                type: string
                                              value:
                                                nullable: true
                                            required:
                                              - value
                                          description: Package variable (see integration documentation for more information)
                                          type: object
                                        data_stream:
                                          additionalProperties: false
                                          type: object
                                          properties:
                                            dataset:
                                              type: string
                                            elasticsearch:
                                              additionalProperties: false
                                              type: object
                                              properties:
                                                dynamic_dataset:
                                                  type: boolean
                                                dynamic_namespace:
                                                  type: boolean
                                                privileges:
                                                  additionalProperties: false
                                                  type: object
                                                  properties:
                                                    indices:
                                                      items:
                                                        type: string
                                                      maxItems: 100
                                                      type: array
                                            type:
                                              type: string
                                          required:
                                            - dataset
                                        deprecated:
                                          additionalProperties: false
                                          type: object
                                          properties:
                                            description:
                                              type: string
                                            replaced_by:
                                              additionalProperties:
                                                type: string
                                              type: object
                                            since:
                                              type: string
                                          required:
                                            - description
                                        enabled:
                                          type: boolean
                                        id:
                                          type: string
                                        keep_enabled:
                                          type: boolean
                                        migrate_from:
                                          type: string
                                        release:
                                          enum:
                                            - ga
                                            - beta
                                            - experimental
                                          type: string
                                        var_group_selections:
                                          additionalProperties:
                                            type: string
                                          description: Variable group selections. Maps var_group name to the selected option name within that group.
                                          type: object
                                        vars:
                                          additionalProperties:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              frozen:
                                                type: boolean
                                              type:
                                                type: string
                                              value:
                                                nullable: true
                                            required:
                                              - value
                                          description: Package variable (see integration documentation for more information)
                                          type: object
                                      required:
                                        - enabled
                                        - data_stream
                                        - compiled_stream
                                    maxItems: 1000
                                    type: array
                                  type:
                                    type: string
                                  var_group_selections:
                                    additionalProperties:
                                      type: string
                                    description: Variable group selections. Maps var_group name to the selected option name within that group.
                                    type: object
                                  vars:
                                    additionalProperties:
                                      additionalProperties: false
                                      type: object
                                      properties:
                                        frozen:
                                          type: boolean
                                        type:
                                          type: string
                                        value:
                                          nullable: true
                                      required:
                                        - value
                                    description: Package variable (see integration documentation for more information)
                                    type: object
                                required:
                                  - type
                                  - enabled
                                  - streams
                                  - compiled_input
                              maxItems: 100
                              type: array
                            - additionalProperties:
                                additionalProperties: false
                                type: object
                                properties:
                                  deprecated:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      description:
                                        type: string
                                      replaced_by:
                                        additionalProperties:
                                          type: string
                                        type: object
                                      since:
                                        type: string
                                    required:
                                      - description
                                  enabled:
                                    description: Enable or disable this input. Defaults to `true` (enabled).
                                    type: boolean
                                  streams:
                                    additionalProperties:
                                      additionalProperties: false
                                      type: object
                                      properties:
                                        deprecated:
                                          additionalProperties: false
                                          type: object
                                          properties:
                                            description:
                                              type: string
                                            replaced_by:
                                              additionalProperties:
                                                type: string
                                              type: object
                                            since:
                                              type: string
                                          required:
                                            - description
                                        enabled:
                                          description: Enable or disable this stream. Defaults to `true` (enabled).
                                          type: boolean
                                        var_group_selections:
                                          additionalProperties:
                                            type: string
                                          description: Variable group selections. Maps var_group name to the selected option name within that group.
                                          type: object
                                        vars:
                                          additionalProperties:
                                            anyOf:
                                              - type: string
                                              - type: number
                                              - type: boolean
                                              - items:
                                                  type: string
                                                maxItems: 100
                                                type: array
                                              - items:
                                                  type: number
                                                maxItems: 100
                                                type: array
                                              - additionalProperties: false
                                                type: object
                                                properties:
                                                  id:
                                                    type: string
                                                  isSecretRef:
                                                    type: boolean
                                                required:
                                                  - id
                                                  - isSecretRef
                                            nullable: true
                                          description: Input/stream level variable. Refer to the integration documentation for more information.
                                          type: object
                                    description: Input streams. Refer to the integration documentation to know which streams are available.
                                    type: object
                                  vars:
                                    additionalProperties:
                                      anyOf:
                                        - type: string
                                        - type: number
                                        - type: boolean
                                        - items:
                                            type: string
                                          maxItems: 100
                                          type: array
                                        - items:
                                            type: number
                                          maxItems: 100
                                          type: array
                                        - additionalProperties: false
                                          type: object
                                          properties:
                                            id:
                                              type: string
                                            isSecretRef:
                                              type: boolean
                                          required:
                                            - id
                                            - isSecretRef
                                      nullable: true
                                    description: Input/stream level variable. Refer to the integration documentation for more information.
                                    type: object
                              description: Package policy inputs. Refer to the integration documentation to know which inputs are available.
                              type: object
                              x-oas-optional: true
                          description: Package policy inputs.
                        is_managed:
                          type: boolean
                        name:
                          description: Unique name for the package policy.
                          type: string
                        namespace:
                          description: The package policy namespace. Leave blank to inherit the agent policy's namespace.
                          type: string
                        output_id:
                          nullable: true
                          type: string
                        overrides:
                          additionalProperties: false
                          description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
                          nullable: true
                          type: object
                          properties:
                            inputs:
                              additionalProperties:
                                nullable: true
                              type: object
                        package:
                          additionalProperties: false
                          type: object
                          properties:
                            experimental_data_stream_features:
                              items:
                                additionalProperties: false
                                type: object
                                properties:
                                  data_stream:
                                    type: string
                                  features:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      doc_value_only_numeric:
                                        type: boolean
                                      doc_value_only_other:
                                        type: boolean
                                      synthetic_source:
                                        type: boolean
                                      tsdb:
                                        type: boolean
                                required:
                                  - data_stream
                                  - features
                              maxItems: 100
                              type: array
                            fips_compatible:
                              type: boolean
                            name:
                              description: Package name
                              type: string
                            requires_root:
                              type: boolean
                            title:
                              type: string
                            version:
                              description: Package version
                              type: string
                          required:
                            - name
                            - version
                        package_agent_version_condition:
                          type: string
                        policy_id:
                          deprecated: true
                          description: ID of the agent policy which the package policy will be added to.
                          nullable: true
                          type: string
                        policy_ids:
                          items:
                            description: IDs of the agent policies that the package policy will be added to.
                            type: string
                          maxItems: 1000
                          type: array
                        revision:
                          description: Package policy revision.
                          type: number
                        secret_references:
                          items:
                            additionalProperties: false
                            type: object
                            properties:
                              id:
                                type: string
                            required:
                              - id
                          maxItems: 1000
                          type: array
                        spaceIds:
                          items:
                            type: string
                          maxItems: 100
                          type: array
                        supports_agentless:
                          default: false
                          description: Indicates whether the package policy belongs to an agentless agent policy.
                          nullable: true
                          type: boolean
                        supports_cloud_connector:
                          default: false
                          description: Indicates whether the package policy supports cloud connectors.
                          nullable: true
                          type: boolean
                        updated_at:
                          type: string
                        updated_by:
                          type: string
                        var_group_selections:
                          additionalProperties:
                            type: string
                          description: Variable group selections. Maps var_group name to the selected option name within that group.
                          type: object
                        vars:
                          anyOf:
                            - additionalProperties:
                                additionalProperties: false
                                type: object
                                properties:
                                  frozen:
                                    type: boolean
                                  type:
                                    type: string
                                  value:
                                    nullable: true
                                required:
                                  - value
                              description: Package variable (see integration documentation for more information)
                              type: object
                            - additionalProperties:
                                anyOf:
                                  - type: string
                                  - type: number
                                  - type: boolean
                                  - items:
                                      type: string
                                    maxItems: 100
                                    type: array
                                  - items:
                                      type: number
                                    maxItems: 100
                                    type: array
                                  - additionalProperties: false
                                    type: object
                                    properties:
                                      id:
                                        type: string
                                      isSecretRef:
                                        type: boolean
                                    required:
                                      - id
                                      - isSecretRef
                                nullable: true
                              description: Input/stream level variable. Refer to the integration documentation for more information.
                              type: object
                              x-oas-optional: true
                          description: Package level variable.
                        version:
                          description: Package policy ES version.
                          type: string
                      required:
                        - name
                        - enabled
                        - inputs
                        - id
                        - revision
                        - updated_at
                        - updated_by
                        - created_at
                        - created_by
                    maxItems: 10000
                    type: array
                  page:
                    type: number
                  perPage:
                    type: number
                  total:
                    type: number
                required:
                  - items
                  - total
                  - page
                  - perPage
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Get package policies
      tags:
        - Fleet package policies
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/package_policies</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Create a new package policy and assign it to an agent policy.
      operationId: post-fleet-package-policies
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: 'Format for the response: simplified or legacy'
          in: query
          name: format
          required: false
          schema:
            enum:
              - simplified
              - legacy
            type: string
      requestBody:
        content:
          application/json:
            examples:
              postPackagePolicyRequestExample:
                description: Create a new nginx package policy
                value:
                  inputs: {}
                  name: nginx-1
                  namespace: default
                  package:
                    name: nginx
                    version: 1.20.0
                  policy_ids:
                    - agent-policy-id-1
            schema:
              anyOf:
                - additionalProperties: false
                  type: object
                  properties:
                    additional_datastreams_permissions:
                      description: Additional datastream permissions that will be added to the agent policy.
                      items:
                        type: string
                      maxItems: 1000
                      nullable: true
                      type: array
                    cloud_connector_id:
                      description: ID of the cloud connector associated with this package policy.
                      nullable: true
                      type: string
                    cloud_connector_name:
                      description: Transient field for cloud connector name during creation.
                      maxLength: 255
                      minLength: 1
                      nullable: true
                      type: string
                    description:
                      description: Package policy description
                      type: string
                    enabled:
                      type: boolean
                    force:
                      description: Force package policy creation even if the package is not verified, or if the agent policy is managed.
                      type: boolean
                    global_data_tags:
                      items:
                        additionalProperties: false
                        type: object
                        properties:
                          name:
                            description: The name of the custom field. Cannot contain spaces.
                            type: string
                          value:
                            anyOf:
                              - type: string
                              - type: number
                            description: The value of the custom field.
                        required:
                          - name
                          - value
                      maxItems: 100
                      nullable: true
                      type: array
                    id:
                      description: Package policy unique identifier
                      type: string
                    inputs:
                      items:
                        additionalProperties: false
                        type: object
                        properties:
                          config:
                            additionalProperties:
                              additionalProperties: false
                              type: object
                              properties:
                                frozen:
                                  type: boolean
                                type:
                                  type: string
                                value:
                                  nullable: true
                              required:
                                - value
                            description: Package variable (see integration documentation for more information)
                            type: object
                          deprecated:
                            additionalProperties: false
                            type: object
                            properties:
                              description:
                                type: string
                              replaced_by:
                                additionalProperties:
                                  type: string
                                type: object
                              since:
                                type: string
                            required:
                              - description
                          enabled:
                            type: boolean
                          id:
                            type: string
                          keep_enabled:
                            type: boolean
                          migrate_from:
                            type: string
                          name:
                            type: string
                          policy_template:
                            type: string
                          streams:
                            items:
                              additionalProperties: false
                              type: object
                              properties:
                                compiled_stream:
                                  nullable: true
                                config:
                                  additionalProperties:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      frozen:
                                        type: boolean
                                      type:
                                        type: string
                                      value:
                                        nullable: true
                                    required:
                                      - value
                                  description: Package variable (see integration documentation for more information)
                                  type: object
                                data_stream:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    dataset:
                                      type: string
                                    elasticsearch:
                                      additionalProperties: false
                                      type: object
                                      properties:
                                        dynamic_dataset:
                                          type: boolean
                                        dynamic_namespace:
                                          type: boolean
                                        privileges:
                                          additionalProperties: false
                                          type: object
                                          properties:
                                            indices:
                                              items:
                                                type: string
                                              maxItems: 100
                                              type: array
                                    type:
                                      type: string
                                  required:
                                    - dataset
                                deprecated:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    description:
                                      type: string
                                    replaced_by:
                                      additionalProperties:
                                        type: string
                                      type: object
                                    since:
                                      type: string
                                  required:
                                    - description
                                enabled:
                                  type: boolean
                                id:
                                  type: string
                                keep_enabled:
                                  type: boolean
                                migrate_from:
                                  type: string
                                release:
                                  enum:
                                    - ga
                                    - beta
                                    - experimental
                                  type: string
                                var_group_selections:
                                  additionalProperties:
                                    type: string
                                  description: Variable group selections. Maps var_group name to the selected option name within that group.
                                  type: object
                                vars:
                                  additionalProperties:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      frozen:
                                        type: boolean
                                      type:
                                        type: string
                                      value:
                                        nullable: true
                                    required:
                                      - value
                                  description: Package variable (see integration documentation for more information)
                                  type: object
                              required:
                                - enabled
                                - data_stream
                                - compiled_stream
                            maxItems: 1000
                            type: array
                          type:
                            type: string
                          var_group_selections:
                            additionalProperties:
                              type: string
                            description: Variable group selections. Maps var_group name to the selected option name within that group.
                            type: object
                          vars:
                            additionalProperties:
                              additionalProperties: false
                              type: object
                              properties:
                                frozen:
                                  type: boolean
                                type:
                                  type: string
                                value:
                                  nullable: true
                              required:
                                - value
                            description: Package variable (see integration documentation for more information)
                            type: object
                        required:
                          - type
                          - enabled
                      maxItems: 1000
                      type: array
                    is_managed:
                      type: boolean
                    name:
                      description: Unique name for the package policy.
                      type: string
                    namespace:
                      description: The package policy namespace. Leave blank to inherit the agent policy's namespace.
                      type: string
                    output_id:
                      nullable: true
                      type: string
                    overrides:
                      additionalProperties: false
                      description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
                      nullable: true
                      type: object
                      properties:
                        inputs:
                          additionalProperties:
                            nullable: true
                          type: object
                    package:
                      additionalProperties: false
                      type: object
                      properties:
                        experimental_data_stream_features:
                          items:
                            additionalProperties: false
                            type: object
                            properties:
                              data_stream:
                                type: string
                              features:
                                additionalProperties: false
                                type: object
                                properties:
                                  doc_value_only_numeric:
                                    type: boolean
                                  doc_value_only_other:
                                    type: boolean
                                  synthetic_source:
                                    type: boolean
                                  tsdb:
                                    type: boolean
                            required:
                              - data_stream
                              - features
                          maxItems: 100
                          type: array
                        fips_compatible:
                          type: boolean
                        name:
                          description: Package name
                          type: string
                        requires_root:
                          type: boolean
                        title:
                          type: string
                        version:
                          description: Package version
                          type: string
                      required:
                        - name
                        - version
                    package_agent_version_condition:
                      type: string
                    policy_id:
                      deprecated: true
                      description: ID of the agent policy which the package policy will be added to.
                      nullable: true
                      type: string
                    policy_ids:
                      items:
                        description: IDs of the agent policies that the package policy will be added to.
                        type: string
                      maxItems: 1000
                      type: array
                    spaceIds:
                      items:
                        type: string
                      maxItems: 100
                      type: array
                    supports_agentless:
                      default: false
                      deprecated: true
                      description: Indicates whether the package policy belongs to an agentless agent policy. Deprecated in favor of the Fleet agentless policies API.
                      nullable: true
                      type: boolean
                    supports_cloud_connector:
                      default: false
                      description: Indicates whether the package policy supports cloud connectors.
                      nullable: true
                      type: boolean
                    var_group_selections:
                      additionalProperties:
                        type: string
                      description: Variable group selections. Maps var_group name to the selected option name within that group.
                      type: object
                    vars:
                      additionalProperties:
                        additionalProperties: false
                        type: object
                        properties:
                          frozen:
                            type: boolean
                          type:
                            type: string
                          value:
                            nullable: true
                        required:
                          - value
                      description: Package variable (see integration documentation for more information)
                      type: object
                  required:
                    - name
                    - inputs
                - additionalProperties: false
                  type: object
                  properties:
                    additional_datastreams_permissions:
                      description: Additional datastream permissions that will be added to the agent policy.
                      items:
                        type: string
                      maxItems: 100
                      nullable: true
                      type: array
                    description:
                      description: Policy description.
                      type: string
                    force:
                      description: Force package policy creation even if the package is not verified, or if the agent policy is managed.
                      type: boolean
                    id:
                      description: Policy unique identifier.
                      type: string
                    inputs:
                      additionalProperties:
                        additionalProperties: false
                        type: object
                        properties:
                          deprecated:
                            additionalProperties: false
                            type: object
                            properties:
                              description:
                                type: string
                              replaced_by:
                                additionalProperties:
                                  type: string
                                type: object
                              since:
                                type: string
                            required:
                              - description
                          enabled:
                            description: Enable or disable that input. Defaults to `true` (enabled).
                            type: boolean
                          streams:
                            additionalProperties:
                              additionalProperties: false
                              type: object
                              properties:
                                deprecated:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    description:
                                      type: string
                                    replaced_by:
                                      additionalProperties:
                                        type: string
                                      type: object
                                    since:
                                      type: string
                                  required:
                                    - description
                                enabled:
                                  description: Enable or disable the stream. Defaults to `true` (enabled).
                                  type: boolean
                                var_group_selections:
                                  additionalProperties:
                                    type: string
                                  description: Variable group selections. Maps var_group name to the selected option name within that group.
                                  type: object
                                vars:
                                  additionalProperties:
                                    anyOf:
                                      - type: string
                                      - type: number
                                      - type: boolean
                                      - items:
                                          type: string
                                        maxItems: 100
                                        type: array
                                      - items:
                                          type: number
                                        maxItems: 100
                                        type: array
                                      - additionalProperties: false
                                        type: object
                                        properties:
                                          id:
                                            type: string
                                          isSecretRef:
                                            type: boolean
                                        required:
                                          - id
                                          - isSecretRef
                                    nullable: true
                                  description: Input/stream level variable. Refer to the integration documentation for more information.
                                  type: object
                            description: Input streams. Refer to the integration documentation to see which streams are available.
                            type: object
                          vars:
                            additionalProperties:
                              anyOf:
                                - type: string
                                - type: number
                                - type: boolean
                                - items:
                                    type: string
                                  maxItems: 100
                                  type: array
                                - items:
                                    type: number
                                  maxItems: 100
                                  type: array
                                - additionalProperties: false
                                  type: object
                                  properties:
                                    id:
                                      type: string
                                    isSecretRef:
                                      type: boolean
                                  required:
                                    - id
                                    - isSecretRef
                              nullable: true
                            description: Input/stream level variable. Refer to the integration documentation for more information.
                            type: object
                      description: Package policy inputs. Refer to the integration documentation to see which inputs are available.
                      type: object
                    name:
                      description: Unique name for the policy.
                      type: string
                    namespace:
                      description: Policy namespace. When not specified, it inherits the agent policy namespace.
                      type: string
                    output_id:
                      nullable: true
                      type: string
                    package:
                      additionalProperties: false
                      type: object
                      properties:
                        experimental_data_stream_features:
                          items:
                            additionalProperties: false
                            type: object
                            properties:
                              data_stream:
                                type: string
                              features:
                                additionalProperties: false
                                type: object
                                properties:
                                  doc_value_only_numeric:
                                    type: boolean
                                  doc_value_only_other:
                                    type: boolean
                                  synthetic_source:
                                    type: boolean
                                  tsdb:
                                    type: boolean
                            required:
                              - data_stream
                              - features
                          maxItems: 100
                          type: array
                        fips_compatible:
                          type: boolean
                        name:
                          description: Package name
                          type: string
                        requires_root:
                          type: boolean
                        title:
                          type: string
                        version:
                          description: Package version
                          type: string
                      required:
                        - name
                        - version
                    policy_id:
                      deprecated: true
                      description: Deprecated. Use policy_ids instead.
                      nullable: true
                      type: string
                    policy_ids:
                      description: IDs of the agent policies that the package policy will be added to.
                      items:
                        type: string
                      maxItems: 1000
                      type: array
                    supports_agentless:
                      default: false
                      deprecated: true
                      description: Indicates whether the package policy belongs to an agentless agent policy. Deprecated in favor of the Fleet agentless policies API.
                      nullable: true
                      type: boolean
                    var_group_selections:
                      additionalProperties:
                        type: string
                      description: Variable group selections. Maps var_group name to the selected option name within that group.
                      type: object
                    vars:
                      additionalProperties:
                        anyOf:
                          - type: string
                          - type: number
                          - type: boolean
                          - items:
                              type: string
                            maxItems: 100
                            type: array
                          - items:
                              type: number
                            maxItems: 100
                            type: array
                          - additionalProperties: false
                            type: object
                            properties:
                              id:
                                type: string
                              isSecretRef:
                                type: boolean
                            required:
                              - id
                              - isSecretRef
                        nullable: true
                      description: Input/stream level variable. Refer to the integration documentation for more information.
                      type: object
                  required:
                    - name
                    - package
              description: Use inputs as an object rather than the deprecated inputs array.
      responses:
        '200':
          content:
            application/json:
              examples:
                postPackagePolicyExample:
                  description: The created package policy
                  value:
                    item:
                      created_at: '2024-01-15T10:00:00.000Z'
                      enabled: true
                      id: package-policy-id-2
                      inputs: []
                      name: nginx-1
                      namespace: default
                      package:
                        name: nginx
                        title: Nginx
                        version: 1.20.0
                      policy_ids:
                        - agent-policy-id-1
                      updated_at: '2024-01-15T10:00:00.000Z'
              schema:
                additionalProperties: false
                type: object
                properties:
                  item:
                    additionalProperties: false
                    type: object
                    properties:
                      additional_datastreams_permissions:
                        description: Additional data stream permissions that will be added to the agent policy.
                        items:
                          type: string
                        maxItems: 1000
                        nullable: true
                        type: array
                      agents:
                        type: number
                      cloud_connector_id:
                        description: ID of the cloud connector associated with this package policy.
                        nullable: true
                        type: string
                      cloud_connector_name:
                        description: Transient field for cloud connector name during creation.
                        maxLength: 255
                        minLength: 1
                        nullable: true
                        type: string
                      created_at:
                        type: string
                      created_by:
                        type: string
                      description:
                        description: Package policy description
                        type: string
                      elasticsearch:
                        additionalProperties: true
                        type: object
                        properties:
                          privileges:
                            additionalProperties: true
                            type: object
                            properties:
                              cluster:
                                items:
                                  type: string
                                maxItems: 100
                                type: array
                      enabled:
                        type: boolean
                      global_data_tags:
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            name:
                              description: The name of the custom field. Cannot contain spaces.
                              type: string
                            value:
                              anyOf:
                                - type: string
                                - type: number
                              description: The value of the custom field.
                          required:
                            - name
                            - value
                        maxItems: 100
                        nullable: true
                        type: array
                      id:
                        description: Package policy unique identifier.
                        type: string
                      inputs:
                        anyOf:
                          - items:
                              additionalProperties: false
                              type: object
                              properties:
                                compiled_input:
                                  nullable: true
                                config:
                                  additionalProperties:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      frozen:
                                        type: boolean
                                      type:
                                        type: string
                                      value:
                                        nullable: true
                                    required:
                                      - value
                                  description: Package variable (see integration documentation for more information)
                                  type: object
                                deprecated:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    description:
                                      type: string
                                    replaced_by:
                                      additionalProperties:
                                        type: string
                                      type: object
                                    since:
                                      type: string
                                  required:
                                    - description
                                enabled:
                                  type: boolean
                                id:
                                  type: string
                                keep_enabled:
                                  type: boolean
                                migrate_from:
                                  type: string
                                name:
                                  type: string
                                policy_template:
                                  type: string
                                streams:
                                  items:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      compiled_stream:
                                        nullable: true
                                      config:
                                        additionalProperties:
                                          additionalProperties: false
                                          type: object
                                          properties:
                                            frozen:
                                              type: boolean
                                            type:
                                              type: string
                                            value:
                                              nullable: true
                                          required:
                                            - value
                                        description: Package variable (see integration documentation for more information)
                                        type: object
                                      data_stream:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          dataset:
                                            type: string
                                          elasticsearch:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              dynamic_dataset:
                                                type: boolean
                                              dynamic_namespace:
                                                type: boolean
                                              privileges:
                                                additionalProperties: false
                                                type: object
                                                properties:
                                                  indices:
                                                    items:
                                                      type: string
                                                    maxItems: 100
                                                    type: array
                                          type:
                                            type: string
                                        required:
                                          - dataset
                                      deprecated:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          description:
                                            type: string
                                          replaced_by:
                                            additionalProperties:
                                              type: string
                                            type: object
                                          since:
                                            type: string
                                        required:
                                          - description
                                      enabled:
                                        type: boolean
                                      id:
                                        type: string
                                      keep_enabled:
                                        type: boolean
                                      migrate_from:
                                        type: string
                                      release:
                                        enum:
                                          - ga
                                          - beta
                                          - experimental
                                        type: string
                                      var_group_selections:
                                        additionalProperties:
                                          type: string
                                        description: Variable group selections. Maps var_group name to the selected option name within that group.
                                        type: object
                                      vars:
                                        additionalProperties:
                                          additionalProperties: false
                                          type: object
                                          properties:
                                            frozen:
                                              type: boolean
                                            type:
                                              type: string
                                            value:
                                              nullable: true
                                          required:
                                            - value
                                        description: Package variable (see integration documentation for more information)
                                        type: object
                                    required:
                                      - enabled
                                      - data_stream
                                      - compiled_stream
                                  maxItems: 1000
                                  type: array
                                type:
                                  type: string
                                var_group_selections:
                                  additionalProperties:
                                    type: string
                                  description: Variable group selections. Maps var_group name to the selected option name within that group.
                                  type: object
                                vars:
                                  additionalProperties:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      frozen:
                                        type: boolean
                                      type:
                                        type: string
                                      value:
                                        nullable: true
                                    required:
                                      - value
                                  description: Package variable (see integration documentation for more information)
                                  type: object
                              required:
                                - type
                                - enabled
                                - streams
                                - compiled_input
                            maxItems: 100
                            type: array
                          - additionalProperties:
                              additionalProperties: false
                              type: object
                              properties:
                                deprecated:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    description:
                                      type: string
                                    replaced_by:
                                      additionalProperties:
                                        type: string
                                      type: object
                                    since:
                                      type: string
                                  required:
                                    - description
                                enabled:
                                  description: Enable or disable the input. Defaults to `true` (enabled).
                                  type: boolean
                                streams:
                                  additionalProperties:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      deprecated:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          description:
                                            type: string
                                          replaced_by:
                                            additionalProperties:
                                              type: string
                                            type: object
                                          since:
                                            type: string
                                        required:
                                          - description
                                      enabled:
                                        description: Enable or disable the stream. Defaults to `true` (enabled).
                                        type: boolean
                                      var_group_selections:
                                        additionalProperties:
                                          type: string
                                        description: Variable group selections. Maps var_group name to the selected option name within that group.
                                        type: object
                                      vars:
                                        additionalProperties:
                                          anyOf:
                                            - type: string
                                            - type: number
                                            - type: boolean
                                            - items:
                                                type: string
                                              maxItems: 100
                                              type: array
                                            - items:
                                                type: number
                                              maxItems: 100
                                              type: array
                                            - additionalProperties: false
                                              type: object
                                              properties:
                                                id:
                                                  type: string
                                                isSecretRef:
                                                  type: boolean
                                              required:
                                                - id
                                                - isSecretRef
                                          nullable: true
                                        description: Input/stream level variable. Refer to the integration documentation for more information.
                                        type: object
                                  description: Input streams. Refer to the integration documentation to see which streams are available.
                                  type: object
                                vars:
                                  additionalProperties:
                                    anyOf:
                                      - type: string
                                      - type: number
                                      - type: boolean
                                      - items:
                                          type: string
                                        maxItems: 100
                                        type: array
                                      - items:
                                          type: number
                                        maxItems: 100
                                        type: array
                                      - additionalProperties: false
                                        type: object
                                        properties:
                                          id:
                                            type: string
                                          isSecretRef:
                                            type: boolean
                                        required:
                                          - id
                                          - isSecretRef
                                    nullable: true
                                  description: Input/stream level variable. Refer to the integration documentation for more information.
                                  type: object
                            description: Package policy inputs. Refer to the integration documentation to see which inputs are available.
                            type: object
                            x-oas-optional: true
                        description: Package policy inputs.
                      is_managed:
                        type: boolean
                      name:
                        description: Unique name for the package policy.
                        type: string
                      namespace:
                        description: The package policy namespace. Leave blank to inherit the agent policy's namespace.
                        type: string
                      output_id:
                        nullable: true
                        type: string
                      overrides:
                        additionalProperties: false
                        description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
                        nullable: true
                        type: object
                        properties:
                          inputs:
                            additionalProperties:
                              nullable: true
                            type: object
                      package:
                        additionalProperties: false
                        type: object
                        properties:
                          experimental_data_stream_features:
                            items:
                              additionalProperties: false
                              type: object
                              properties:
                                data_stream:
                                  type: string
                                features:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    doc_value_only_numeric:
                                      type: boolean
                                    doc_value_only_other:
                                      type: boolean
                                    synthetic_source:
                                      type: boolean
                                    tsdb:
                                      type: boolean
                              required:
                                - data_stream
                                - features
                            maxItems: 100
                            type: array
                          fips_compatible:
                            type: boolean
                          name:
                            description: Package name
                            type: string
                          requires_root:
                            type: boolean
                          title:
                            type: string
                          version:
                            description: Package version
                            type: string
                        required:
                          - name
                          - version
                      package_agent_version_condition:
                        type: string
                      policy_id:
                        deprecated: true
                        description: ID of the agent policy which the package policy will be added to.
                        nullable: true
                        type: string
                      policy_ids:
                        items:
                          description: IDs of the agent policies that the package policy will be added to.
                          type: string
                        maxItems: 1000
                        type: array
                      revision:
                        description: Package policy revision.
                        type: number
                      secret_references:
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            id:
                              type: string
                          required:
                            - id
                        maxItems: 1000
                        type: array
                      spaceIds:
                        items:
                          type: string
                        maxItems: 100
                        type: array
                      supports_agentless:
                        default: false
                        description: Indicates whether the package policy belongs to an agentless agent policy.
                        nullable: true
                        type: boolean
                      supports_cloud_connector:
                        default: false
                        description: Indicates whether the package policy supports cloud connectors.
                        nullable: true
                        type: boolean
                      updated_at:
                        type: string
                      updated_by:
                        type: string
                      var_group_selections:
                        additionalProperties:
                          type: string
                        description: Variable group selections. Maps var_group name to the selected option name within that group.
                        type: object
                      vars:
                        anyOf:
                          - additionalProperties:
                              additionalProperties: false
                              type: object
                              properties:
                                frozen:
                                  type: boolean
                                type:
                                  type: string
                                value:
                                  nullable: true
                              required:
                                - value
                            description: Package variable (see integration documentation for more information)
                            type: object
                          - additionalProperties:
                              anyOf:
                                - type: string
                                - type: number
                                - type: boolean
                                - items:
                                    type: string
                                  maxItems: 100
                                  type: array
                                - items:
                                    type: number
                                  maxItems: 100
                                  type: array
                                - additionalProperties: false
                                  type: object
                                  properties:
                                    id:
                                      type: string
                                    isSecretRef:
                                      type: boolean
                                  required:
                                    - id
                                    - isSecretRef
                              nullable: true
                            description: Input/stream level variable. Refer to the integration documentation for more information.
                            type: object
                            x-oas-optional: true
                        description: Package level variable.
                      version:
                        description: Package policy ES version.
                        type: string
                    required:
                      - name
                      - enabled
                      - inputs
                      - id
                      - revision
                      - updated_at
                      - updated_by
                      - created_at
                      - created_by
                required:
                  - item
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
        '409':
          content:
            application/json:
              examples:
                conflictExample:
                  description: A package policy with the same name already exists
                  value:
                    error: Conflict
                    message: An error message describing what went wrong
                    statusCode: 409
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Conflict
      summary: Create a package policy
      tags:
        - Fleet package policies
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/package_policies/_bulk_get:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/package_policies/_bulk_get</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get multiple package policies by ID.
      operationId: post-fleet-package-policies-bulk-get
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: 'Format for the response: simplified or legacy'
          in: query
          name: format
          required: false
          schema:
            enum:
              - simplified
              - legacy
            type: string
      requestBody:
        content:
          application/json:
            examples:
              postBulkGetPackagePoliciesRequestExample:
                description: Retrieve multiple package policies by ID
                value:
                  ids:
                    - package-policy-id-1
                    - package-policy-id-2
            schema:
              additionalProperties: false
              type: object
              properties:
                ids:
                  description: List of package policy IDs.
                  items:
                    type: string
                  maxItems: 1000
                  type: array
                ignoreMissing:
                  type: boolean
              required:
                - ids
      responses:
        '200':
          content:
            application/json:
              examples:
                postBulkGetPackagePoliciesExample:
                  description: The requested package policies
                  value:
                    items:
                      - created_at: '2024-01-15T10:00:00.000Z'
                        enabled: true
                        id: package-policy-id-1
                        inputs: []
                        name: nginx-1
                        namespace: default
                        package:
                          name: nginx
                          title: Nginx
                          version: 1.20.0
                        policy_ids:
                          - agent-policy-id-1
                        updated_at: '2024-01-15T10:00:00.000Z'
              schema:
                additionalProperties: false
                type: object
                properties:
                  items:
                    items:
                      additionalProperties: false
                      type: object
                      properties:
                        additional_datastreams_permissions:
                          description: Additional data stream permissions that will be added to the agent policy.
                          items:
                            type: string
                          maxItems: 1000
                          nullable: true
                          type: array
                        agents:
                          type: number
                        cloud_connector_id:
                          description: ID of the cloud connector associated with this package policy.
                          nullable: true
                          type: string
                        cloud_connector_name:
                          description: Transient field for cloud connector name during creation.
                          maxLength: 255
                          minLength: 1
                          nullable: true
                          type: string
                        created_at:
                          type: string
                        created_by:
                          type: string
                        description:
                          description: Package policy description
                          type: string
                        elasticsearch:
                          additionalProperties: true
                          type: object
                          properties:
                            privileges:
                              additionalProperties: true
                              type: object
                              properties:
                                cluster:
                                  items:
                                    type: string
                                  maxItems: 100
                                  type: array
                        enabled:
                          type: boolean
                        global_data_tags:
                          items:
                            additionalProperties: false
                            type: object
                            properties:
                              name:
                                description: The name of the custom field. Cannot contain spaces.
                                type: string
                              value:
                                anyOf:
                                  - type: string
                                  - type: number
                                description: The value of the custom field.
                            required:
                              - name
                              - value
                          maxItems: 100
                          nullable: true
                          type: array
                        id:
                          description: Package policy unique identifier.
                          type: string
                        inputs:
                          anyOf:
                            - items:
                                additionalProperties: false
                                type: object
                                properties:
                                  compiled_input:
                                    nullable: true
                                  config:
                                    additionalProperties:
                                      additionalProperties: false
                                      type: object
                                      properties:
                                        frozen:
                                          type: boolean
                                        type:
                                          type: string
                                        value:
                                          nullable: true
                                      required:
                                        - value
                                    description: Package variable (see integration documentation for more information)
                                    type: object
                                  deprecated:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      description:
                                        type: string
                                      replaced_by:
                                        additionalProperties:
                                          type: string
                                        type: object
                                      since:
                                        type: string
                                    required:
                                      - description
                                  enabled:
                                    type: boolean
                                  id:
                                    type: string
                                  keep_enabled:
                                    type: boolean
                                  migrate_from:
                                    type: string
                                  name:
                                    type: string
                                  policy_template:
                                    type: string
                                  streams:
                                    items:
                                      additionalProperties: false
                                      type: object
                                      properties:
                                        compiled_stream:
                                          nullable: true
                                        config:
                                          additionalProperties:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              frozen:
                                                type: boolean
                                              type:
                                                type: string
                                              value:
                                                nullable: true
                                            required:
                                              - value
                                          description: Package variable (see integration documentation for more information)
                                          type: object
                                        data_stream:
                                          additionalProperties: false
                                          type: object
                                          properties:
                                            dataset:
                                              type: string
                                            elasticsearch:
                                              additionalProperties: false
                                              type: object
                                              properties:
                                                dynamic_dataset:
                                                  type: boolean
                                                dynamic_namespace:
                                                  type: boolean
                                                privileges:
                                                  additionalProperties: false
                                                  type: object
                                                  properties:
                                                    indices:
                                                      items:
                                                        type: string
                                                      maxItems: 100
                                                      type: array
                                            type:
                                              type: string
                                          required:
                                            - dataset
                                        deprecated:
                                          additionalProperties: false
                                          type: object
                                          properties:
                                            description:
                                              type: string
                                            replaced_by:
                                              additionalProperties:
                                                type: string
                                              type: object
                                            since:
                                              type: string
                                          required:
                                            - description
                                        enabled:
                                          type: boolean
                                        id:
                                          type: string
                                        keep_enabled:
                                          type: boolean
                                        migrate_from:
                                          type: string
                                        release:
                                          enum:
                                            - ga
                                            - beta
                                            - experimental
                                          type: string
                                        var_group_selections:
                                          additionalProperties:
                                            type: string
                                          description: Variable group selections. Maps var_group name to the selected option name within that group.
                                          type: object
                                        vars:
                                          additionalProperties:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              frozen:
                                                type: boolean
                                              type:
                                                type: string
                                              value:
                                                nullable: true
                                            required:
                                              - value
                                          description: Package variable (see integration documentation for more information)
                                          type: object
                                      required:
                                        - enabled
                                        - data_stream
                                        - compiled_stream
                                    maxItems: 1000
                                    type: array
                                  type:
                                    type: string
                                  var_group_selections:
                                    additionalProperties:
                                      type: string
                                    description: Variable group selections. Maps var_group name to the selected option name within that group.
                                    type: object
                                  vars:
                                    additionalProperties:
                                      additionalProperties: false
                                      type: object
                                      properties:
                                        frozen:
                                          type: boolean
                                        type:
                                          type: string
                                        value:
                                          nullable: true
                                      required:
                                        - value
                                    description: Package variable (see integration documentation for more information)
                                    type: object
                                required:
                                  - type
                                  - enabled
                                  - streams
                                  - compiled_input
                              maxItems: 100
                              type: array
                            - additionalProperties:
                                additionalProperties: false
                                type: object
                                properties:
                                  deprecated:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      description:
                                        type: string
                                      replaced_by:
                                        additionalProperties:
                                          type: string
                                        type: object
                                      since:
                                        type: string
                                    required:
                                      - description
                                  enabled:
                                    description: Enable or disable the input. Defaults to `true` (enabled).
                                    type: boolean
                                  streams:
                                    additionalProperties:
                                      additionalProperties: false
                                      type: object
                                      properties:
                                        deprecated:
                                          additionalProperties: false
                                          type: object
                                          properties:
                                            description:
                                              type: string
                                            replaced_by:
                                              additionalProperties:
                                                type: string
                                              type: object
                                            since:
                                              type: string
                                          required:
                                            - description
                                        enabled:
                                          description: Enable or disable the stream. Defaults to `true` (enabled).
                                          type: boolean
                                        var_group_selections:
                                          additionalProperties:
                                            type: string
                                          description: Variable group selections. Maps var_group name to the selected option name within that group.
                                          type: object
                                        vars:
                                          additionalProperties:
                                            anyOf:
                                              - type: string
                                              - type: number
                                              - type: boolean
                                              - items:
                                                  type: string
                                                maxItems: 100
                                                type: array
                                              - items:
                                                  type: number
                                                maxItems: 100
                                                type: array
                                              - additionalProperties: false
                                                type: object
                                                properties:
                                                  id:
                                                    type: string
                                                  isSecretRef:
                                                    type: boolean
                                                required:
                                                  - id
                                                  - isSecretRef
                                            nullable: true
                                          description: Input/stream level variable. Refer to the integration documentation for more information.
                                          type: object
                                    description: Input streams. Refer to the integration documentation to know which streams are available.
                                    type: object
                                  vars:
                                    additionalProperties:
                                      anyOf:
                                        - type: string
                                        - type: number
                                        - type: boolean
                                        - items:
                                            type: string
                                          maxItems: 100
                                          type: array
                                        - items:
                                            type: number
                                          maxItems: 100
                                          type: array
                                        - additionalProperties: false
                                          type: object
                                          properties:
                                            id:
                                              type: string
                                            isSecretRef:
                                              type: boolean
                                          required:
                                            - id
                                            - isSecretRef
                                      nullable: true
                                    description: Input/stream level variable. Refer to the integration documentation for more information.
                                    type: object
                              description: Package policy inputs. Refer to the integration documentation to know which inputs are available.
                              type: object
                              x-oas-optional: true
                          description: Package policy inputs.
                        is_managed:
                          type: boolean
                        name:
                          description: Unique name for the package policy.
                          type: string
                        namespace:
                          description: The package policy namespace. Leave blank to inherit the agent policy's namespace.
                          type: string
                        output_id:
                          nullable: true
                          type: string
                        overrides:
                          additionalProperties: false
                          description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
                          nullable: true
                          type: object
                          properties:
                            inputs:
                              additionalProperties:
                                nullable: true
                              type: object
                        package:
                          additionalProperties: false
                          type: object
                          properties:
                            experimental_data_stream_features:
                              items:
                                additionalProperties: false
                                type: object
                                properties:
                                  data_stream:
                                    type: string
                                  features:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      doc_value_only_numeric:
                                        type: boolean
                                      doc_value_only_other:
                                        type: boolean
                                      synthetic_source:
                                        type: boolean
                                      tsdb:
                                        type: boolean
                                required:
                                  - data_stream
                                  - features
                              maxItems: 100
                              type: array
                            fips_compatible:
                              type: boolean
                            name:
                              description: Package name
                              type: string
                            requires_root:
                              type: boolean
                            title:
                              type: string
                            version:
                              description: Package version
                              type: string
                          required:
                            - name
                            - version
                        package_agent_version_condition:
                          type: string
                        policy_id:
                          deprecated: true
                          description: ID of the agent policy which the package policy will be added to.
                          nullable: true
                          type: string
                        policy_ids:
                          items:
                            description: IDs of the agent policies that the package policy will be added to.
                            type: string
                          maxItems: 1000
                          type: array
                        revision:
                          description: Package policy revision.
                          type: number
                        secret_references:
                          items:
                            additionalProperties: false
                            type: object
                            properties:
                              id:
                                type: string
                            required:
                              - id
                          maxItems: 1000
                          type: array
                        spaceIds:
                          items:
                            type: string
                          maxItems: 100
                          type: array
                        supports_agentless:
                          default: false
                          description: Indicates whether the package policy belongs to an agentless agent policy.
                          nullable: true
                          type: boolean
                        supports_cloud_connector:
                          default: false
                          description: Indicates whether the package policy supports cloud connectors.
                          nullable: true
                          type: boolean
                        updated_at:
                          type: string
                        updated_by:
                          type: string
                        var_group_selections:
                          additionalProperties:
                            type: string
                          description: Variable group selections. Maps var_group name to the selected option name within that group.
                          type: object
                        vars:
                          anyOf:
                            - additionalProperties:
                                additionalProperties: false
                                type: object
                                properties:
                                  frozen:
                                    type: boolean
                                  type:
                                    type: string
                                  value:
                                    nullable: true
                                required:
                                  - value
                              description: Package variable (see integration documentation for more information)
                              type: object
                            - additionalProperties:
                                anyOf:
                                  - type: string
                                  - type: number
                                  - type: boolean
                                  - items:
                                      type: string
                                    maxItems: 100
                                    type: array
                                  - items:
                                      type: number
                                    maxItems: 100
                                    type: array
                                  - additionalProperties: false
                                    type: object
                                    properties:
                                      id:
                                        type: string
                                      isSecretRef:
                                        type: boolean
                                    required:
                                      - id
                                      - isSecretRef
                                nullable: true
                              description: Input/stream level variable. Refer to the integration documentation for more information.
                              type: object
                              x-oas-optional: true
                          description: Package level variable.
                        version:
                          description: Package policy ES version.
                          type: string
                      required:
                        - name
                        - enabled
                        - inputs
                        - id
                        - revision
                        - updated_at
                        - updated_by
                        - created_at
                        - created_by
                    maxItems: 10000
                    type: array
                required:
                  - items
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
        '404':
          content:
            application/json:
              examples:
                notFoundExample:
                  description: One or more package policies were not found
                  value:
                    error: Not Found
                    message: Package policy package-policy-id-2 not found
                    statusCode: 404
              schema:
                additionalProperties: false
                type: object
                properties:
                  message:
                    type: string
                required:
                  - message
          description: Not Found
      summary: Bulk get package policies
      tags:
        - Fleet package policies
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/package_policies/{packagePolicyId}:
    delete:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/package_policies/{packagePolicyId}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Delete a package policy by ID.<br/><br/>[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all.
      operationId: delete-fleet-package-policies-packagepolicyid
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The ID of the package policy
          in: path
          name: packagePolicyId
          required: true
          schema:
            type: string
        - description: When true, delete the package policy even if it is managed
          in: query
          name: force
          required: false
          schema:
            type: boolean
      responses:
        '200':
          content:
            application/json:
              examples:
                deletePackagePolicyExample:
                  description: The package policy was successfully deleted
                  value:
                    id: package-policy-id-1
              schema:
                additionalProperties: false
                type: object
                properties:
                  id:
                    type: string
                required:
                  - id
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Delete a package policy
      tags:
        - Fleet package policies
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/package_policies/{packagePolicyId}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get a package policy by ID.
      operationId: get-fleet-package-policies-packagepolicyid
      parameters:
        - description: The ID of the package policy
          in: path
          name: packagePolicyId
          required: true
          schema:
            type: string
        - description: 'Format for the response: simplified or legacy'
          in: query
          name: format
          required: false
          schema:
            enum:
              - simplified
              - legacy
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                getPackagePolicyExample:
                  description: A package policy
                  value:
                    item:
                      created_at: '2024-01-15T10:00:00.000Z'
                      enabled: true
                      id: package-policy-id-1
                      inputs: []
                      name: nginx-1
                      namespace: default
                      package:
                        name: nginx
                        title: Nginx
                        version: 1.20.0
                      policy_ids:
                        - agent-policy-id-1
                      updated_at: '2024-01-15T10:00:00.000Z'
              schema:
                additionalProperties: false
                type: object
                properties:
                  item:
                    additionalProperties: false
                    type: object
                    properties:
                      additional_datastreams_permissions:
                        description: Additional datastream permissions that will be added to the agent policy.
                        items:
                          type: string
                        maxItems: 1000
                        nullable: true
                        type: array
                      agents:
                        type: number
                      cloud_connector_id:
                        description: ID of the cloud connector associated with this package policy.
                        nullable: true
                        type: string
                      cloud_connector_name:
                        description: Transient field for cloud connector name during creation.
                        maxLength: 255
                        minLength: 1
                        nullable: true
                        type: string
                      created_at:
                        type: string
                      created_by:
                        type: string
                      description:
                        description: Package policy description
                        type: string
                      elasticsearch:
                        additionalProperties: true
                        type: object
                        properties:
                          privileges:
                            additionalProperties: true
                            type: object
                            properties:
                              cluster:
                                items:
                                  type: string
                                maxItems: 100
                                type: array
                      enabled:
                        type: boolean
                      global_data_tags:
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            name:
                              description: The name of the custom field. Cannot contain spaces.
                              type: string
                            value:
                              anyOf:
                                - type: string
                                - type: number
                              description: The value of the custom field.
                          required:
                            - name
                            - value
                        maxItems: 100
                        nullable: true
                        type: array
                      id:
                        description: Package policy unique identifier.
                        type: string
                      inputs:
                        anyOf:
                          - items:
                              additionalProperties: false
                              type: object
                              properties:
                                compiled_input:
                                  nullable: true
                                config:
                                  additionalProperties:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      frozen:
                                        type: boolean
                                      type:
                                        type: string
                                      value:
                                        nullable: true
                                    required:
                                      - value
                                  description: Package variable (see integration documentation for more information)
                                  type: object
                                deprecated:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    description:
                                      type: string
                                    replaced_by:
                                      additionalProperties:
                                        type: string
                                      type: object
                                    since:
                                      type: string
                                  required:
                                    - description
                                enabled:
                                  type: boolean
                                id:
                                  type: string
                                keep_enabled:
                                  type: boolean
                                migrate_from:
                                  type: string
                                name:
                                  type: string
                                policy_template:
                                  type: string
                                streams:
                                  items:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      compiled_stream:
                                        nullable: true
                                      config:
                                        additionalProperties:
                                          additionalProperties: false
                                          type: object
                                          properties:
                                            frozen:
                                              type: boolean
                                            type:
                                              type: string
                                            value:
                                              nullable: true
                                          required:
                                            - value
                                        description: Package variable (see integration documentation for more information)
                                        type: object
                                      data_stream:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          dataset:
                                            type: string
                                          elasticsearch:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              dynamic_dataset:
                                                type: boolean
                                              dynamic_namespace:
                                                type: boolean
                                              privileges:
                                                additionalProperties: false
                                                type: object
                                                properties:
                                                  indices:
                                                    items:
                                                      type: string
                                                    maxItems: 100
                                                    type: array
                                          type:
                                            type: string
                                        required:
                                          - dataset
                                      deprecated:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          description:
                                            type: string
                                          replaced_by:
                                            additionalProperties:
                                              type: string
                                            type: object
                                          since:
                                            type: string
                                        required:
                                          - description
                                      enabled:
                                        type: boolean
                                      id:
                                        type: string
                                      keep_enabled:
                                        type: boolean
                                      migrate_from:
                                        type: string
                                      release:
                                        enum:
                                          - ga
                                          - beta
                                          - experimental
                                        type: string
                                      var_group_selections:
                                        additionalProperties:
                                          type: string
                                        description: Variable group selections. Maps var_group name to the selected option name within that group.
                                        type: object
                                      vars:
                                        additionalProperties:
                                          additionalProperties: false
                                          type: object
                                          properties:
                                            frozen:
                                              type: boolean
                                            type:
                                              type: string
                                            value:
                                              nullable: true
                                          required:
                                            - value
                                        description: Package variable (see integration documentation for more information)
                                        type: object
                                    required:
                                      - enabled
                                      - data_stream
                                      - compiled_stream
                                  maxItems: 1000
                                  type: array
                                type:
                                  type: string
                                var_group_selections:
                                  additionalProperties:
                                    type: string
                                  description: Variable group selections. Maps var_group name to the selected option name within that group.
                                  type: object
                                vars:
                                  additionalProperties:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      frozen:
                                        type: boolean
                                      type:
                                        type: string
                                      value:
                                        nullable: true
                                    required:
                                      - value
                                  description: Package variable (see integration documentation for more information)
                                  type: object
                              required:
                                - type
                                - enabled
                                - streams
                                - compiled_input
                            maxItems: 100
                            type: array
                          - additionalProperties:
                              additionalProperties: false
                              type: object
                              properties:
                                deprecated:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    description:
                                      type: string
                                    replaced_by:
                                      additionalProperties:
                                        type: string
                                      type: object
                                    since:
                                      type: string
                                  required:
                                    - description
                                enabled:
                                  description: Enable or disable this input. Defaults to `true` (enabled).
                                  type: boolean
                                streams:
                                  additionalProperties:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      deprecated:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          description:
                                            type: string
                                          replaced_by:
                                            additionalProperties:
                                              type: string
                                            type: object
                                          since:
                                            type: string
                                        required:
                                          - description
                                      enabled:
                                        description: Enable or disable this stream. Defaults to `true` (enabled).
                                        type: boolean
                                      var_group_selections:
                                        additionalProperties:
                                          type: string
                                        description: Variable group selections. Maps var_group name to the selected option name within that group.
                                        type: object
                                      vars:
                                        additionalProperties:
                                          anyOf:
                                            - type: string
                                            - type: number
                                            - type: boolean
                                            - items:
                                                type: string
                                              maxItems: 100
                                              type: array
                                            - items:
                                                type: number
                                              maxItems: 100
                                              type: array
                                            - additionalProperties: false
                                              type: object
                                              properties:
                                                id:
                                                  type: string
                                                isSecretRef:
                                                  type: boolean
                                              required:
                                                - id
                                                - isSecretRef
                                          nullable: true
                                        description: Input/stream level variable. Refer to the integration documentation for more information.
                                        type: object
                                  description: Input streams. Refer to the integration documentation to know which streams are available.
                                  type: object
                                vars:
                                  additionalProperties:
                                    anyOf:
                                      - type: string
                                      - type: number
                                      - type: boolean
                                      - items:
                                          type: string
                                        maxItems: 100
                                        type: array
                                      - items:
                                          type: number
                                        maxItems: 100
                                        type: array
                                      - additionalProperties: false
                                        type: object
                                        properties:
                                          id:
                                            type: string
                                          isSecretRef:
                                            type: boolean
                                        required:
                                          - id
                                          - isSecretRef
                                    nullable: true
                                  description: Input/stream level variable. Refer to the integration documentation for more information.
                                  type: object
                            description: Package policy inputs. Refer to the integration documentation to know which inputs are available.
                            type: object
                            x-oas-optional: true
                        description: Package policy inputs.
                      is_managed:
                        type: boolean
                      name:
                        description: Unique name for the package policy.
                        type: string
                      namespace:
                        description: The package policy namespace. Leave blank to inherit the agent policy's namespace.
                        type: string
                      output_id:
                        nullable: true
                        type: string
                      overrides:
                        additionalProperties: false
                        description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
                        nullable: true
                        type: object
                        properties:
                          inputs:
                            additionalProperties:
                              nullable: true
                            type: object
                      package:
                        additionalProperties: false
                        type: object
                        properties:
                          experimental_data_stream_features:
                            items:
                              additionalProperties: false
                              type: object
                              properties:
                                data_stream:
                                  type: string
                                features:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    doc_value_only_numeric:
                                      type: boolean
                                    doc_value_only_other:
                                      type: boolean
                                    synthetic_source:
                                      type: boolean
                                    tsdb:
                                      type: boolean
                              required:
                                - data_stream
                                - features
                            maxItems: 100
                            type: array
                          fips_compatible:
                            type: boolean
                          name:
                            description: Package name
                            type: string
                          requires_root:
                            type: boolean
                          title:
                            type: string
                          version:
                            description: Package version
                            type: string
                        required:
                          - name
                          - version
                      package_agent_version_condition:
                        type: string
                      policy_id:
                        deprecated: true
                        description: ID of the agent policy which the package policy will be added to.
                        nullable: true
                        type: string
                      policy_ids:
                        items:
                          description: IDs of the agent policies that the package policy will be added to.
                          type: string
                        maxItems: 1000
                        type: array
                      revision:
                        description: Package policy revision.
                        type: number
                      secret_references:
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            id:
                              type: string
                          required:
                            - id
                        maxItems: 1000
                        type: array
                      spaceIds:
                        items:
                          type: string
                        maxItems: 100
                        type: array
                      supports_agentless:
                        default: false
                        description: Indicates whether the package policy belongs to an agentless agent policy.
                        nullable: true
                        type: boolean
                      supports_cloud_connector:
                        default: false
                        description: Indicates whether the package policy supports cloud connectors.
                        nullable: true
                        type: boolean
                      updated_at:
                        type: string
                      updated_by:
                        type: string
                      var_group_selections:
                        additionalProperties:
                          type: string
                        description: Variable group selections. Maps var_group name to the selected option name within that group.
                        type: object
                      vars:
                        anyOf:
                          - additionalProperties:
                              additionalProperties: false
                              type: object
                              properties:
                                frozen:
                                  type: boolean
                                type:
                                  type: string
                                value:
                                  nullable: true
                              required:
                                - value
                            description: Package variable (see integration documentation for more information)
                            type: object
                          - additionalProperties:
                              anyOf:
                                - type: string
                                - type: number
                                - type: boolean
                                - items:
                                    type: string
                                  maxItems: 100
                                  type: array
                                - items:
                                    type: number
                                  maxItems: 100
                                  type: array
                                - additionalProperties: false
                                  type: object
                                  properties:
                                    id:
                                      type: string
                                    isSecretRef:
                                      type: boolean
                                  required:
                                    - id
                                    - isSecretRef
                              nullable: true
                            description: Input/stream level variable. Refer to the integration documentation for more information.
                            type: object
                            x-oas-optional: true
                        description: Package level variable.
                      version:
                        description: Package policy ES version.
                        type: string
                    required:
                      - name
                      - enabled
                      - inputs
                      - id
                      - revision
                      - updated_at
                      - updated_by
                      - created_at
                      - created_by
                required:
                  - item
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
        '404':
          content:
            application/json:
              examples:
                notFoundExample:
                  description: No package policy was found with the given ID
                  value:
                    error: Not Found
                    message: Package policy package-policy-id-1 not found
                    statusCode: 404
              schema:
                additionalProperties: false
                type: object
                properties:
                  message:
                    type: string
                required:
                  - message
          description: Not Found
      summary: Get a package policy
      tags:
        - Fleet package policies
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    put:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb put">put</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/package_policies/{packagePolicyId}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Update a package policy by ID.
      operationId: put-fleet-package-policies-packagepolicyid
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The ID of the package policy
          in: path
          name: packagePolicyId
          required: true
          schema:
            type: string
        - description: 'Format for the response: simplified or legacy'
          in: query
          name: format
          required: false
          schema:
            enum:
              - simplified
              - legacy
            type: string
      requestBody:
        content:
          application/json:
            examples:
              putPackagePolicyRequestExample:
                description: Update a package policy
                value:
                  enabled: true
                  inputs: {}
                  name: nginx-1-updated
                  namespace: default
                  package:
                    name: nginx
                    version: 1.20.0
                  policy_ids:
                    - agent-policy-id-1
            schema:
              anyOf:
                - additionalProperties: false
                  type: object
                  properties:
                    additional_datastreams_permissions:
                      description: Additional datastream permissions that will be added to the agent policy.
                      items:
                        type: string
                      maxItems: 1000
                      nullable: true
                      type: array
                    cloud_connector_id:
                      description: ID of the cloud connector associated with this package policy.
                      nullable: true
                      type: string
                    cloud_connector_name:
                      description: Transient field for cloud connector name during creation.
                      maxLength: 255
                      minLength: 1
                      nullable: true
                      type: string
                    description:
                      description: Package policy description
                      type: string
                    enabled:
                      type: boolean
                    force:
                      type: boolean
                    global_data_tags:
                      items:
                        additionalProperties: false
                        type: object
                        properties:
                          name:
                            description: The name of the custom field. Cannot contain spaces.
                            type: string
                          value:
                            anyOf:
                              - type: string
                              - type: number
                            description: The value of the custom field.
                        required:
                          - name
                          - value
                      maxItems: 100
                      nullable: true
                      type: array
                    inputs:
                      items:
                        additionalProperties: false
                        type: object
                        properties:
                          config:
                            additionalProperties:
                              additionalProperties: false
                              type: object
                              properties:
                                frozen:
                                  type: boolean
                                type:
                                  type: string
                                value:
                                  nullable: true
                              required:
                                - value
                            description: Package variable (see integration documentation for more information)
                            type: object
                          deprecated:
                            additionalProperties: false
                            type: object
                            properties:
                              description:
                                type: string
                              replaced_by:
                                additionalProperties:
                                  type: string
                                type: object
                              since:
                                type: string
                            required:
                              - description
                          enabled:
                            type: boolean
                          id:
                            type: string
                          keep_enabled:
                            type: boolean
                          migrate_from:
                            type: string
                          name:
                            type: string
                          policy_template:
                            type: string
                          streams:
                            items:
                              additionalProperties: false
                              type: object
                              properties:
                                compiled_stream:
                                  nullable: true
                                config:
                                  additionalProperties:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      frozen:
                                        type: boolean
                                      type:
                                        type: string
                                      value:
                                        nullable: true
                                    required:
                                      - value
                                  description: Package variable (see integration documentation for more information)
                                  type: object
                                data_stream:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    dataset:
                                      type: string
                                    elasticsearch:
                                      additionalProperties: false
                                      type: object
                                      properties:
                                        dynamic_dataset:
                                          type: boolean
                                        dynamic_namespace:
                                          type: boolean
                                        privileges:
                                          additionalProperties: false
                                          type: object
                                          properties:
                                            indices:
                                              items:
                                                type: string
                                              maxItems: 100
                                              type: array
                                    type:
                                      type: string
                                  required:
                                    - dataset
                                deprecated:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    description:
                                      type: string
                                    replaced_by:
                                      additionalProperties:
                                        type: string
                                      type: object
                                    since:
                                      type: string
                                  required:
                                    - description
                                enabled:
                                  type: boolean
                                id:
                                  type: string
                                keep_enabled:
                                  type: boolean
                                migrate_from:
                                  type: string
                                release:
                                  enum:
                                    - ga
                                    - beta
                                    - experimental
                                  type: string
                                var_group_selections:
                                  additionalProperties:
                                    type: string
                                  description: Variable group selections. Maps var_group name to the selected option name within that group.
                                  type: object
                                vars:
                                  additionalProperties:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      frozen:
                                        type: boolean
                                      type:
                                        type: string
                                      value:
                                        nullable: true
                                    required:
                                      - value
                                  description: Package variable (see integration documentation for more information)
                                  type: object
                              required:
                                - enabled
                                - data_stream
                                - compiled_stream
                            maxItems: 1000
                            type: array
                          type:
                            type: string
                          var_group_selections:
                            additionalProperties:
                              type: string
                            description: Variable group selections. Maps var_group name to the selected option name within that group.
                            type: object
                          vars:
                            additionalProperties:
                              additionalProperties: false
                              type: object
                              properties:
                                frozen:
                                  type: boolean
                                type:
                                  type: string
                                value:
                                  nullable: true
                              required:
                                - value
                            description: Package variable (see integration documentation for more information)
                            type: object
                        required:
                          - type
                          - enabled
                      maxItems: 1000
                      type: array
                    is_managed:
                      type: boolean
                    name:
                      type: string
                    namespace:
                      description: The package policy namespace. Leave blank to inherit the agent policy's namespace.
                      type: string
                    output_id:
                      nullable: true
                      type: string
                    overrides:
                      additionalProperties: false
                      description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
                      nullable: true
                      type: object
                      properties:
                        inputs:
                          additionalProperties:
                            nullable: true
                          type: object
                    package:
                      additionalProperties: false
                      type: object
                      properties:
                        experimental_data_stream_features:
                          items:
                            additionalProperties: false
                            type: object
                            properties:
                              data_stream:
                                type: string
                              features:
                                additionalProperties: false
                                type: object
                                properties:
                                  doc_value_only_numeric:
                                    type: boolean
                                  doc_value_only_other:
                                    type: boolean
                                  synthetic_source:
                                    type: boolean
                                  tsdb:
                                    type: boolean
                            required:
                              - data_stream
                              - features
                          maxItems: 100
                          type: array
                        fips_compatible:
                          type: boolean
                        name:
                          description: Package name
                          type: string
                        requires_root:
                          type: boolean
                        title:
                          type: string
                        version:
                          description: Package version
                          type: string
                      required:
                        - name
                        - version
                    package_agent_version_condition:
                      type: string
                    policy_id:
                      deprecated: true
                      description: ID of the agent policy which the package policy will be added to.
                      nullable: true
                      type: string
                    policy_ids:
                      items:
                        description: IDs of the agent policies that the package policy will be added to.
                        type: string
                      maxItems: 1000
                      type: array
                    spaceIds:
                      items:
                        type: string
                      maxItems: 100
                      type: array
                    supports_agentless:
                      default: false
                      description: Indicates whether the package policy belongs to an agentless agent policy.
                      nullable: true
                      type: boolean
                    supports_cloud_connector:
                      default: false
                      description: Indicates whether the package policy supports cloud connectors.
                      nullable: true
                      type: boolean
                    var_group_selections:
                      additionalProperties:
                        type: string
                      description: Variable group selections. Maps var_group name to the selected option name within that group.
                      type: object
                    vars:
                      additionalProperties:
                        additionalProperties: false
                        type: object
                        properties:
                          frozen:
                            type: boolean
                          type:
                            type: string
                          value:
                            nullable: true
                        required:
                          - value
                      description: Package variable (see integration documentation for more information)
                      type: object
                    version:
                      type: string
                - additionalProperties: false
                  type: object
                  properties:
                    additional_datastreams_permissions:
                      description: Additional datastream permissions that will be added to the agent policy.
                      items:
                        type: string
                      maxItems: 100
                      nullable: true
                      type: array
                    description:
                      description: Policy description.
                      type: string
                    force:
                      description: Force package policy creation even if the package is not verified, or if the agent policy is managed.
                      type: boolean
                    id:
                      description: Policy unique identifier.
                      type: string
                    inputs:
                      additionalProperties:
                        additionalProperties: false
                        type: object
                        properties:
                          deprecated:
                            additionalProperties: false
                            type: object
                            properties:
                              description:
                                type: string
                              replaced_by:
                                additionalProperties:
                                  type: string
                                type: object
                              since:
                                type: string
                            required:
                              - description
                          enabled:
                            description: Enable or disable that input. Defaults to `true` (enabled).
                            type: boolean
                          streams:
                            additionalProperties:
                              additionalProperties: false
                              type: object
                              properties:
                                deprecated:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    description:
                                      type: string
                                    replaced_by:
                                      additionalProperties:
                                        type: string
                                      type: object
                                    since:
                                      type: string
                                  required:
                                    - description
                                enabled:
                                  description: Enable or disable that stream. Defaults to `true` (enabled).
                                  type: boolean
                                var_group_selections:
                                  additionalProperties:
                                    type: string
                                  description: Variable group selections. Maps var_group name to the selected option name within that group.
                                  type: object
                                vars:
                                  additionalProperties:
                                    anyOf:
                                      - type: string
                                      - type: number
                                      - type: boolean
                                      - items:
                                          type: string
                                        maxItems: 100
                                        type: array
                                      - items:
                                          type: number
                                        maxItems: 100
                                        type: array
                                      - additionalProperties: false
                                        type: object
                                        properties:
                                          id:
                                            type: string
                                          isSecretRef:
                                            type: boolean
                                        required:
                                          - id
                                          - isSecretRef
                                    nullable: true
                                  description: Input/stream level variable. Refer to the integration documentation for more information.
                                  type: object
                            description: Input streams. Refer to the integration documentation to know which streams are available.
                            type: object
                          vars:
                            additionalProperties:
                              anyOf:
                                - type: string
                                - type: number
                                - type: boolean
                                - items:
                                    type: string
                                  maxItems: 100
                                  type: array
                                - items:
                                    type: number
                                  maxItems: 100
                                  type: array
                                - additionalProperties: false
                                  type: object
                                  properties:
                                    id:
                                      type: string
                                    isSecretRef:
                                      type: boolean
                                  required:
                                    - id
                                    - isSecretRef
                              nullable: true
                            description: Input/stream level variable. Refer to the integration documentation for more information.
                            type: object
                      description: Package policy inputs. Refer to the integration documentation to know which inputs are available.
                      type: object
                    name:
                      description: Unique name for the policy.
                      type: string
                    namespace:
                      description: Policy namespace. When not specified, it inherits the agent policy namespace.
                      type: string
                    output_id:
                      nullable: true
                      type: string
                    package:
                      additionalProperties: false
                      type: object
                      properties:
                        experimental_data_stream_features:
                          items:
                            additionalProperties: false
                            type: object
                            properties:
                              data_stream:
                                type: string
                              features:
                                additionalProperties: false
                                type: object
                                properties:
                                  doc_value_only_numeric:
                                    type: boolean
                                  doc_value_only_other:
                                    type: boolean
                                  synthetic_source:
                                    type: boolean
                                  tsdb:
                                    type: boolean
                            required:
                              - data_stream
                              - features
                          maxItems: 100
                          type: array
                        fips_compatible:
                          type: boolean
                        name:
                          description: Package name
                          type: string
                        requires_root:
                          type: boolean
                        title:
                          type: string
                        version:
                          description: Package version
                          type: string
                      required:
                        - name
                        - version
                    policy_id:
                      deprecated: true
                      description: Deprecated. Use policy_ids instead.
                      nullable: true
                      type: string
                    policy_ids:
                      description: IDs of the agent policies that the package policy will be added to.
                      items:
                        type: string
                      maxItems: 1000
                      type: array
                    supports_agentless:
                      default: false
                      deprecated: true
                      description: Indicates whether the package policy belongs to an agentless agent policy. Deprecated in favor of the Fleet agentless policies API.
                      nullable: true
                      type: boolean
                    var_group_selections:
                      additionalProperties:
                        type: string
                      description: Variable group selections. Maps var_group name to the selected option name within that group.
                      type: object
                    vars:
                      additionalProperties:
                        anyOf:
                          - type: string
                          - type: number
                          - type: boolean
                          - items:
                              type: string
                            maxItems: 100
                            type: array
                          - items:
                              type: number
                            maxItems: 100
                            type: array
                          - additionalProperties: false
                            type: object
                            properties:
                              id:
                                type: string
                              isSecretRef:
                                type: boolean
                            required:
                              - id
                              - isSecretRef
                        nullable: true
                      description: Input/stream level variable. Refer to the integration documentation for more information.
                      type: object
                  required:
                    - name
                    - package
      responses:
        '200':
          content:
            application/json:
              examples:
                putPackagePolicyExample:
                  description: The updated package policy
                  value:
                    item:
                      created_at: '2024-01-15T10:00:00.000Z'
                      enabled: true
                      id: package-policy-id-1
                      inputs: []
                      name: nginx-1-updated
                      namespace: default
                      package:
                        name: nginx
                        title: Nginx
                        version: 1.20.0
                      policy_ids:
                        - agent-policy-id-1
                      updated_at: '2024-01-15T11:00:00.000Z'
              schema:
                additionalProperties: false
                type: object
                properties:
                  item:
                    additionalProperties: false
                    type: object
                    properties:
                      additional_datastreams_permissions:
                        description: Additional datastream permissions that will be added to the agent policy.
                        items:
                          type: string
                        maxItems: 1000
                        nullable: true
                        type: array
                      agents:
                        type: number
                      cloud_connector_id:
                        description: ID of the cloud connector associated with this package policy.
                        nullable: true
                        type: string
                      cloud_connector_name:
                        description: Transient field for cloud connector name during creation.
                        maxLength: 255
                        minLength: 1
                        nullable: true
                        type: string
                      created_at:
                        type: string
                      created_by:
                        type: string
                      description:
                        description: Package policy description
                        type: string
                      elasticsearch:
                        additionalProperties: true
                        type: object
                        properties:
                          privileges:
                            additionalProperties: true
                            type: object
                            properties:
                              cluster:
                                items:
                                  type: string
                                maxItems: 100
                                type: array
                      enabled:
                        type: boolean
                      global_data_tags:
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            name:
                              description: The name of the custom field. Cannot contain spaces.
                              type: string
                            value:
                              anyOf:
                                - type: string
                                - type: number
                              description: The value of the custom field.
                          required:
                            - name
                            - value
                        maxItems: 100
                        nullable: true
                        type: array
                      id:
                        description: Package policy unique identifier.
                        type: string
                      inputs:
                        anyOf:
                          - items:
                              additionalProperties: false
                              type: object
                              properties:
                                compiled_input:
                                  nullable: true
                                config:
                                  additionalProperties:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      frozen:
                                        type: boolean
                                      type:
                                        type: string
                                      value:
                                        nullable: true
                                    required:
                                      - value
                                  description: Package variable (see integration documentation for more information)
                                  type: object
                                deprecated:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    description:
                                      type: string
                                    replaced_by:
                                      additionalProperties:
                                        type: string
                                      type: object
                                    since:
                                      type: string
                                  required:
                                    - description
                                enabled:
                                  type: boolean
                                id:
                                  type: string
                                keep_enabled:
                                  type: boolean
                                migrate_from:
                                  type: string
                                name:
                                  type: string
                                policy_template:
                                  type: string
                                streams:
                                  items:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      compiled_stream:
                                        nullable: true
                                      config:
                                        additionalProperties:
                                          additionalProperties: false
                                          type: object
                                          properties:
                                            frozen:
                                              type: boolean
                                            type:
                                              type: string
                                            value:
                                              nullable: true
                                          required:
                                            - value
                                        description: Package variable (see integration documentation for more information)
                                        type: object
                                      data_stream:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          dataset:
                                            type: string
                                          elasticsearch:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              dynamic_dataset:
                                                type: boolean
                                              dynamic_namespace:
                                                type: boolean
                                              privileges:
                                                additionalProperties: false
                                                type: object
                                                properties:
                                                  indices:
                                                    items:
                                                      type: string
                                                    maxItems: 100
                                                    type: array
                                          type:
                                            type: string
                                        required:
                                          - dataset
                                      deprecated:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          description:
                                            type: string
                                          replaced_by:
                                            additionalProperties:
                                              type: string
                                            type: object
                                          since:
                                            type: string
                                        required:
                                          - description
                                      enabled:
                                        type: boolean
                                      id:
                                        type: string
                                      keep_enabled:
                                        type: boolean
                                      migrate_from:
                                        type: string
                                      release:
                                        enum:
                                          - ga
                                          - beta
                                          - experimental
                                        type: string
                                      var_group_selections:
                                        additionalProperties:
                                          type: string
                                        description: Variable group selections. Maps var_group name to the selected option name within that group.
                                        type: object
                                      vars:
                                        additionalProperties:
                                          additionalProperties: false
                                          type: object
                                          properties:
                                            frozen:
                                              type: boolean
                                            type:
                                              type: string
                                            value:
                                              nullable: true
                                          required:
                                            - value
                                        description: Package variable (see integration documentation for more information)
                                        type: object
                                    required:
                                      - enabled
                                      - data_stream
                                      - compiled_stream
                                  maxItems: 1000
                                  type: array
                                type:
                                  type: string
                                var_group_selections:
                                  additionalProperties:
                                    type: string
                                  description: Variable group selections. Maps var_group name to the selected option name within that group.
                                  type: object
                                vars:
                                  additionalProperties:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      frozen:
                                        type: boolean
                                      type:
                                        type: string
                                      value:
                                        nullable: true
                                    required:
                                      - value
                                  description: Package variable (see integration documentation for more information)
                                  type: object
                              required:
                                - type
                                - enabled
                                - streams
                                - compiled_input
                            maxItems: 100
                            type: array
                          - additionalProperties:
                              additionalProperties: false
                              type: object
                              properties:
                                deprecated:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    description:
                                      type: string
                                    replaced_by:
                                      additionalProperties:
                                        type: string
                                      type: object
                                    since:
                                      type: string
                                  required:
                                    - description
                                enabled:
                                  description: Enable or disable that input. Defaults to `true` (enabled).
                                  type: boolean
                                streams:
                                  additionalProperties:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      deprecated:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          description:
                                            type: string
                                          replaced_by:
                                            additionalProperties:
                                              type: string
                                            type: object
                                          since:
                                            type: string
                                        required:
                                          - description
                                      enabled:
                                        description: Enable or disable that stream. Defaults to `true` (enabled).
                                        type: boolean
                                      var_group_selections:
                                        additionalProperties:
                                          type: string
                                        description: Variable group selections. Maps var_group name to the selected option name within that group.
                                        type: object
                                      vars:
                                        additionalProperties:
                                          anyOf:
                                            - type: string
                                            - type: number
                                            - type: boolean
                                            - items:
                                                type: string
                                              maxItems: 100
                                              type: array
                                            - items:
                                                type: number
                                              maxItems: 100
                                              type: array
                                            - additionalProperties: false
                                              type: object
                                              properties:
                                                id:
                                                  type: string
                                                isSecretRef:
                                                  type: boolean
                                              required:
                                                - id
                                                - isSecretRef
                                          nullable: true
                                        description: Input/stream level variable. Refer to the integration documentation for more information.
                                        type: object
                                  description: Input streams. Refer to the integration documentation to know which streams are available.
                                  type: object
                                vars:
                                  additionalProperties:
                                    anyOf:
                                      - type: string
                                      - type: number
                                      - type: boolean
                                      - items:
                                          type: string
                                        maxItems: 100
                                        type: array
                                      - items:
                                          type: number
                                        maxItems: 100
                                        type: array
                                      - additionalProperties: false
                                        type: object
                                        properties:
                                          id:
                                            type: string
                                          isSecretRef:
                                            type: boolean
                                        required:
                                          - id
                                          - isSecretRef
                                    nullable: true
                                  description: Input/stream level variable. Refer to the integration documentation for more information.
                                  type: object
                            description: Package policy inputs. Refer to the integration documentation to know which inputs are available.
                            type: object
                            x-oas-optional: true
                        description: Package policy inputs.
                      is_managed:
                        type: boolean
                      name:
                        description: Unique name for the package policy.
                        type: string
                      namespace:
                        description: The package policy namespace. Leave blank to inherit the agent policy's namespace.
                        type: string
                      output_id:
                        nullable: true
                        type: string
                      overrides:
                        additionalProperties: false
                        description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
                        nullable: true
                        type: object
                        properties:
                          inputs:
                            additionalProperties:
                              nullable: true
                            type: object
                      package:
                        additionalProperties: false
                        type: object
                        properties:
                          experimental_data_stream_features:
                            items:
                              additionalProperties: false
                              type: object
                              properties:
                                data_stream:
                                  type: string
                                features:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    doc_value_only_numeric:
                                      type: boolean
                                    doc_value_only_other:
                                      type: boolean
                                    synthetic_source:
                                      type: boolean
                                    tsdb:
                                      type: boolean
                              required:
                                - data_stream
                                - features
                            maxItems: 100
                            type: array
                          fips_compatible:
                            type: boolean
                          name:
                            description: Package name
                            type: string
                          requires_root:
                            type: boolean
                          title:
                            type: string
                          version:
                            description: Package version
                            type: string
                        required:
                          - name
                          - version
                      package_agent_version_condition:
                        type: string
                      policy_id:
                        deprecated: true
                        description: ID of the agent policy which the package policy will be added to.
                        nullable: true
                        type: string
                      policy_ids:
                        items:
                          description: IDs of the agent policies that the package policy will be added to.
                          type: string
                        maxItems: 1000
                        type: array
                      revision:
                        description: Package policy revision.
                        type: number
                      secret_references:
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            id:
                              type: string
                          required:
                            - id
                        maxItems: 1000
                        type: array
                      spaceIds:
                        items:
                          type: string
                        maxItems: 100
                        type: array
                      supports_agentless:
                        default: false
                        description: Indicates whether the package policy belongs to an agentless agent policy.
                        nullable: true
                        type: boolean
                      supports_cloud_connector:
                        default: false
                        description: Indicates whether the package policy supports cloud connectors.
                        nullable: true
                        type: boolean
                      updated_at:
                        type: string
                      updated_by:
                        type: string
                      var_group_selections:
                        additionalProperties:
                          type: string
                        description: Variable group selections. Maps var_group name to the selected option name within that group.
                        type: object
                      vars:
                        anyOf:
                          - additionalProperties:
                              additionalProperties: false
                              type: object
                              properties:
                                frozen:
                                  type: boolean
                                type:
                                  type: string
                                value:
                                  nullable: true
                              required:
                                - value
                            description: Package variable (see integration documentation for more information)
                            type: object
                          - additionalProperties:
                              anyOf:
                                - type: string
                                - type: number
                                - type: boolean
                                - items:
                                    type: string
                                  maxItems: 100
                                  type: array
                                - items:
                                    type: number
                                  maxItems: 100
                                  type: array
                                - additionalProperties: false
                                  type: object
                                  properties:
                                    id:
                                      type: string
                                    isSecretRef:
                                      type: boolean
                                  required:
                                    - id
                                    - isSecretRef
                              nullable: true
                            description: Input/stream level variable. Refer to the integration documentation for more information.
                            type: object
                            x-oas-optional: true
                        description: Package level variable.
                      version:
                        description: Package policy ES version.
                        type: string
                    required:
                      - name
                      - enabled
                      - inputs
                      - id
                      - revision
                      - updated_at
                      - updated_by
                      - created_at
                      - created_by
                required:
                  - item
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
        '403':
          content:
            application/json:
              examples:
                forbiddenExample:
                  description: The update is not authorized for this package
                  value:
                    error: Forbidden
                    message: An error message describing what went wrong
                    statusCode: 403
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Forbidden
      summary: Update a package policy
      tags:
        - Fleet package policies
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/package_policies/delete:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/package_policies/delete</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Delete multiple package policies by ID.<br/><br/>[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all.
      operationId: post-fleet-package-policies-delete
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            examples:
              postDeletePackagePoliciesRequestExample:
                description: Delete multiple package policies by ID
                value:
                  packagePolicyIds:
                    - package-policy-id-1
                    - package-policy-id-2
            schema:
              additionalProperties: false
              type: object
              properties:
                force:
                  type: boolean
                packagePolicyIds:
                  items:
                    type: string
                  maxItems: 1000
                  type: array
              required:
                - packagePolicyIds
      responses:
        '200':
          content:
            application/json:
              examples:
                postDeletePackagePoliciesExample:
                  description: Results of the bulk delete operation
                  value:
                    - id: package-policy-id-1
                      success: true
                    - id: package-policy-id-2
                      success: true
              schema:
                items:
                  additionalProperties: false
                  type: object
                  properties:
                    body:
                      additionalProperties: false
                      type: object
                      properties:
                        message:
                          type: string
                      required:
                        - message
                    id:
                      type: string
                    name:
                      type: string
                    output_id:
                      nullable: true
                      type: string
                    package:
                      additionalProperties: false
                      type: object
                      properties:
                        experimental_data_stream_features:
                          items:
                            additionalProperties: false
                            type: object
                            properties:
                              data_stream:
                                type: string
                              features:
                                additionalProperties: false
                                type: object
                                properties:
                                  doc_value_only_numeric:
                                    type: boolean
                                  doc_value_only_other:
                                    type: boolean
                                  synthetic_source:
                                    type: boolean
                                  tsdb:
                                    type: boolean
                            required:
                              - data_stream
                              - features
                          maxItems: 100
                          type: array
                        fips_compatible:
                          type: boolean
                        name:
                          description: Package name
                          type: string
                        requires_root:
                          type: boolean
                        title:
                          type: string
                        version:
                          description: Package version
                          type: string
                      required:
                        - name
                        - version
                    policy_id:
                      deprecated: true
                      description: Use `policy_ids` instead
                      nullable: true
                      type: string
                    policy_ids:
                      items:
                        type: string
                      maxItems: 10000
                      type: array
                    statusCode:
                      type: number
                    success:
                      type: boolean
                  required:
                    - id
                    - success
                    - policy_ids
                    - package
                maxItems: 10000
                type: array
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Bulk delete package policies
      tags:
        - Fleet package policies
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/package_policies/upgrade:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/package_policies/upgrade</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Upgrade a package policy to a newer package version.<br/><br/>[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all.
      operationId: post-fleet-package-policies-upgrade
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            examples:
              postUpgradePackagePoliciesRequestExample:
                description: Upgrade package policies to the latest version
                value:
                  packagePolicyIds:
                    - package-policy-id-1
            schema:
              additionalProperties: false
              type: object
              properties:
                packagePolicyIds:
                  items:
                    type: string
                  maxItems: 1000
                  type: array
              required:
                - packagePolicyIds
      responses:
        '200':
          content:
            application/json:
              examples:
                postUpgradePackagePoliciesExample:
                  description: Results of the upgrade operation
                  value:
                    - id: package-policy-id-1
                      name: nginx-1
                      success: true
              schema:
                items:
                  additionalProperties: false
                  type: object
                  properties:
                    body:
                      additionalProperties: false
                      type: object
                      properties:
                        message:
                          type: string
                      required:
                        - message
                    id:
                      type: string
                    name:
                      type: string
                    statusCode:
                      type: number
                    success:
                      type: boolean
                  required:
                    - id
                    - success
                maxItems: 10000
                type: array
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Upgrade a package policy
      tags:
        - Fleet package policies
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/package_policies/upgrade/dryrun:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/package_policies/upgrade/dryrun</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Preview the changes that would be applied by upgrading a package policy to a newer package version.<br/><br/>[Required authorization] Route required privileges: fleet-agent-policies-read AND integrations-read.
      operationId: post-fleet-package-policies-upgrade-dryrun
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            examples:
              postDryRunPackagePoliciesRequestExample:
                description: Dry run an upgrade of a package policy
                value:
                  packagePolicyIds:
                    - package-policy-id-1
            schema:
              additionalProperties: false
              type: object
              properties:
                packagePolicyIds:
                  items:
                    type: string
                  maxItems: 1000
                  type: array
                packageVersion:
                  type: string
              required:
                - packagePolicyIds
      responses:
        '200':
          content:
            application/json:
              examples:
                postDryRunPackagePoliciesExample:
                  description: Preview of the package policy upgrade diff
                  value:
                    - diff:
                        - id: package-policy-id-1
                          name: nginx-1
                          package:
                            name: nginx
                            version: 1.20.0
                        - name: nginx-1
                          package:
                            name: nginx
                            version: 1.21.0
                      hasErrors: false
                      name: nginx-1
              schema:
                items:
                  additionalProperties: false
                  type: object
                  properties:
                    agent_diff:
                      items:
                        items:
                          additionalProperties: true
                          type: object
                          properties:
                            data_stream:
                              additionalProperties: true
                              type: object
                              properties:
                                namespace:
                                  type: string
                              required:
                                - namespace
                            id:
                              type: string
                            meta:
                              additionalProperties: true
                              type: object
                              properties:
                                package:
                                  additionalProperties: true
                                  type: object
                                  properties:
                                    name:
                                      type: string
                                    version:
                                      type: string
                                  required:
                                    - name
                                    - version
                              required:
                                - package
                            name:
                              type: string
                            package_policy_id:
                              type: string
                            processors:
                              items:
                                additionalProperties: true
                                type: object
                                properties:
                                  add_fields:
                                    additionalProperties: true
                                    type: object
                                    properties:
                                      fields:
                                        additionalProperties:
                                          anyOf:
                                            - type: string
                                            - type: number
                                        type: object
                                      target:
                                        type: string
                                    required:
                                      - target
                                      - fields
                                required:
                                  - add_fields
                              maxItems: 10000
                              type: array
                            revision:
                              type: number
                            streams:
                              items:
                                additionalProperties: true
                                type: object
                                properties:
                                  data_stream:
                                    additionalProperties: true
                                    type: object
                                    properties:
                                      dataset:
                                        type: string
                                      type:
                                        type: string
                                    required:
                                      - dataset
                                  id:
                                    type: string
                                required:
                                  - data_stream
                              maxItems: 10000
                              type: array
                            type:
                              type: string
                            use_output:
                              type: string
                          required:
                            - id
                            - name
                            - revision
                            - type
                            - data_stream
                            - use_output
                            - package_policy_id
                        maxItems: 10000
                        type: array
                      maxItems: 1
                      type: array
                    body:
                      additionalProperties: false
                      type: object
                      properties:
                        message:
                          type: string
                      required:
                        - message
                    diff:
                      items:
                        anyOf:
                          - additionalProperties: false
                            type: object
                            properties:
                              additional_datastreams_permissions:
                                description: Additional datastream permissions that will be added to the agent policy.
                                items:
                                  type: string
                                maxItems: 1000
                                nullable: true
                                type: array
                              agents:
                                type: number
                              cloud_connector_id:
                                description: ID of the cloud connector associated with this package policy.
                                nullable: true
                                type: string
                              cloud_connector_name:
                                description: Transient field for cloud connector name during creation.
                                maxLength: 255
                                minLength: 1
                                nullable: true
                                type: string
                              created_at:
                                type: string
                              created_by:
                                type: string
                              description:
                                description: Package policy description
                                type: string
                              elasticsearch:
                                additionalProperties: true
                                type: object
                                properties:
                                  privileges:
                                    additionalProperties: true
                                    type: object
                                    properties:
                                      cluster:
                                        items:
                                          type: string
                                        maxItems: 100
                                        type: array
                              enabled:
                                type: boolean
                              global_data_tags:
                                items:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    name:
                                      description: The name of the custom field. Cannot contain spaces.
                                      type: string
                                    value:
                                      anyOf:
                                        - type: string
                                        - type: number
                                      description: The value of the custom field.
                                  required:
                                    - name
                                    - value
                                maxItems: 100
                                nullable: true
                                type: array
                              id:
                                type: string
                              inputs:
                                anyOf:
                                  - items:
                                      additionalProperties: false
                                      type: object
                                      properties:
                                        compiled_input:
                                          nullable: true
                                        config:
                                          additionalProperties:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              frozen:
                                                type: boolean
                                              type:
                                                type: string
                                              value:
                                                nullable: true
                                            required:
                                              - value
                                          description: Package variable (see integration documentation for more information)
                                          type: object
                                        deprecated:
                                          additionalProperties: false
                                          type: object
                                          properties:
                                            description:
                                              type: string
                                            replaced_by:
                                              additionalProperties:
                                                type: string
                                              type: object
                                            since:
                                              type: string
                                          required:
                                            - description
                                        enabled:
                                          type: boolean
                                        id:
                                          type: string
                                        keep_enabled:
                                          type: boolean
                                        migrate_from:
                                          type: string
                                        name:
                                          type: string
                                        policy_template:
                                          type: string
                                        streams:
                                          items:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              compiled_stream:
                                                nullable: true
                                              config:
                                                additionalProperties:
                                                  additionalProperties: false
                                                  type: object
                                                  properties:
                                                    frozen:
                                                      type: boolean
                                                    type:
                                                      type: string
                                                    value:
                                                      nullable: true
                                                  required:
                                                    - value
                                                description: Package variable (see integration documentation for more information)
                                                type: object
                                              data_stream:
                                                additionalProperties: false
                                                type: object
                                                properties:
                                                  dataset:
                                                    type: string
                                                  elasticsearch:
                                                    additionalProperties: false
                                                    type: object
                                                    properties:
                                                      dynamic_dataset:
                                                        type: boolean
                                                      dynamic_namespace:
                                                        type: boolean
                                                      privileges:
                                                        additionalProperties: false
                                                        type: object
                                                        properties:
                                                          indices:
                                                            items:
                                                              type: string
                                                            maxItems: 100
                                                            type: array
                                                  type:
                                                    type: string
                                                required:
                                                  - dataset
                                              deprecated:
                                                additionalProperties: false
                                                type: object
                                                properties:
                                                  description:
                                                    type: string
                                                  replaced_by:
                                                    additionalProperties:
                                                      type: string
                                                    type: object
                                                  since:
                                                    type: string
                                                required:
                                                  - description
                                              enabled:
                                                type: boolean
                                              id:
                                                type: string
                                              keep_enabled:
                                                type: boolean
                                              migrate_from:
                                                type: string
                                              release:
                                                enum:
                                                  - ga
                                                  - beta
                                                  - experimental
                                                type: string
                                              var_group_selections:
                                                additionalProperties:
                                                  type: string
                                                description: Variable group selections. Maps var_group name to the selected option name within that group.
                                                type: object
                                              vars:
                                                additionalProperties:
                                                  additionalProperties: false
                                                  type: object
                                                  properties:
                                                    frozen:
                                                      type: boolean
                                                    type:
                                                      type: string
                                                    value:
                                                      nullable: true
                                                  required:
                                                    - value
                                                description: Package variable (see integration documentation for more information)
                                                type: object
                                            required:
                                              - enabled
                                              - data_stream
                                              - compiled_stream
                                          maxItems: 1000
                                          type: array
                                        type:
                                          type: string
                                        var_group_selections:
                                          additionalProperties:
                                            type: string
                                          description: Variable group selections. Maps var_group name to the selected option name within that group.
                                          type: object
                                        vars:
                                          additionalProperties:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              frozen:
                                                type: boolean
                                              type:
                                                type: string
                                              value:
                                                nullable: true
                                            required:
                                              - value
                                          description: Package variable (see integration documentation for more information)
                                          type: object
                                      required:
                                        - type
                                        - enabled
                                        - streams
                                        - compiled_input
                                    maxItems: 100
                                    type: array
                                  - additionalProperties:
                                      additionalProperties: false
                                      type: object
                                      properties:
                                        deprecated:
                                          additionalProperties: false
                                          type: object
                                          properties:
                                            description:
                                              type: string
                                            replaced_by:
                                              additionalProperties:
                                                type: string
                                              type: object
                                            since:
                                              type: string
                                          required:
                                            - description
                                        enabled:
                                          description: Enable or disable this input. Defaults to `true` (enabled).
                                          type: boolean
                                        streams:
                                          additionalProperties:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              deprecated:
                                                additionalProperties: false
                                                type: object
                                                properties:
                                                  description:
                                                    type: string
                                                  replaced_by:
                                                    additionalProperties:
                                                      type: string
                                                    type: object
                                                  since:
                                                    type: string
                                                required:
                                                  - description
                                              enabled:
                                                description: Enable or disable this stream. Defaults to `true` (enabled).
                                                type: boolean
                                              var_group_selections:
                                                additionalProperties:
                                                  type: string
                                                description: Variable group selections. Maps var_group name to the selected option name within that group.
                                                type: object
                                              vars:
                                                additionalProperties:
                                                  anyOf:
                                                    - type: string
                                                    - type: number
                                                    - type: boolean
                                                    - items:
                                                        type: string
                                                      maxItems: 100
                                                      type: array
                                                    - items:
                                                        type: number
                                                      maxItems: 100
                                                      type: array
                                                    - additionalProperties: false
                                                      type: object
                                                      properties:
                                                        id:
                                                          type: string
                                                        isSecretRef:
                                                          type: boolean
                                                      required:
                                                        - id
                                                        - isSecretRef
                                                  nullable: true
                                                description: Input/stream level variable. Refer to the integration documentation for more information.
                                                type: object
                                          description: Input streams. Refer to the integration documentation to know which streams are available.
                                          type: object
                                        vars:
                                          additionalProperties:
                                            anyOf:
                                              - type: string
                                              - type: number
                                              - type: boolean
                                              - items:
                                                  type: string
                                                maxItems: 100
                                                type: array
                                              - items:
                                                  type: number
                                                maxItems: 100
                                                type: array
                                              - additionalProperties: false
                                                type: object
                                                properties:
                                                  id:
                                                    type: string
                                                  isSecretRef:
                                                    type: boolean
                                                required:
                                                  - id
                                                  - isSecretRef
                                            nullable: true
                                          description: Input/stream level variable. Refer to the integration documentation for more information.
                                          type: object
                                    description: Package policy inputs. Refer to the integration documentation to know which inputs are available.
                                    type: object
                                    x-oas-optional: true
                                description: Package policy inputs.
                              is_managed:
                                type: boolean
                              name:
                                description: Unique name for the package policy.
                                type: string
                              namespace:
                                description: The package policy namespace. Leave blank to inherit the agent policy's namespace.
                                type: string
                              output_id:
                                nullable: true
                                type: string
                              overrides:
                                additionalProperties: false
                                description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
                                nullable: true
                                type: object
                                properties:
                                  inputs:
                                    additionalProperties:
                                      nullable: true
                                    type: object
                              package:
                                additionalProperties: false
                                type: object
                                properties:
                                  experimental_data_stream_features:
                                    items:
                                      additionalProperties: false
                                      type: object
                                      properties:
                                        data_stream:
                                          type: string
                                        features:
                                          additionalProperties: false
                                          type: object
                                          properties:
                                            doc_value_only_numeric:
                                              type: boolean
                                            doc_value_only_other:
                                              type: boolean
                                            synthetic_source:
                                              type: boolean
                                            tsdb:
                                              type: boolean
                                      required:
                                        - data_stream
                                        - features
                                    maxItems: 100
                                    type: array
                                  fips_compatible:
                                    type: boolean
                                  name:
                                    description: Package name
                                    type: string
                                  requires_root:
                                    type: boolean
                                  title:
                                    type: string
                                  version:
                                    description: Package version
                                    type: string
                                required:
                                  - name
                                  - version
                              package_agent_version_condition:
                                type: string
                              policy_id:
                                deprecated: true
                                description: ID of the agent policy which the package policy will be added to.
                                nullable: true
                                type: string
                              policy_ids:
                                items:
                                  description: IDs of the agent policies that the package policy will be added to.
                                  type: string
                                maxItems: 1000
                                type: array
                              revision:
                                description: Package policy revision.
                                type: number
                              secret_references:
                                items:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    id:
                                      type: string
                                  required:
                                    - id
                                maxItems: 1000
                                type: array
                              spaceIds:
                                items:
                                  type: string
                                maxItems: 100
                                type: array
                              supports_agentless:
                                default: false
                                description: Indicates whether the package policy belongs to an agentless agent policy.
                                nullable: true
                                type: boolean
                              supports_cloud_connector:
                                default: false
                                description: Indicates whether the package policy supports cloud connectors.
                                nullable: true
                                type: boolean
                              updated_at:
                                type: string
                              updated_by:
                                type: string
                              var_group_selections:
                                additionalProperties:
                                  type: string
                                description: Variable group selections. Maps var_group name to the selected option name within that group.
                                type: object
                              vars:
                                anyOf:
                                  - additionalProperties:
                                      additionalProperties: false
                                      type: object
                                      properties:
                                        frozen:
                                          type: boolean
                                        type:
                                          type: string
                                        value:
                                          nullable: true
                                      required:
                                        - value
                                    description: Package variable (see integration documentation for more information)
                                    type: object
                                  - additionalProperties:
                                      anyOf:
                                        - type: string
                                        - type: number
                                        - type: boolean
                                        - items:
                                            type: string
                                          maxItems: 100
                                          type: array
                                        - items:
                                            type: number
                                          maxItems: 100
                                          type: array
                                        - additionalProperties: false
                                          type: object
                                          properties:
                                            id:
                                              type: string
                                            isSecretRef:
                                              type: boolean
                                          required:
                                            - id
                                            - isSecretRef
                                      nullable: true
                                    description: Input/stream level variable. Refer to the integration documentation for more information.
                                    type: object
                                    x-oas-optional: true
                                description: Package level variable.
                              version:
                                description: Package policy ES version.
                                type: string
                            required:
                              - name
                              - enabled
                              - inputs
                              - revision
                              - updated_at
                              - updated_by
                              - created_at
                              - created_by
                          - additionalProperties: true
                            type: object
                            properties:
                              additional_datastreams_permissions:
                                description: Additional datastream permissions that will be added to the agent policy.
                                items:
                                  type: string
                                maxItems: 1000
                                nullable: true
                                type: array
                              cloud_connector_id:
                                description: ID of the cloud connector associated with this package policy.
                                nullable: true
                                type: string
                              cloud_connector_name:
                                description: Transient field for cloud connector name during creation.
                                maxLength: 255
                                minLength: 1
                                nullable: true
                                type: string
                              created_at:
                                type: string
                              created_by:
                                type: string
                              description:
                                description: Package policy description
                                type: string
                              elasticsearch:
                                additionalProperties: true
                                type: object
                                properties:
                                  privileges:
                                    additionalProperties: true
                                    type: object
                                    properties:
                                      cluster:
                                        items:
                                          type: string
                                        maxItems: 100
                                        type: array
                              enabled:
                                type: boolean
                              errors:
                                items:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    key:
                                      type: string
                                    message:
                                      type: string
                                  required:
                                    - message
                                maxItems: 10
                                type: array
                              force:
                                type: boolean
                              global_data_tags:
                                items:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    name:
                                      description: The name of the custom field. Cannot contain spaces.
                                      type: string
                                    value:
                                      anyOf:
                                        - type: string
                                        - type: number
                                      description: The value of the custom field.
                                  required:
                                    - name
                                    - value
                                maxItems: 100
                                nullable: true
                                type: array
                              id:
                                type: string
                              inputs:
                                items:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    compiled_input:
                                      nullable: true
                                    config:
                                      additionalProperties:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          frozen:
                                            type: boolean
                                          type:
                                            type: string
                                          value:
                                            nullable: true
                                        required:
                                          - value
                                      description: Package variable (see integration documentation for more information)
                                      type: object
                                    deprecated:
                                      additionalProperties: false
                                      type: object
                                      properties:
                                        description:
                                          type: string
                                        replaced_by:
                                          additionalProperties:
                                            type: string
                                          type: object
                                        since:
                                          type: string
                                      required:
                                        - description
                                    enabled:
                                      type: boolean
                                    id:
                                      type: string
                                    keep_enabled:
                                      type: boolean
                                    migrate_from:
                                      type: string
                                    name:
                                      type: string
                                    policy_template:
                                      type: string
                                    streams:
                                      items:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          compiled_stream:
                                            nullable: true
                                          config:
                                            additionalProperties:
                                              additionalProperties: false
                                              type: object
                                              properties:
                                                frozen:
                                                  type: boolean
                                                type:
                                                  type: string
                                                value:
                                                  nullable: true
                                              required:
                                                - value
                                            description: Package variable (see integration documentation for more information)
                                            type: object
                                          data_stream:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              dataset:
                                                type: string
                                              elasticsearch:
                                                additionalProperties: false
                                                type: object
                                                properties:
                                                  dynamic_dataset:
                                                    type: boolean
                                                  dynamic_namespace:
                                                    type: boolean
                                                  privileges:
                                                    additionalProperties: false
                                                    type: object
                                                    properties:
                                                      indices:
                                                        items:
                                                          type: string
                                                        maxItems: 100
                                                        type: array
                                              type:
                                                type: string
                                            required:
                                              - dataset
                                          deprecated:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              description:
                                                type: string
                                              replaced_by:
                                                additionalProperties:
                                                  type: string
                                                type: object
                                              since:
                                                type: string
                                            required:
                                              - description
                                          enabled:
                                            type: boolean
                                          id:
                                            type: string
                                          keep_enabled:
                                            type: boolean
                                          migrate_from:
                                            type: string
                                          release:
                                            enum:
                                              - ga
                                              - beta
                                              - experimental
                                            type: string
                                          var_group_selections:
                                            additionalProperties:
                                              type: string
                                            description: Variable group selections. Maps var_group name to the selected option name within that group.
                                            type: object
                                          vars:
                                            additionalProperties:
                                              additionalProperties: false
                                              type: object
                                              properties:
                                                frozen:
                                                  type: boolean
                                                type:
                                                  type: string
                                                value:
                                                  nullable: true
                                              required:
                                                - value
                                            description: Package variable (see integration documentation for more information)
                                            type: object
                                        required:
                                          - enabled
                                          - data_stream
                                          - compiled_stream
                                      maxItems: 1000
                                      type: array
                                    type:
                                      type: string
                                    var_group_selections:
                                      additionalProperties:
                                        type: string
                                      description: Variable group selections. Maps var_group name to the selected option name within that group.
                                      type: object
                                    vars:
                                      additionalProperties:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          frozen:
                                            type: boolean
                                          type:
                                            type: string
                                          value:
                                            nullable: true
                                        required:
                                          - value
                                      description: Package variable (see integration documentation for more information)
                                      type: object
                                  required:
                                    - type
                                    - enabled
                                    - streams
                                    - compiled_input
                                maxItems: 100
                                type: array
                              is_managed:
                                type: boolean
                              missingVars:
                                items:
                                  type: string
                                maxItems: 100
                                type: array
                              name:
                                description: Unique name for the package policy.
                                type: string
                              namespace:
                                description: The package policy namespace. Leave blank to inherit the agent policy's namespace.
                                type: string
                              output_id:
                                nullable: true
                                type: string
                              overrides:
                                additionalProperties: false
                                description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
                                nullable: true
                                type: object
                                properties:
                                  inputs:
                                    additionalProperties:
                                      nullable: true
                                    type: object
                              package:
                                additionalProperties: false
                                type: object
                                properties:
                                  experimental_data_stream_features:
                                    items:
                                      additionalProperties: false
                                      type: object
                                      properties:
                                        data_stream:
                                          type: string
                                        features:
                                          additionalProperties: false
                                          type: object
                                          properties:
                                            doc_value_only_numeric:
                                              type: boolean
                                            doc_value_only_other:
                                              type: boolean
                                            synthetic_source:
                                              type: boolean
                                            tsdb:
                                              type: boolean
                                      required:
                                        - data_stream
                                        - features
                                    maxItems: 100
                                    type: array
                                  fips_compatible:
                                    type: boolean
                                  name:
                                    description: Package name
                                    type: string
                                  requires_root:
                                    type: boolean
                                  title:
                                    type: string
                                  version:
                                    description: Package version
                                    type: string
                                required:
                                  - name
                                  - version
                              package_agent_version_condition:
                                type: string
                              policy_id:
                                deprecated: true
                                description: ID of the agent policy which the package policy will be added to.
                                nullable: true
                                type: string
                              policy_ids:
                                items:
                                  description: IDs of the agent policies that the package policy will be added to.
                                  type: string
                                maxItems: 1000
                                type: array
                              revision:
                                type: number
                              secret_references:
                                items:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    id:
                                      type: string
                                  required:
                                    - id
                                maxItems: 1000
                                type: array
                              supports_agentless:
                                default: false
                                description: Indicates whether the package policy belongs to an agentless agent policy.
                                nullable: true
                                type: boolean
                              supports_cloud_connector:
                                default: false
                                description: Indicates whether the package policy supports cloud connectors.
                                nullable: true
                                type: boolean
                              updated_at:
                                type: string
                              updated_by:
                                type: string
                              var_group_selections:
                                additionalProperties:
                                  type: string
                                description: Variable group selections. Maps var_group name to the selected option name within that group.
                                type: object
                              vars:
                                additionalProperties:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    frozen:
                                      type: boolean
                                    type:
                                      type: string
                                    value:
                                      nullable: true
                                  required:
                                    - value
                                description: Package variable (see integration documentation for more information)
                                type: object
                              version:
                                description: Package policy ES version.
                                type: string
                            required:
                              - name
                              - enabled
                              - inputs
                      maxItems: 2
                      type: array
                    hasErrors:
                      type: boolean
                    name:
                      type: string
                    statusCode:
                      type: number
                  required:
                    - hasErrors
                maxItems: 10000
                type: array
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Dry run a package policy upgrade
      tags:
        - Fleet package policies
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/proxies:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/proxies</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        List all Fleet proxies.<br/><br/>[Required authorization] Route required privileges: fleet-settings-read.
      operationId: get-fleet-proxies
      parameters: []
      responses:
        '200':
          content:
            application/json:
              examples:
                getFleetProxiesExample:
                  description: List of Fleet proxies
                  value:
                    items:
                      - id: proxy-id-1
                        is_preconfigured: false
                        name: My proxy
                        url: http://proxy.example.com:3128
                    page: 1
                    perPage: 20
                    total: 1
              schema:
                additionalProperties: false
                type: object
                properties:
                  items:
                    items:
                      additionalProperties: false
                      type: object
                      properties:
                        certificate:
                          nullable: true
                          type: string
                        certificate_authorities:
                          nullable: true
                          type: string
                        certificate_key:
                          nullable: true
                          type: string
                        id:
                          type: string
                        is_preconfigured:
                          default: false
                          type: boolean
                        name:
                          type: string
                        proxy_headers:
                          additionalProperties:
                            anyOf:
                              - type: string
                              - type: boolean
                              - type: number
                          nullable: true
                          type: object
                        url:
                          type: string
                      required:
                        - id
                        - url
                        - name
                    maxItems: 10000
                    type: array
                  page:
                    type: number
                  perPage:
                    type: number
                  total:
                    type: number
                required:
                  - items
                  - total
                  - page
                  - perPage
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Get proxies
      tags:
        - Fleet proxies
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/proxies</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Create a new Fleet proxy.<br/><br/>[Required authorization] Route required privileges: fleet-settings-all.
      operationId: post-fleet-proxies
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            examples:
              postFleetProxyRequestExample:
                description: Create a new Fleet proxy
                value:
                  name: My proxy
                  url: http://proxy.example.com:3128
            schema:
              additionalProperties: false
              type: object
              properties:
                certificate:
                  nullable: true
                  type: string
                certificate_authorities:
                  nullable: true
                  type: string
                certificate_key:
                  nullable: true
                  type: string
                id:
                  type: string
                is_preconfigured:
                  default: false
                  type: boolean
                name:
                  type: string
                proxy_headers:
                  additionalProperties:
                    anyOf:
                      - type: string
                      - type: boolean
                      - type: number
                  nullable: true
                  type: object
                url:
                  type: string
              required:
                - url
                - name
      responses:
        '200':
          content:
            application/json:
              examples:
                postFleetProxyExample:
                  description: The created Fleet proxy
                  value:
                    item:
                      id: proxy-id-2
                      is_preconfigured: false
                      name: My proxy
                      url: http://proxy.example.com:3128
              schema:
                additionalProperties: false
                type: object
                properties:
                  item:
                    additionalProperties: false
                    type: object
                    properties:
                      certificate:
                        nullable: true
                        type: string
                      certificate_authorities:
                        nullable: true
                        type: string
                      certificate_key:
                        nullable: true
                        type: string
                      id:
                        type: string
                      is_preconfigured:
                        default: false
                        type: boolean
                      name:
                        type: string
                      proxy_headers:
                        additionalProperties:
                          anyOf:
                            - type: string
                            - type: boolean
                            - type: number
                        nullable: true
                        type: object
                      url:
                        type: string
                    required:
                      - id
                      - url
                      - name
                required:
                  - item
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Create a proxy
      tags:
        - Fleet proxies
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/proxies/{itemId}:
    delete:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/proxies/{itemId}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Delete a proxy by ID.<br/><br/>[Required authorization] Route required privileges: fleet-settings-all.
      operationId: delete-fleet-proxies-itemid
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The ID of the proxy
          in: path
          name: itemId
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                deleteFleetProxyExample:
                  description: The Fleet proxy was successfully deleted
                  value:
                    id: proxy-id-1
              schema:
                additionalProperties: false
                type: object
                properties:
                  id:
                    type: string
                required:
                  - id
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
        '404':
          content:
            application/json:
              examples:
                notFoundExample:
                  description: No proxy was found with the given ID
                  value:
                    error: Not Found
                    message: Fleet proxy proxy-id-1 not found
                    statusCode: 404
          description: Not Found
      summary: Delete a proxy
      tags:
        - Fleet proxies
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/proxies/{itemId}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get a proxy by ID.<br/><br/>[Required authorization] Route required privileges: fleet-settings-read.
      operationId: get-fleet-proxies-itemid
      parameters:
        - description: The ID of the proxy
          in: path
          name: itemId
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                getFleetProxyExample:
                  description: A Fleet proxy
                  value:
                    item:
                      id: proxy-id-1
                      is_preconfigured: false
                      name: My proxy
                      url: http://proxy.example.com:3128
              schema:
                additionalProperties: false
                type: object
                properties:
                  item:
                    additionalProperties: false
                    type: object
                    properties:
                      certificate:
                        nullable: true
                        type: string
                      certificate_authorities:
                        nullable: true
                        type: string
                      certificate_key:
                        nullable: true
                        type: string
                      id:
                        type: string
                      is_preconfigured:
                        default: false
                        type: boolean
                      name:
                        type: string
                      proxy_headers:
                        additionalProperties:
                          anyOf:
                            - type: string
                            - type: boolean
                            - type: number
                        nullable: true
                        type: object
                      url:
                        type: string
                    required:
                      - id
                      - url
                      - name
                required:
                  - item
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
        '404':
          content:
            application/json:
              examples:
                notFoundExample:
                  description: No proxy was found with the given ID
                  value:
                    error: Not Found
                    message: Fleet proxy proxy-id-1 not found
                    statusCode: 404
          description: Not Found
      summary: Get a proxy
      tags:
        - Fleet proxies
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    put:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb put">put</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/proxies/{itemId}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Update a proxy by ID.<br/><br/>[Required authorization] Route required privileges: fleet-settings-all.
      operationId: put-fleet-proxies-itemid
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The ID of the proxy
          in: path
          name: itemId
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            examples:
              putFleetProxyRequestExample:
                description: Update a Fleet proxy
                value:
                  name: Updated proxy
                  url: http://updated-proxy.example.com:3128
            schema:
              additionalProperties: false
              type: object
              properties:
                certificate:
                  nullable: true
                  type: string
                certificate_authorities:
                  nullable: true
                  type: string
                certificate_key:
                  nullable: true
                  type: string
                name:
                  type: string
                proxy_headers:
                  additionalProperties:
                    anyOf:
                      - type: string
                      - type: boolean
                      - type: number
                  nullable: true
                  type: object
                url:
                  type: string
              required:
                - certificate_authorities
                - certificate
                - certificate_key
      responses:
        '200':
          content:
            application/json:
              examples:
                putFleetProxyExample:
                  description: The updated Fleet proxy
                  value:
                    item:
                      id: proxy-id-1
                      is_preconfigured: false
                      name: Updated proxy
                      url: http://updated-proxy.example.com:3128
              schema:
                additionalProperties: false
                type: object
                properties:
                  item:
                    additionalProperties: false
                    type: object
                    properties:
                      certificate:
                        nullable: true
                        type: string
                      certificate_authorities:
                        nullable: true
                        type: string
                      certificate_key:
                        nullable: true
                        type: string
                      id:
                        type: string
                      is_preconfigured:
                        default: false
                        type: boolean
                      name:
                        type: string
                      proxy_headers:
                        additionalProperties:
                          anyOf:
                            - type: string
                            - type: boolean
                            - type: number
                        nullable: true
                        type: object
                      url:
                        type: string
                    required:
                      - id
                      - url
                      - name
                required:
                  - item
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
        '404':
          content:
            application/json:
              examples:
                notFoundExample:
                  description: No proxy was found with the given ID
                  value:
                    error: Not Found
                    message: Proxy proxy-id-1 not found
                    statusCode: 404
          description: Not Found
      summary: Update a proxy
      tags:
        - Fleet proxies
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/service_tokens:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/service_tokens</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Create a Fleet Server service token. The token is used to enroll Fleet Server instances with Kibana.<br/><br/>[Required authorization] Route required privileges: fleet-agents-all.
      operationId: post-fleet-service-tokens
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            examples:
              postGenerateServiceTokenRequestExample:
                description: Generate a service token for a remote Fleet Server
                value:
                  remote: true
            schema:
              additionalProperties: false
              nullable: true
              type: object
              properties:
                remote:
                  default: false
                  type: boolean
      responses:
        '200':
          content:
            application/json:
              examples:
                postGenerateServiceTokenExample:
                  description: The generated Fleet Server service token
                  value:
                    name: elastic/fleet-server/token-1234567890
                    value: AAEAAWVsYXN0aWMvZmxlZXQtc2VydmVyL3Rva2VuLTEyMzQ1Njc4OTA6QUJDREVGR0hJSktMTU5P
              schema:
                additionalProperties: false
                type: object
                properties:
                  name:
                    type: string
                  value:
                    type: string
                required:
                  - name
                  - value
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Create a service token
      tags:
        - Fleet service tokens
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/settings:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/settings</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get the global Fleet settings.<br/><br/>[Required authorization] Route required privileges: fleet-settings-read.
      operationId: get-fleet-settings
      parameters: []
      responses:
        '200':
          content:
            application/json:
              examples:
                getSettingsExample:
                  description: The current Fleet settings
                  value:
                    item:
                      delete_unenrolled_agents:
                        enabled: false
                        is_preconfigured: false
                      has_seen_add_data_notice: true
                      id: fleet-default-settings
                      output_secret_storage_requirements_met: true
                      prerelease_integrations_enabled: false
                      secret_storage_requirements_met: true
                      version: WzEsMV0=
              schema:
                additionalProperties: false
                type: object
                properties:
                  item:
                    additionalProperties: false
                    type: object
                    properties:
                      action_secret_storage_requirements_met:
                        type: boolean
                      delete_unenrolled_agents:
                        additionalProperties: false
                        type: object
                        properties:
                          enabled:
                            type: boolean
                          is_preconfigured:
                            type: boolean
                        required:
                          - enabled
                          - is_preconfigured
                      download_source_auth_secret_storage_requirements_met:
                        type: boolean
                      has_seen_add_data_notice:
                        type: boolean
                      id:
                        type: string
                      ilm_migration_status:
                        additionalProperties: false
                        type: object
                        properties:
                          logs:
                            enum:
                              - success
                            nullable: true
                            type: string
                          metrics:
                            enum:
                              - success
                            nullable: true
                            type: string
                          synthetics:
                            enum:
                              - success
                            nullable: true
                            type: string
                      integration_knowledge_enabled:
                        type: boolean
                      output_secret_storage_requirements_met:
                        type: boolean
                      preconfigured_fields:
                        items:
                          enum:
                            - fleet_server_hosts
                          type: string
                        maxItems: 1
                        type: array
                      prerelease_integrations_enabled:
                        type: boolean
                      secret_storage_requirements_met:
                        type: boolean
                      ssl_secret_storage_requirements_met:
                        type: boolean
                      use_space_awareness_migration_started_at:
                        nullable: true
                        type: string
                      use_space_awareness_migration_status:
                        enum:
                          - pending
                          - success
                          - error
                        type: string
                      version:
                        type: string
                required:
                  - item
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
        '404':
          content:
            application/json:
              examples:
                notFoundExample:
                  description: Fleet settings have not been initialized
                  value:
                    error: Not Found
                    message: Settings not found
                    statusCode: 404
              schema:
                additionalProperties: false
                type: object
                properties:
                  message:
                    type: string
                required:
                  - message
          description: Not Found
      summary: Get settings
      tags:
        - Fleet internals
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    put:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb put">put</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/settings</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Update the global Fleet settings.<br/><br/>[Required authorization] Route required privileges: fleet-settings-all.
      operationId: put-fleet-settings
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            examples:
              putSettingsRequestExample:
                description: Update Fleet settings to enable pre-release integrations
                value:
                  prerelease_integrations_enabled: true
            schema:
              additionalProperties: false
              type: object
              properties:
                additional_yaml_config:
                  deprecated: true
                  type: string
                delete_unenrolled_agents:
                  additionalProperties: false
                  type: object
                  properties:
                    enabled:
                      type: boolean
                    is_preconfigured:
                      type: boolean
                  required:
                    - enabled
                    - is_preconfigured
                has_seen_add_data_notice:
                  deprecated: true
                  type: boolean
                integration_knowledge_enabled:
                  type: boolean
                kibana_ca_sha256:
                  deprecated: true
                  type: string
                kibana_urls:
                  deprecated: true
                  items:
                    format: uri
                    type: string
                  maxItems: 10
                  type: array
                prerelease_integrations_enabled:
                  type: boolean
      responses:
        '200':
          content:
            application/json:
              examples:
                putSettingsExample:
                  description: The updated Fleet settings
                  value:
                    item:
                      delete_unenrolled_agents:
                        enabled: false
                        is_preconfigured: false
                      has_seen_add_data_notice: true
                      id: fleet-default-settings
                      output_secret_storage_requirements_met: true
                      prerelease_integrations_enabled: true
                      secret_storage_requirements_met: true
                      version: WzIsMV0=
              schema:
                additionalProperties: false
                type: object
                properties:
                  item:
                    additionalProperties: false
                    type: object
                    properties:
                      action_secret_storage_requirements_met:
                        type: boolean
                      delete_unenrolled_agents:
                        additionalProperties: false
                        type: object
                        properties:
                          enabled:
                            type: boolean
                          is_preconfigured:
                            type: boolean
                        required:
                          - enabled
                          - is_preconfigured
                      download_source_auth_secret_storage_requirements_met:
                        type: boolean
                      has_seen_add_data_notice:
                        type: boolean
                      id:
                        type: string
                      ilm_migration_status:
                        additionalProperties: false
                        type: object
                        properties:
                          logs:
                            enum:
                              - success
                            nullable: true
                            type: string
                          metrics:
                            enum:
                              - success
                            nullable: true
                            type: string
                          synthetics:
                            enum:
                              - success
                            nullable: true
                            type: string
                      integration_knowledge_enabled:
                        type: boolean
                      output_secret_storage_requirements_met:
                        type: boolean
                      preconfigured_fields:
                        items:
                          enum:
                            - fleet_server_hosts
                          type: string
                        maxItems: 1
                        type: array
                      prerelease_integrations_enabled:
                        type: boolean
                      secret_storage_requirements_met:
                        type: boolean
                      ssl_secret_storage_requirements_met:
                        type: boolean
                      use_space_awareness_migration_started_at:
                        nullable: true
                        type: string
                      use_space_awareness_migration_status:
                        enum:
                          - pending
                          - success
                          - error
                        type: string
                      version:
                        type: string
                required:
                  - item
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
        '404':
          content:
            application/json:
              examples:
                notFoundExample:
                  description: Fleet settings have not been initialized
                  value:
                    error: Not Found
                    message: Settings not found
                    statusCode: 404
              schema:
                additionalProperties: false
                type: object
                properties:
                  message:
                    type: string
                required:
                  - message
          description: Not Found
      summary: Update settings
      tags:
        - Fleet internals
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/setup:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/setup</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Initialize Fleet and create the necessary Elasticsearch resources for Fleet to operate. Safe to call multiple times (idempotent). Returns the initialization status and any non-fatal errors encountered during setup.<br/><br/>[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup.
      operationId: post-fleet-setup
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                fleetSetupSuccessExample:
                  description: Fleet initialized successfully with no non-fatal errors
                  value:
                    isInitialized: true
                    nonFatalErrors: []
                fleetSetupWithNonFatalErrorsExample:
                  description: Fleet initialized but encountered non-fatal errors during setup
                  value:
                    isInitialized: true
                    nonFatalErrors:
                      - message: Package fleet_server not found in registry
                        name: PackageNotFoundError
              schema:
                additionalProperties: false
                description: A summary of the result of Fleet's `setup` lifecycle. If `isInitialized` is true, Fleet is ready to accept agent enrollment. `nonFatalErrors` may include useful insight into non-blocking issues with Fleet setup.
                type: object
                properties:
                  isInitialized:
                    type: boolean
                  nonFatalErrors:
                    items:
                      additionalProperties: false
                      type: object
                      properties:
                        message:
                          type: string
                        name:
                          type: string
                      required:
                        - name
                        - message
                    maxItems: 10000
                    type: array
                required:
                  - isInitialized
                  - nonFatalErrors
          description: Fleet setup completed
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
        '500':
          content:
            application/json:
              examples:
                internalErrorResponseExample:
                  description: Example of an internal server error response
                  value:
                    error: Internal Server Error
                    message: An error message describing what went wrong
                    statusCode: 500
              schema:
                additionalProperties: false
                description: Internal Server Error
                type: object
                properties:
                  message:
                    type: string
                required:
                  - message
          description: Internal Server Error
      summary: Initiate Fleet setup
      tags:
        - Fleet internals
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/space_settings:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/space_settings</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get the Fleet settings for the current Kibana space.
      operationId: get-fleet-space-settings
      parameters: []
      responses:
        '200':
          content:
            application/json:
              examples:
                getSpaceSettingsExample:
                  description: The Fleet settings for the current Kibana space
                  value:
                    item:
                      allowed_namespace_prefixes:
                        - team-a
                        - team-b
              schema:
                additionalProperties: false
                type: object
                properties:
                  item:
                    additionalProperties: false
                    type: object
                    properties:
                      allowed_namespace_prefixes:
                        items:
                          type: string
                        maxItems: 100
                        type: array
                      managed_by:
                        type: string
                    required:
                      - allowed_namespace_prefixes
                required:
                  - item
          description: Successful response
      summary: Get space settings
      tags: []
      x-state: Generally available
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    put:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb put">put</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/space_settings</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Create or update Fleet settings for the current Kibana space.<br/><br/>[Required authorization] Route required privileges: fleet-settings-all.
      operationId: put-fleet-space-settings
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            examples:
              putSpaceSettingsRequestExample:
                description: Update allowed namespace prefixes for the current Kibana space
                value:
                  allowed_namespace_prefixes:
                    - team-a
                    - team-b
            schema:
              additionalProperties: false
              type: object
              properties:
                allowed_namespace_prefixes:
                  items:
                    type: string
                  maxItems: 10
                  type: array
      responses:
        '200':
          content:
            application/json:
              examples:
                putSpaceSettingsExample:
                  description: The updated Fleet settings for the current Kibana space
                  value:
                    item:
                      allowed_namespace_prefixes:
                        - team-a
                        - team-b
              schema:
                additionalProperties: false
                type: object
                properties:
                  item:
                    additionalProperties: false
                    type: object
                    properties:
                      allowed_namespace_prefixes:
                        items:
                          type: string
                        maxItems: 100
                        type: array
                      managed_by:
                        type: string
                    required:
                      - allowed_namespace_prefixes
                required:
                  - item
          description: Successful response
      summary: Create or update space settings
      tags: []
      x-state: Generally available
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/uninstall_tokens:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/uninstall_tokens</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        List the metadata for the latest uninstall tokens per agent policy.<br/><br/>[Required authorization] Route required privileges: fleet-agents-all.
      operationId: get-fleet-uninstall-tokens
      parameters:
        - description: Partial match filtering for policy IDs. Cannot be used together with `search`.
          in: query
          name: policyId
          required: false
          schema:
            maxLength: 50
            type: string
        - description: Partial match filtering for uninstall token values. Cannot be used together with `policyId`.
          in: query
          name: search
          required: false
          schema:
            maxLength: 50
            type: string
        - description: The number of items to return
          in: query
          name: perPage
          required: false
          schema:
            minimum: 5
            type: number
        - description: Page number
          in: query
          name: page
          required: false
          schema:
            minimum: 1
            type: number
      responses:
        '200':
          content:
            application/json:
              examples:
                getUninstallTokensExample:
                  description: List of uninstall token metadata for agent policies
                  value:
                    items:
                      - created_at: '2024-01-01T00:00:00.000Z'
                        id: token-id-1
                        namespaces:
                          - default
                        policy_id: policy-id-1
                        policy_name: Default policy
                      - created_at: '2024-01-02T00:00:00.000Z'
                        id: token-id-2
                        namespaces:
                          - production
                        policy_id: policy-id-2
                        policy_name: Production policy
                    page: 1
                    perPage: 20
                    total: 2
              schema:
                additionalProperties: false
                type: object
                properties:
                  items:
                    items:
                      additionalProperties: false
                      type: object
                      properties:
                        created_at:
                          type: string
                        id:
                          type: string
                        namespaces:
                          items:
                            type: string
                          maxItems: 100
                          type: array
                        policy_id:
                          type: string
                        policy_name:
                          nullable: true
                          type: string
                      required:
                        - id
                        - policy_id
                        - created_at
                    maxItems: 10000
                    type: array
                  page:
                    type: number
                  perPage:
                    type: number
                  total:
                    type: number
                required:
                  - items
                  - total
                  - page
                  - perPage
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                conflictingQueryParamsExample:
                  description: Both policyId and search query parameters were provided
                  value:
                    error: Bad Request
                    message: Query parameters `policyId` and `search` cannot be used at the same time.
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
      summary: Get metadata for latest uninstall tokens
      tags:
        - Fleet uninstall tokens
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/fleet/uninstall_tokens/{uninstallTokenId}:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/fleet/uninstall_tokens/{uninstallTokenId}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get one decrypted uninstall token by its ID.<br/><br/>[Required authorization] Route required privileges: fleet-agents-all.
      operationId: get-fleet-uninstall-tokens-uninstalltokenid
      parameters:
        - description: The ID of the uninstall token
          in: path
          name: uninstallTokenId
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                getUninstallTokenExample:
                  description: Decrypted uninstall token for an agent policy
                  value:
                    item:
                      created_at: '2024-01-01T00:00:00.000Z'
                      id: token-id-1
                      namespaces:
                        - default
                      policy_id: policy-id-1
                      policy_name: Default policy
                      token: CKHJsJcBqNwIRcRBNDaE
              schema:
                additionalProperties: false
                type: object
                properties:
                  item:
                    additionalProperties: false
                    type: object
                    properties:
                      created_at:
                        type: string
                      id:
                        type: string
                      namespaces:
                        items:
                          type: string
                        maxItems: 100
                        type: array
                      policy_id:
                        type: string
                      policy_name:
                        nullable: true
                        type: string
                      token:
                        type: string
                    required:
                      - id
                      - policy_id
                      - created_at
                      - token
                required:
                  - item
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                genericErrorResponseExample:
                  description: Example of a generic error response
                  value:
                    error: Bad Request
                    message: An error message describing what went wrong
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Generic Error
                type: object
                properties:
                  attributes:
                    nullable: true
                  error:
                    type: string
                  errorType:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
                required:
                  - message
                  - attributes
          description: Bad Request
        '404':
          content:
            application/json:
              examples:
                notFoundExample:
                  description: No uninstall token was found with the given ID
                  value:
                    error: Not Found
                    message: Uninstall Token not found with ID token-id-1
                    statusCode: 404
          description: Not Found
      summary: Get a decrypted uninstall token
      tags:
        - Fleet uninstall tokens
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/lists:
    delete:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/lists</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Delete a value list using the list ID.
        > info
        > When you delete a list, all of its list items are also deleted.
      operationId: DeleteList
      parameters:
        - description: Value list identifier to delete, including all of its list items.
          in: query
          name: id
          required: true
          schema:
            $ref: '#/components/schemas/Security_Lists_API_ListId'
        - description: Determines whether exception items referencing this value list should be deleted.
          in: query
          name: deleteReferences
          required: false
          schema:
            default: false
            example: false
            type: boolean
        - description: Determines whether to delete the value list without performing any additional checks of where this list may be used.
          in: query
          name: ignoreReferences
          required: false
          schema:
            default: false
            example: false
            type: boolean
      responses:
        '200':
          content:
            application/json:
              examples:
                ipList:
                  value:
                    _version: WzIsMV0=
                    '@timestamp': '2025-01-08T04:47:34.273Z'
                    created_at: '2025-01-08T04:47:34.273Z'
                    created_by: elastic
                    description: List of bad internet ips.
                    id: 21b01cfb-058d-44b9-838c-282be16c91cd
                    immutable: false
                    name: Bad ips
                    tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899
                    type: ip
                    updated_at: '2025-01-08T05:39:39.292Z'
                    updated_by: elastic
                    version: 3
              schema:
                $ref: '#/components/schemas/Security_Lists_API_List'
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                badRequest:
                  value:
                    error: Bad Request
                    message: '[request query]: id: Required'
                    statusCode: 400
              schema:
                oneOf:
                  - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
                  - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
          description: Invalid input data response
        '401':
          content:
            application/json:
              examples:
                unauthorized:
                  value:
                    error: Unauthorized
                    message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]"
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
          description: Unsuccessful authentication response
        '403':
          content:
            application/json:
              examples:
                forbidden:
                  value:
                    error: Forbidden
                    message: API [DELETE /api/lists?id=ip_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]
                    statusCode: 403
              schema:
                $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
          description: Not enough privileges response
        '404':
          content:
            application/json:
              examples:
                notFound:
                  value:
                    message: 'list id: "ip_list" was not found'
                    status_code: 404
              schema:
                $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
          description: List not found response
        '500':
          content:
            application/json:
              examples:
                serverError:
                  value:
                    message: Internal Server Error
                    status_code: 500
              schema:
                $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
          description: Internal server error response
      summary: Delete a value list
      tags:
        - Security Lists API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/lists</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get the details of a value list using the list ID.
      operationId: ReadList
      parameters:
        - description: Value list identifier (`id`) returned when the list was created.
          in: query
          name: id
          required: true
          schema:
            $ref: '#/components/schemas/Security_Lists_API_ListId'
      responses:
        '200':
          content:
            application/json:
              examples:
                ip:
                  value:
                    _version: WzEsMV0=
                    '@timestamp': '2025-01-08T04:47:34.273Z'
                    created_at: '2025-01-08T04:47:34.273Z'
                    created_by: elastic
                    description: This list describes bad internet ip
                    id: ip_list
                    immutable: false
                    name: My bad ips
                    tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899
                    type: ip
                    updated_at: '2025-01-08T05:21:53.843Z'
                    updated_by: elastic
                    version: 1
              schema:
                $ref: '#/components/schemas/Security_Lists_API_List'
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                badRequest:
                  value:
                    error: Bad Request
                    message: '[request query]: id: Required'
                    statusCode: 400
              schema:
                oneOf:
                  - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
                  - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
          description: Invalid input data response
        '401':
          content:
            application/json:
              examples:
                unauthorized:
                  value:
                    error: Unauthorized
                    message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]"
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
          description: Unsuccessful authentication response
        '403':
          content:
            application/json:
              examples:
                forbidden:
                  value:
                    error: Forbidden
                    message: API [GET /api/lists?id=ip_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]
                    statusCode: 403
              schema:
                $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
          description: Not enough privileges response
        '404':
          content:
            application/json:
              examples:
                notFound:
                  value:
                    message: 'list id: "foo" not found'
                    status_code: 404
              schema:
                $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
          description: List not found response
        '500':
          content:
            application/json:
              examples:
                serverError:
                  value:
                    message: Internal Server Error
                    status_code: 500
              schema:
                $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
          description: Internal server error response
      summary: Get value list details
      tags:
        - Security Lists API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    patch:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb patch">patch</span>&nbsp;<span class="operation-path">/s/{space_id}/api/lists</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Update specific fields of an existing list using the list `id`.
      operationId: PatchList
      requestBody:
        content:
          application/json:
            examples:
              patchName:
                value:
                  id: ip_list
                  name: Bad ips list - UPDATED
            schema:
              example:
                id: ip_list
                name: Bad ips list - UPDATED
              type: object
              properties:
                _version:
                  $ref: '#/components/schemas/Security_Lists_API_ListVersionId'
                description:
                  $ref: '#/components/schemas/Security_Lists_API_ListDescription'
                id:
                  $ref: '#/components/schemas/Security_Lists_API_ListId'
                meta:
                  $ref: '#/components/schemas/Security_Lists_API_ListMetadata'
                name:
                  $ref: '#/components/schemas/Security_Lists_API_ListName'
                version:
                  $ref: '#/components/schemas/Security_Lists_API_ListVersion'
              required:
                - id
        description: Value list's properties
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                ip:
                  value:
                    _version: WzEsMV0=
                    '@timestamp': '2025-01-08T04:47:34.273Z'
                    created_at: '2025-01-08T04:47:34.273Z'
                    created_by: elastic
                    description: This list describes bad internet ips
                    id: ip_list
                    immutable: false
                    name: Bad ips list - UPDATED
                    tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899
                    type: ip
                    updated_at: '2025-01-08T05:21:53.843Z'
                    updated_by: elastic
                    version: 2
              schema:
                $ref: '#/components/schemas/Security_Lists_API_List'
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                badRequest:
                  value:
                    error: Bad Request
                    message: '[request body]: name: Expected string, received number'
                    statusCode: 400
              schema:
                oneOf:
                  - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
                  - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
          description: Invalid input data response
        '401':
          content:
            application/json:
              examples:
                unauthorized:
                  value:
                    error: Unauthorized
                    message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]"
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
          description: Unsuccessful authentication response
        '403':
          content:
            application/json:
              examples:
                forbidden:
                  value:
                    error: Forbidden
                    message: API [PATCH /api/lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]
                    statusCode: 403
              schema:
                $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
          description: Not enough privileges response
        '404':
          content:
            application/json:
              examples:
                notFound:
                  value:
                    message: 'list id: "foo" not found'
                    status_code: 404
              schema:
                $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
          description: List not found response
        '500':
          content:
            application/json:
              examples:
                serverError:
                  value:
                    message: Internal Server Error
                    status_code: 500
              schema:
                $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
          description: Internal server error response
      summary: Patch a value list
      tags:
        - Security Lists API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/lists</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Create a new value list.
      operationId: CreateList
      requestBody:
        content:
          application/json:
            examples:
              ip:
                value:
                  description: This list describes bad internet ips
                  id: ip_list
                  name: Simple list with ips
                  type: ip
              ip_range:
                value:
                  description: This list has ip ranges
                  id: ip_range_list
                  name: Simple list with ip ranges
                  type: ip_range
              keyword:
                value:
                  description: This list describes bad host names
                  id: keyword_list
                  name: Simple list with a keyword
                  type: keyword
              keyword_custom_format:
                value:
                  description: This parses the first found ipv4 only
                  id: keyword_custom_format_list
                  name: Simple list with a keyword using a custom format
                  type: keyword
            schema:
              type: object
              properties:
                description:
                  $ref: '#/components/schemas/Security_Lists_API_ListDescription'
                id:
                  $ref: '#/components/schemas/Security_Lists_API_ListId'
                meta:
                  $ref: '#/components/schemas/Security_Lists_API_ListMetadata'
                name:
                  $ref: '#/components/schemas/Security_Lists_API_ListName'
                type:
                  $ref: '#/components/schemas/Security_Lists_API_ListType'
                version:
                  default: 1
                  minimum: 1
                  type: integer
              required:
                - name
                - description
                - type
        description: Value list's properties
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                ip:
                  value:
                    _version: WzAsMV0=
                    '@timestamp': '2025-01-08T04:47:34.273Z'
                    created_at: '2025-01-08T04:47:34.273Z'
                    created_by: elastic
                    description: This list describes bad internet ips
                    id: ip_list
                    immutable: false
                    name: Simple list with ips
                    tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899
                    type: ip
                    updated_at: '2025-01-08T04:47:34.273Z'
                    updated_by: elastic
                    version: 1
                ip_range:
                  value:
                    _version: WzAsMV0=
                    '@timestamp': '2025-01-09T18:23:52.241Z'
                    created_at: '2025-01-09T18:23:52.241Z'
                    created_by: elastic
                    description: This list has ip ranges
                    id: ip_range_list
                    immutable: false
                    name: Simple list with ip ranges
                    tie_breaker_id: 74aebdaf-601f-4940-b351-155728ff7003
                    type: ip_range
                    updated_at: '2025-01-09T18:23:52.241Z'
                    updated_by: elastic
                    version: 1
                keyword:
                  value:
                    _version: WzEsMV0=
                    '@timestamp': '2025-01-09T18:24:55.786Z'
                    created_at: '2025-01-09T18:24:55.786Z'
                    created_by: elastic
                    description: This list describes bad host names
                    id: keyword_list
                    immutable: false
                    name: Simple list with a keyword
                    tie_breaker_id: f7e7dbaa-daf7-4c9a-a3dc-56643923ef68
                    type: keyword
                    updated_at: '2025-01-09T18:24:55.786Z'
                    updated_by: elastic
                    version: 1
                keyword_custom_format:
                  value:
                    _version: WzIsMV0=
                    '@timestamp': '2025-01-09T18:25:39.604Z'
                    created_at: '2025-01-09T18:25:39.604Z'
                    created_by: elastic
                    description: This parses the first found ipv4 only
                    id: keyword_custom_format_list
                    immutable: false
                    name: Simple list with a keyword using a custom format
                    tie_breaker_id: 8247ae63-b780-47b8-9a89-948b643e9ec2
                    type: keyword
                    updated_at: '2025-01-09T18:25:39.604Z'
                    updated_by: elastic
                    version: 1
              schema:
                $ref: '#/components/schemas/Security_Lists_API_List'
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                notFound:
                  value:
                    message: 'To create a list, the data stream must exist first. Data stream ".lists-default" does not exist'
                    status_code: 400
              schema:
                oneOf:
                  - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
                  - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
          description: Invalid input data response
        '401':
          content:
            application/json:
              examples:
                unauthorized:
                  value:
                    error: Unauthorized
                    message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]"
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
          description: Unsuccessful authentication response
        '403':
          content:
            application/json:
              examples:
                forbidden:
                  value:
                    error: Forbidden
                    message: API [POST /api/lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]
                    statusCode: 403
              schema:
                $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
          description: Not enough privileges response
        '409':
          content:
            application/json:
              examples:
                alreadyExists:
                  value:
                    message: 'list id: "keyword_custom_format_list" already exists'
                    status_code: 409
              schema:
                $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
          description: List already exists response
        '500':
          content:
            application/json:
              examples:
                serverError:
                  value:
                    message: Internal Server Error
                    status_code: 500
              schema:
                $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
          description: Internal server error response
      summary: Create a value list
      tags:
        - Security Lists API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    put:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb put">put</span>&nbsp;<span class="operation-path">/s/{space_id}/api/lists</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Update a value list using the list `id`. The original list is replaced, and all unspecified fields are deleted.
        > info
        > You cannot modify the `id` value.
      operationId: UpdateList
      requestBody:
        content:
          application/json:
            examples:
              replaceList:
                value:
                  description: Latest list of bad ips
                  id: ip_list
                  name: Bad ips - updated
            schema:
              example:
                description: Latest list of bad ips
                id: ip_list
                name: Bad ips - updated
              type: object
              properties:
                _version:
                  $ref: '#/components/schemas/Security_Lists_API_ListVersionId'
                description:
                  $ref: '#/components/schemas/Security_Lists_API_ListDescription'
                id:
                  $ref: '#/components/schemas/Security_Lists_API_ListId'
                meta:
                  $ref: '#/components/schemas/Security_Lists_API_ListMetadata'
                name:
                  $ref: '#/components/schemas/Security_Lists_API_ListName'
                version:
                  $ref: '#/components/schemas/Security_Lists_API_ListVersion'
              required:
                - id
                - name
                - description
        description: Value list's properties
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                ip:
                  value:
                    _version: WzIsMV0=
                    '@timestamp': '2025-01-08T04:47:34.273Z'
                    created_at: '2025-01-08T04:47:34.273Z'
                    created_by: elastic
                    description: Latest list of bad ips
                    id: ip_list
                    immutable: false
                    name: Bad ips - updated
                    tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899
                    type: ip
                    updated_at: '2025-01-08T05:39:39.292Z'
                    updated_by: elastic
                    version: 3
              schema:
                $ref: '#/components/schemas/Security_Lists_API_List'
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                badRequest:
                  value:
                    error: Bad Request
                    message: '[request body]: id: Expected string, received number'
                    statusCode: 400
              schema:
                oneOf:
                  - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
                  - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
          description: Invalid input data response
        '401':
          content:
            application/json:
              examples:
                unauthorized:
                  value:
                    error: Unauthorized
                    message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]"
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
          description: Unsuccessful authentication response
        '403':
          content:
            application/json:
              examples:
                forbidden:
                  value:
                    error: Forbidden
                    message: API [PUT /api/lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]
                    statusCode: 403
              schema:
                $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
          description: Not enough privileges response
        '404':
          content:
            application/json:
              examples:
                notFound:
                  value:
                    message: 'list id: "foo" not found'
                    status_code: 404
              schema:
                $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
          description: List not found response
        '500':
          content:
            application/json:
              examples:
                serverError:
                  value:
                    message: Internal Server Error
                    status_code: 500
              schema:
                $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
          description: Internal server error response
      summary: Update a value list
      tags:
        - Security Lists API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/lists/_find:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/lists/_find</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get a paginated subset of value lists. By default, the first page is returned, with 20 results per page.
      operationId: FindLists
      parameters:
        - description: The page number to return.
          in: query
          name: page
          required: false
          schema:
            example: 1
            type: integer
        - description: The number of value lists to return per page.
          in: query
          name: per_page
          required: false
          schema:
            example: 20
            type: integer
        - description: Determines which field is used to sort the results.
          in: query
          name: sort_field
          required: false
          schema:
            example: name
            format: nonempty
            minLength: 1
            type: string
        - description: Determines the sort order, which can be `desc` or `asc`.
          in: query
          name: sort_order
          required: false
          schema:
            enum:
              - desc
              - asc
            example: asc
            type: string
        - description: Returns the lists that come after the last lists returned in the previous call (use the `cursor` value returned in the previous call). This parameter uses the `tie_breaker_id` field to ensure all lists are sorted and returned correctly.
          in: query
          name: cursor
          required: false
          schema:
            $ref: '#/components/schemas/Security_Lists_API_FindListsCursor'
        - description: |
            Filters the returned results according to the value of the specified field,
            using the `<field name>:<field value>` syntax.
          in: query
          name: filter
          required: false
          schema:
            $ref: '#/components/schemas/Security_Lists_API_FindListsFilter'
      responses:
        '200':
          content:
            application/json:
              examples:
                ipList:
                  value:
                    cursor: WzIwLFsiZjU1MDgxODgtYjFlOS00ZTZlLTk2NjItZDAzOWE3ZDg5ODk5Il1d
                    data:
                      - _version: WzAsMV0=
                        '@timestamp': '2025-01-08T04:47:34.273Z'
                        created_at: '2025-01-08T04:47:34.273Z'
                        created_by: elastic
                        description: This list describes bad internet ip
                        id: ip_list
                        immutable: false
                        name: Simple list with an ip
                        tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899
                        type: ip
                        updated_at: '2025-01-08T04:47:34.273Z'
                        updated_by: elastic
                        version: 1
                    page: 1
                    per_page: 20
                    total: 1
              schema:
                type: object
                properties:
                  cursor:
                    $ref: '#/components/schemas/Security_Lists_API_FindListsCursor'
                  data:
                    items:
                      $ref: '#/components/schemas/Security_Lists_API_List'
                    type: array
                  page:
                    minimum: 0
                    type: integer
                  per_page:
                    minimum: 0
                    type: integer
                  total:
                    minimum: 0
                    type: integer
                required:
                  - data
                  - page
                  - per_page
                  - total
                  - cursor
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                badRequest:
                  value:
                    error: Bad Request
                    message: '[request query]: page: Expected number, received nan'
                    statusCode: 400
              schema:
                oneOf:
                  - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
                  - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
          description: Invalid input data response
        '401':
          content:
            application/json:
              examples:
                unauthorized:
                  value:
                    error: Unauthorized
                    message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
          description: Unsuccessful authentication response
        '403':
          content:
            application/json:
              examples:
                forbidden:
                  value:
                    error: Forbidden
                    message: API [GET /api/lists/_find?page=1&per_page=20] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]
                    statusCode: 403
              schema:
                $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
          description: Not enough privileges response
        '500':
          content:
            application/json:
              examples:
                serverError:
                  value:
                    message: Internal Server Error
                    status_code: 500
              schema:
                $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
          description: Internal server error response
      summary: Get value lists
      tags:
        - Security Lists API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/lists/index:
    delete:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/lists/index</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Delete the `.lists` and `.items` data streams.
      operationId: DeleteListIndex
      responses:
        '200':
          content:
            application/json:
              examples:
                acknowledged:
                  value:
                    acknowledged: true
              schema:
                type: object
                properties:
                  acknowledged:
                    type: boolean
                required:
                  - acknowledged
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                badRequest:
                  value:
                    message: 'Unable to delete value list data streams: invalid or missing index metadata'
                    status_code: 400
              schema:
                oneOf:
                  - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
                  - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
          description: Invalid input data response
        '401':
          content:
            application/json:
              examples:
                unauthorized:
                  value:
                    error: Unauthorized
                    message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
          description: Unsuccessful authentication response
        '403':
          content:
            application/json:
              examples:
                forbidden:
                  value:
                    error: Forbidden
                    message: API [DELETE /api/lists/index] is not authorized; lists-all (or equivalent) is required to delete data streams
                    statusCode: 403
              schema:
                $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
          description: Not enough privileges response
        '404':
          content:
            application/json:
              examples:
                notFound:
                  value:
                    message: The value list data stream was not found in this space
                    status_code: 404
              schema:
                $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
          description: List data stream not found response
        '500':
          content:
            application/json:
              examples:
                serverError:
                  value:
                    message: Internal Server Error
                    status_code: 500
              schema:
                $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
          description: Internal server error response
      summary: Delete value list data streams
      tags:
        - Security Lists API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/lists/index</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Verify that `.lists` and `.items` data streams exist.
      operationId: ReadListIndex
      responses:
        '200':
          content:
            application/json:
              examples:
                bothExist:
                  value:
                    list_index: true
                    list_item_index: true
              schema:
                type: object
                properties:
                  list_index:
                    type: boolean
                  list_item_index:
                    type: boolean
                required:
                  - list_index
                  - list_item_index
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                badRequest:
                  value:
                    message: Unable to read value list data stream status for this space
                    status_code: 400
              schema:
                oneOf:
                  - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
                  - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
          description: Invalid input data response
        '401':
          content:
            application/json:
              examples:
                unauthorized:
                  value:
                    error: Unauthorized
                    message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
          description: Unsuccessful authentication response
        '403':
          content:
            application/json:
              examples:
                forbidden:
                  value:
                    error: Forbidden
                    message: API [GET /api/lists/index] is not authorized; list read permissions are required
                    statusCode: 403
              schema:
                $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
          description: Not enough privileges response
        '404':
          content:
            application/json:
              examples:
                notFound:
                  value:
                    message: Value list backing indices were not found for this space
                    status_code: 404
              schema:
                $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
          description: List data stream(s) not found response
        '500':
          content:
            application/json:
              examples:
                serverError:
                  value:
                    message: Internal Server Error
                    status_code: 500
              schema:
                $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
          description: Internal server error response
      summary: Get status of value list data streams
      tags:
        - Security Lists API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    post:
      deprecated: true
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/lists/index</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        **DEPRECATED.** `deprecated: true` is set on this operation. Value list backing data streams for the space
        are now created as part of supported workflows; calling this explicitly is rarely required.
        **WARNING:** Do not use for new integrations. Prefer the UI or the list and list-item APIs after confirming
        indices exist with `GET /api/lists/index`.

        Creates the `.lists` and `.items` data streams in the current Kibana space.
      operationId: CreateListIndex
      responses:
        '200':
          content:
            application/json:
              examples:
                acknowledged:
                  value:
                    acknowledged: true
              schema:
                type: object
                properties:
                  acknowledged:
                    type: boolean
                required:
                  - acknowledged
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                badRequest:
                  value:
                    message: Indices exist but the request could not be completed for the current space. Check that Elasticsearch and Kibana privileges allow index creation for lists.
                    status_code: 400
              schema:
                oneOf:
                  - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
                  - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
          description: Invalid input data response
        '401':
          content:
            application/json:
              examples:
                unauthorized:
                  value:
                    error: Unauthorized
                    message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
          description: Unsuccessful authentication response
        '403':
          content:
            application/json:
              examples:
                forbidden:
                  value:
                    error: Forbidden
                    message: API [POST /api/lists/index] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]
                    statusCode: 403
              schema:
                $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
          description: Not enough privileges response
        '409':
          content:
            application/json:
              examples:
                alreadyExists:
                  value:
                    message: 'data stream: ".lists-default" and ".items-default" already exists'
                    status_code: 409
              schema:
                $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
          description: List data stream exists response
        '500':
          content:
            application/json:
              examples:
                serverError:
                  value:
                    message: Internal Server Error
                    status_code: 500
              schema:
                $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
          description: Internal server error response
      summary: Create list data streams
      tags:
        - Security Lists API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/lists/items:
    delete:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/lists/items</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Delete a value list item using its `id`, or its `list_id` and `value` fields.
      operationId: DeleteListItem
      parameters:
        - description: Value list item's identifier. Required if `list_id` and `value` are not specified.
          in: query
          name: id
          required: false
          schema:
            $ref: '#/components/schemas/Security_Lists_API_ListItemId'
        - description: Value list's identifier. Required if `id` is not specified.
          in: query
          name: list_id
          required: false
          schema:
            $ref: '#/components/schemas/Security_Lists_API_ListId'
        - description: The value used to evaluate exceptions. Required if `id` is not specified.
          in: query
          name: value
          required: false
          schema:
            example: 255.255.255.255
            type: string
        - description: Determines when changes made by the request are made visible to search.
          in: query
          name: refresh
          required: false
          schema:
            default: 'false'
            enum:
              - 'true'
              - 'false'
              - wait_for
            example: 'false'
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                ip:
                  value:
                    _version: WzIwLDFd
                    '@timestamp': '2025-01-08T05:15:05.159Z'
                    created_at: '2025-01-08T05:15:05.159Z'
                    created_by: elastic
                    id: pd1WRJQBs4HAK3VQeHFI
                    list_id: ip_list
                    tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3
                    type: ip
                    updated_at: '2025-01-08T05:44:14.009Z'
                    updated_by: elastic
                    value: 255.255.255.255
              schema:
                oneOf:
                  - $ref: '#/components/schemas/Security_Lists_API_ListItem'
                  - items:
                      $ref: '#/components/schemas/Security_Lists_API_ListItem'
                    type: array
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                badRequest:
                  value:
                    message: 'Either "list_id" or "id" needs to be defined in the request'
                    status_code: 400
              schema:
                oneOf:
                  - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
                  - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
          description: Invalid input data response
        '401':
          content:
            application/json:
              examples:
                unauthorized:
                  value:
                    error: Unauthorized
                    message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
          description: Unsuccessful authentication response
        '403':
          content:
            application/json:
              examples:
                forbidden:
                  value:
                    error: Forbidden
                    message: API [DELETE /api/lists/items?id=pd1WRJQBs4HAK3VQeHFI] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]
                    statusCode: 403
              schema:
                $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
          description: Not enough privileges response
        '404':
          content:
            application/json:
              examples:
                notFound:
                  value:
                    message: 'list item with id: "pd1WRJQBs4HAK3VQeHFI" not found'
                    status_code: 404
              schema:
                $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
          description: List item not found response
        '500':
          content:
            application/json:
              examples:
                serverError:
                  value:
                    message: Internal Server Error
                    status_code: 500
              schema:
                $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
          description: Internal server error response
      summary: Delete a value list item
      tags:
        - Security Lists API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/lists/items</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get the details of a value list item.
      operationId: ReadListItem
      parameters:
        - description: Value list item identifier. Required if `list_id` and `value` are not specified.
          in: query
          name: id
          required: false
          schema:
            $ref: '#/components/schemas/Security_Lists_API_ListItemId'
        - description: Identifier of the value list that the item belongs to. Required if `id` is not specified.
          in: query
          name: list_id
          required: false
          schema:
            $ref: '#/components/schemas/Security_Lists_API_ListId'
        - description: The value used to evaluate exceptions. Required if `id` is not specified.
          in: query
          name: value
          required: false
          schema:
            example: 127.0.0.2
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                ip:
                  value:
                    _version: WzExLDFd
                    '@timestamp': '2025-01-08T05:16:25.882Z'
                    created_at: '2025-01-08T05:16:25.882Z'
                    created_by: elastic
                    id: qN1XRJQBs4HAK3VQs3Gc
                    list_id: ip_list
                    tie_breaker_id: a9a34c02-a385-436e-86a0-02a3942f3537
                    type: ip
                    updated_at: '2025-01-08T05:16:25.882Z'
                    updated_by: elastic
                    value: 127.0.0.2
              schema:
                oneOf:
                  - $ref: '#/components/schemas/Security_Lists_API_ListItem'
                  - items:
                      $ref: '#/components/schemas/Security_Lists_API_ListItem'
                    type: array
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                badRequest:
                  value:
                    message: 'Either "list_id" or "id" needs to be defined in the request'
                    status_code: 400
              schema:
                oneOf:
                  - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
                  - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
          description: Invalid input data response
        '401':
          content:
            application/json:
              examples:
                unauthorized:
                  value:
                    error: Unauthorized
                    message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
          description: Unsuccessful authentication response
        '403':
          content:
            application/json:
              examples:
                forbidden:
                  value:
                    error: Forbidden
                    message: API [GET /api/lists/items?id=qN1XRJQBs4HAK3VQs3Gc] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]
                    statusCode: 403
              schema:
                $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
          description: Not enough privileges response
        '404':
          content:
            application/json:
              examples:
                notFound:
                  value:
                    message: 'list item id: "foo" not found'
                    status_code: 404
              schema:
                $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
          description: List item not found response
        '500':
          content:
            application/json:
              examples:
                serverError:
                  value:
                    message: Internal Server Error
                    status_code: 500
              schema:
                $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
          description: Internal server error response
      summary: Get a value list item
      tags:
        - Security Lists API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    patch:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb patch">patch</span>&nbsp;<span class="operation-path">/s/{space_id}/api/lists/items</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Update specific fields of an existing value list item using the item `id`.
      operationId: PatchListItem
      requestBody:
        content:
          application/json:
            examples:
              changeValue:
                value:
                  id: pd1WRJQBs4HAK3VQeHFI
                  value: 255.255.255.255
            schema:
              type: object
              properties:
                _version:
                  $ref: '#/components/schemas/Security_Lists_API_ListVersionId'
                id:
                  $ref: '#/components/schemas/Security_Lists_API_ListItemId'
                meta:
                  $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata'
                refresh:
                  description: Determines when changes made by the request are made visible to search.
                  enum:
                    - 'true'
                    - 'false'
                    - wait_for
                  type: string
                value:
                  $ref: '#/components/schemas/Security_Lists_API_ListItemValue'
              required:
                - id
        description: Value list item's properties
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                ipItem:
                  value:
                    _version: WzE5LDFd
                    '@timestamp': '2025-01-08T05:15:05.159Z'
                    created_at: '2025-01-08T05:15:05.159Z'
                    created_by: elastic
                    id: pd1WRJQBs4HAK3VQeHFI
                    list_id: ip_list
                    tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3
                    type: ip
                    updated_at: '2025-01-08T05:23:37.602Z'
                    updated_by: elastic
                    value: 255.255.255.255
              schema:
                $ref: '#/components/schemas/Security_Lists_API_ListItem'
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                badRequest:
                  value:
                    message: '{"took":15,"timed_out":false,"total":1,"updated":0,"deleted":0,"batches":1,"version_conflicts":0,"noops":0,"retries":{"bulk":0,"search":0},"throttled_millis":0,"requests_per_second":-1,"throttled_until_millis":0,"failures":[{"index":".ds-.items-default-2025.01.09-000001","id":"ip_item","cause":{"type":"document_parsing_exception","reason":"[1:107] failed to parse field [ip] of type [ip] in document with id ip_item. Preview of fields value: 2","caused_by":{"type":"illegal_argument_exception","reason":"2 is not an IP string literal."}},"status":400}]}'
                    status_code: 400
              schema:
                oneOf:
                  - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
                  - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
          description: Invalid input data response
        '401':
          content:
            application/json:
              examples:
                unauthorized:
                  value:
                    error: Unauthorized
                    message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
          description: Unsuccessful authentication response
        '403':
          content:
            application/json:
              examples:
                forbidden:
                  value:
                    error: Forbidden
                    message: API [PATCH /api/lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]
                    statusCode: 403
              schema:
                $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
          description: Not enough privileges response
        '404':
          content:
            application/json:
              examples:
                notFound:
                  value:
                    message: 'list item id: "foo" not found'
                    status_code: 404
              schema:
                $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
          description: List item not found response
        '500':
          content:
            application/json:
              examples:
                serverError:
                  value:
                    message: Internal Server Error
                    status_code: 500
              schema:
                $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
          description: Internal server error response
      summary: Patch a value list item
      tags:
        - Security Lists API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    post:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/lists/items</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Create a value list item and associate it with the specified value list.

        All value list items in the same list must be the same type. For example, each list item in an `ip` list must define a specific IP address.
        > info
        > Before creating a list item, you must create a list.
      operationId: CreateListItem
      requestBody:
        content:
          application/json:
            examples:
              ip:
                value:
                  list_id: ip_list
                  value: 127.0.0.1
              ip_range:
                value:
                  list_id: ip_range_list
                  value: 192.168.0.0/16
              keyword:
                value:
                  list_id: keyword_list
                  value: zeek
            schema:
              type: object
              properties:
                id:
                  $ref: '#/components/schemas/Security_Lists_API_ListItemId'
                list_id:
                  $ref: '#/components/schemas/Security_Lists_API_ListId'
                meta:
                  $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata'
                refresh:
                  description: Determines when changes made by the request are made visible to search.
                  enum:
                    - 'true'
                    - 'false'
                    - wait_for
                  example: wait_for
                  type: string
                value:
                  $ref: '#/components/schemas/Security_Lists_API_ListItemValue'
              required:
                - list_id
                - value
        description: Value list item's properties
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                ip:
                  value:
                    _version: WzAsMV0=
                    '@timestamp': '2025-01-08T04:59:06.154Z'
                    created_at: '2025-01-08T04:59:06.154Z'
                    created_by: elastic
                    id: 21b01cfb-058d-44b9-838c-282be16c91cc
                    list_id: ip_list
                    tie_breaker_id: b57c762c-3036-465c-9bfb-7bfb5e6e515a
                    type: ip
                    updated_at: '2025-01-08T04:59:06.154Z'
                    updated_by: elastic
                    value: 127.0.0.1
                ip_range:
                  value:
                    _version: WzEsMV0=
                    '@timestamp': '2025-01-09T18:33:08.202Z'
                    created_at: '2025-01-09T18:33:08.202Z'
                    created_by: elastic
                    id: ip_range_item
                    list_id: ip_range_list
                    tie_breaker_id: ea1b4189-efda-4637-b8f9-74655a5ebb61
                    type: ip_range
                    updated_at: '2025-01-09T18:33:08.202Z'
                    updated_by: elastic
                    value: 192.168.0.0/16
                keyword:
                  value:
                    _version: WzIsMV0=
                    '@timestamp': '2025-01-09T18:34:29.422Z'
                    created_at: '2025-01-09T18:34:29.422Z'
                    created_by: elastic
                    id: 7f24737d-1da8-4626-a568-33070591bb4e
                    list_id: keyword_list
                    tie_breaker_id: 2108ced2-5e5d-401e-a88e-4dd69fc5fa27
                    type: keyword
                    updated_at: '2025-01-09T18:34:29.422Z'
                    updated_by: elastic
                    value: zeek
              schema:
                $ref: '#/components/schemas/Security_Lists_API_ListItem'
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                badRequest:
                  value:
                    error: Bad Request
                    message: uri [/api/lists/items] with method [post] exists but is not available with the current configuration
                    statusCode: 400
              schema:
                oneOf:
                  - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
                  - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
          description: Invalid input data response
        '401':
          content:
            application/json:
              examples:
                unauthorized:
                  value:
                    error: Unauthorized
                    message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
          description: Unsuccessful authentication response
        '403':
          content:
            application/json:
              examples:
                forbidden:
                  value:
                    error: Forbidden
                    message: API [POST /api/lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]
                    statusCode: 403
              schema:
                $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
          description: Not enough privileges response
        '404':
          content:
            application/json:
              examples:
                listNotFound:
                  value:
                    message: 'list id: "ip_list" does not exist'
                    status_code: 404
              schema:
                $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
          description: List not found response
        '409':
          content:
            application/json:
              examples:
                alreadyExists:
                  value:
                    message: 'list item id: "ip_item" already exists'
                    status_code: 409
              schema:
                $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
          description: List item already exists response
        '500':
          content:
            application/json:
              examples:
                serverError:
                  value:
                    message: Internal Server Error
                    status_code: 500
              schema:
                $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
          description: Internal server error response
      summary: Create a value list item
      tags:
        - Security Lists API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    put:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb put">put</span>&nbsp;<span class="operation-path">/s/{space_id}/api/lists/items</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Update a value list item using the list item ID. The original list item is replaced, and all unspecified fields are deleted.
        > info
        > You cannot modify the `id` value.
      operationId: UpdateListItem
      requestBody:
        content:
          application/json:
            examples:
              fullReplace:
                value:
                  id: ip_item
                  value: 255.255.255.255
            schema:
              example:
                id: ip_item
                value: 255.255.255.255
              type: object
              properties:
                _version:
                  $ref: '#/components/schemas/Security_Lists_API_ListVersionId'
                id:
                  $ref: '#/components/schemas/Security_Lists_API_ListItemId'
                meta:
                  $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata'
                value:
                  $ref: '#/components/schemas/Security_Lists_API_ListItemValue'
              required:
                - id
                - value
        description: Value list item's properties
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                ip:
                  value:
                    _version: WzIwLDFd
                    '@timestamp': '2025-01-08T05:15:05.159Z'
                    created_at: '2025-01-08T05:15:05.159Z'
                    created_by: elastic
                    id: pd1WRJQBs4HAK3VQeHFI
                    list_id: ip_list
                    tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3
                    type: ip
                    updated_at: '2025-01-08T05:44:14.009Z'
                    updated_by: elastic
                    value: 255.255.255.255
              schema:
                $ref: '#/components/schemas/Security_Lists_API_ListItem'
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                badRequest:
                  value:
                    error: Bad Request
                    message: '[request body]: id: Expected string, received number'
                    statusCode: 400
              schema:
                oneOf:
                  - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
                  - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
          description: Invalid input data response
        '401':
          content:
            application/json:
              examples:
                unauthorized:
                  value:
                    error: Unauthorized
                    message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
          description: Unsuccessful authentication response
        '403':
          content:
            application/json:
              examples:
                forbidden:
                  value:
                    error: Forbidden
                    message: API [PUT /api/lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]
                    statusCode: 403
              schema:
                $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
          description: Not enough privileges response
        '404':
          content:
            application/json:
              examples:
                notFound:
                  value:
                    message: 'list item id: "foo" not found'
                    status_code: 404
              schema:
                $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
          description: List item not found response
        '500':
          content:
            application/json:
              examples:
                serverError:
                  value:
                    message: Internal Server Error
                    status_code: 500
              schema:
                $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
          description: Internal server error response
      summary: Update a value list item
      tags:
        - Security Lists API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/lists/items/_export:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/lists/items/_export</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Export list item values from the specified value list.
      operationId: ExportListItems
      parameters:
        - description: Value list's `id` to export.
          in: query
          name: list_id
          required: true
          schema:
            $ref: '#/components/schemas/Security_Lists_API_ListId'
      responses:
        '200':
          content:
            application/ndjson:
              examples:
                ipLines:
                  value: |
                    127.0.0.1
                    127.0.0.2
                    127.0.0.3
              schema:
                description: A `.txt` file containing list items from the specified list
                example: |
                  127.0.0.1
                  127.0.0.2
                  127.0.0.3
                  127.0.0.4
                  127.0.0.5
                  127.0.0.6
                  127.0.0.7
                  127.0.0.8
                  127.0.0.9
                format: binary
                type: string
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                badRequest:
                  value:
                    error: Bad Request
                    message: '[request query]: list_id: Required'
                    statusCode: 400
              schema:
                oneOf:
                  - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
                  - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
          description: Invalid input data response
        '401':
          content:
            application/json:
              examples:
                unauthorized:
                  value:
                    error: Unauthorized
                    message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
          description: Unsuccessful authentication response
        '403':
          content:
            application/json:
              examples:
                forbidden:
                  value:
                    error: Forbidden
                    message: API [POST /api/lists/items/_export?list_id=ips.txt] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]
                    statusCode: 403
              schema:
                $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
          description: Not enough privileges response
        '404':
          content:
            application/json:
              examples:
                notFound:
                  value:
                    message: 'list id: "unknown_list" not found'
                    status_code: 404
              schema:
                $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
          description: List not found response
        '500':
          content:
            application/json:
              examples:
                serverError:
                  value:
                    message: Internal Server Error
                    status_code: 500
              schema:
                $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
          description: Internal server error response
      summary: Export value list items
      tags:
        - Security Lists API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/lists/items/_find:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/lists/items/_find</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get all value list items in the specified list.
      operationId: FindListItems
      parameters:
        - description: Parent value list's `id` to page through items for.
          in: query
          name: list_id
          required: true
          schema:
            $ref: '#/components/schemas/Security_Lists_API_ListId'
        - description: The page number to return.
          in: query
          name: page
          required: false
          schema:
            example: 1
            type: integer
        - description: The number of list items to return per page.
          in: query
          name: per_page
          required: false
          schema:
            example: 20
            type: integer
        - description: Determines which field is used to sort the results.
          in: query
          name: sort_field
          required: false
          schema:
            example: value
            format: nonempty
            minLength: 1
            type: string
        - description: Determines the sort order, which can be `desc` or `asc`.
          in: query
          name: sort_order
          required: false
          schema:
            enum:
              - desc
              - asc
            example: asc
            type: string
        - description: |
            Opaque cursor returned in a previous response; pass it to continue listing from the next page. Omit on the first request.
          in: query
          name: cursor
          required: false
          schema:
            $ref: '#/components/schemas/Security_Lists_API_FindListItemsCursor'
        - description: |
            Filters the returned results according to the value of the specified field,
            using the `<field name>:<field value>` syntax.
          in: query
          name: filter
          required: false
          schema:
            $ref: '#/components/schemas/Security_Lists_API_FindListItemsFilter'
      responses:
        '200':
          content:
            application/json:
              examples:
                ip:
                  value:
                    cursor: WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d
                    data:
                      - _version: WzAsMV0=
                        '@timestamp': '2025-01-08T04:59:06.154Z'
                        created_at: '2025-01-08T04:59:06.154Z'
                        created_by: elastic
                        id: 21b01cfb-058d-44b9-838c-282be16c91cc
                        list_id: ip_list
                        tie_breaker_id: b57c762c-3036-465c-9bfb-7bfb5e6e515a
                        type: ip
                        updated_at: '2025-01-08T04:59:06.154Z'
                        updated_by: elastic
                        value: 127.0.0.1
                    page: 1
                    per_page: 20
                    total: 1
              schema:
                type: object
                properties:
                  cursor:
                    $ref: '#/components/schemas/Security_Lists_API_FindListItemsCursor'
                  data:
                    items:
                      $ref: '#/components/schemas/Security_Lists_API_ListItem'
                    type: array
                  page:
                    minimum: 0
                    type: integer
                  per_page:
                    minimum: 0
                    type: integer
                  total:
                    minimum: 0
                    type: integer
                required:
                  - data
                  - page
                  - per_page
                  - total
                  - cursor
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                badRequest:
                  value:
                    error: Bad Request
                    message: '[request query]: list_id: Required'
                    statusCode: 400
              schema:
                oneOf:
                  - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
                  - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
          description: Invalid input data response
        '401':
          content:
            application/json:
              examples:
                unauthorized:
                  value:
                    error: Unauthorized
                    message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
          description: Unsuccessful authentication response
        '403':
          content:
            application/json:
              examples:
                forbidden:
                  value:
                    error: Forbidden
                    message: API [GET /api/lists/items/_find?list_id=ip_list&page=1&per_page=20] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]
                    statusCode: 403
              schema:
                $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
          description: Not enough privileges response
        '500':
          content:
            application/json:
              examples:
                serverError:
                  value:
                    message: Internal Server Error
                    status_code: 500
              schema:
                $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
          description: Internal server error response
      summary: Get value list items
      tags:
        - Security Lists API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/lists/items/_import:
    post:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/lists/items/_import</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Import value list items from a TXT or CSV file. The maximum file size is 9 million bytes.

        You can import items to a new or existing list.
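
        Added example (not part of the Kibana code base): a local pre-flight check for an import file before it is uploaded. It applies the 9 million byte limit above and parses each line for the `ip`, `ip_range`, or `keyword` type. The one-item-per-line layout, CIDR-only ranges, and all function names are assumptions, and the server's own validation remains authoritative.

        ```python
        import ipaddress

        # Limit stated in the operation description above.
        MAX_IMPORT_BYTES = 9_000_000


        def _check_ip(value):
            ipaddress.ip_address(value)  # raises ValueError on anything but IPv4/IPv6


        def _check_ip_range(value):
            # Assumption: ranges use CIDR form, like the `192.168.0.0/16` example.
            if "/" not in value:
                raise ValueError("expected CIDR notation")
            ipaddress.ip_network(value, strict=False)


        def _check_keyword(value):
            if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
                raise ValueError("control character in keyword")


        CHECKS = {"ip": _check_ip, "ip_range": _check_ip_range, "keyword": _check_keyword}


        def preflight(data: bytes, list_type: str):
            """Return (items, problems) for an import file held in memory.

            items    -- de-duplicated values that passed the local check, in file order
            problems -- (line_number, raw_text, reason); line_number 0 means file-level
            """
            if list_type not in CHECKS:
                raise ValueError(f"no local check for list type {list_type!r}")
            if len(data) > MAX_IMPORT_BYTES:
                return [], [(0, "", f"file is {len(data)} bytes; limit is {MAX_IMPORT_BYTES}")]
            try:
                text = data.decode("utf-8-sig")  # tolerate a UTF-8 byte-order mark
            except UnicodeDecodeError as exc:
                return [], [(0, "", f"not valid UTF-8: {exc.reason}")]

            items, problems, seen = [], [], set()
            for number, raw in enumerate(text.splitlines(), start=1):
                value = raw.strip()
                if not value:
                    continue  # blank lines carry no item
                try:
                    CHECKS[list_type](value)
                except ValueError as exc:
                    problems.append((number, raw, str(exc)))
                    continue
                if value in seen:
                    problems.append((number, raw, "duplicate value"))
                    continue
                seen.add(value)
                items.append(value)
            return items, problems


        # Constructed sample file: CRLF line, blank line, a bare "2", a duplicate,
        # an out-of-range octet, and an IPv6 address.
        SAMPLE = b"127.0.0.1\n127.0.0.2\r\n\n2\n127.0.0.1\n 10.0.0.300\n::1\n"

        if __name__ == "__main__":
            ok, bad = preflight(SAMPLE, "ip")
            print("upload:", ok)
            for line_number, raw, reason in bad:
                print(f"line {line_number}: {raw!r}: {reason}")
        ```

        Upload only when `problems` is empty; rejecting the file locally avoids a partial or failed import on the server.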
      operationId: ImportListItems
      parameters:
        - description: |
            List's id.

            Required when importing to an existing list.
          in: query
          name: list_id
          required: false
          schema:
            $ref: '#/components/schemas/Security_Lists_API_ListId'
        - description: |
            Type of the list being imported.

            Required when importing a new list whose list `id` is not specified.
          examples:
            ip:
              value: ip
          in: query
          name: type
          required: false
          schema:
            $ref: '#/components/schemas/Security_Lists_API_ListType'
        - description: Determines when changes made by the request are made visible to search.
          in: query
          name: refresh
          required: false
          schema:
            enum:
              - 'true'
              - 'false'
              - wait_for
            example: 'true'
            type: string
      requestBody:
        content:
          multipart/form-data:
            examples:
              ipLinesFile:
                value:
                  file: list_values.txt
            schema:
              type: object
              properties:
                file:
                  description: A `.txt` or `.csv` file containing newline separated list items.
                  example: |
                    127.0.0.1
                    127.0.0.2
                    127.0.0.3
                    127.0.0.4
                    127.0.0.5
                    127.0.0.6
                    127.0.0.7
                    127.0.0.8
                    127.0.0.9
                  format: binary
                  type: string
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                ip:
                  value:
                    _version: WzAsMV0=
                    '@timestamp': '2025-01-08T04:47:34.273Z'
                    created_at: '2025-01-08T04:47:34.273Z'
                    created_by: elastic
                    description: This list describes bad internet ip
                    id: ip_list
                    immutable: false
                    name: Simple list with an ip
                    tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899
                    type: ip
                    updated_at: '2025-01-08T04:47:34.273Z'
                    updated_by: elastic
                    version: 1
              schema:
                $ref: '#/components/schemas/Security_Lists_API_List'
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                badRequest:
                  value:
                    message: Either type or list_id need to be defined in the query
                    status_code: 400
              schema:
                oneOf:
                  - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
                  - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
          description: Invalid input data response
        '401':
          content:
            application/json:
              examples:
                unauthorized:
                  value:
                    error: Unauthorized
                    message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
          description: Unsuccessful authentication response
        '403':
          content:
            application/json:
              examples:
                forbidden:
                  value:
                    error: Forbidden
                    message: API [POST /api/lists/items/_import?list_id=ip_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]
                    statusCode: 403
              schema:
                $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
          description: Not enough privileges response
        '409':
          content:
            application/json:
              examples:
                conflict:
                  value:
                    message: List with the specified list_id does not exist, create the list or fix list_id to import to an existing one
                    status_code: 409
              schema:
                $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
          description: List with specified list_id does not exist response
        '500':
          content:
            application/json:
              examples:
                serverError:
                  value:
                    message: Internal Server Error
                    status_code: 500
              schema:
                $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
          description: Internal server error response
      summary: Import value list items
      tags:
        - Security Lists API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/lists/privileges:
    get:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/lists/privileges</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Returns the caller's authentication state and the Elasticsearch `cluster`, `index`, and `application`
        privileges for `.lists` and `.items` data streams in the current Kibana space. Use this to decide which list
        APIs (`read` vs `all` operations) are available before you create or import lists.
      operationId: ReadListPrivileges
      responses:
        '200':
          content:
            application/json:
              examples:
                privileges:
                  value:
                    is_authenticated: true
                    listItems:
                      application: {}
                      cluster:
                        all: true
                        manage: true
                        manage_api_key: true
                        manage_index_templates: true
                        manage_ml: true
                        manage_own_api_key: true
                        manage_pipeline: true
                        manage_security: true
                        manage_transform: true
                        monitor: true
                        monitor_ml: true
                        monitor_transform: true
                      has_all_requested: true
                      index:
                        .items-default:
                          all: true
                          create: true
                          create_doc: true
                          create_index: true
                          delete: true
                          delete_index: true
                          index: true
                          maintenance: true
                          manage: true
                          monitor: true
                          read: true
                          view_index_metadata: true
                          write: true
                      username: elastic
                    lists:
                      application: {}
                      cluster:
                        all: true
                        manage: true
                        manage_api_key: true
                        manage_index_templates: true
                        manage_ml: true
                        manage_own_api_key: true
                        manage_pipeline: true
                        manage_security: true
                        manage_transform: true
                        monitor: true
                        monitor_ml: true
                        monitor_transform: true
                      has_all_requested: true
                      index:
                        .lists-default:
                          all: true
                          create: true
                          create_doc: true
                          create_index: true
                          delete: true
                          delete_index: true
                          index: true
                          maintenance: true
                          manage: true
                          monitor: true
                          read: true
                          view_index_metadata: true
                          write: true
                      username: elastic
              schema:
                type: object
                properties:
                  is_authenticated:
                    type: boolean
                  listItems:
                    $ref: '#/components/schemas/Security_Lists_API_ListItemPrivileges'
                  lists:
                    $ref: '#/components/schemas/Security_Lists_API_ListPrivileges'
                required:
                  - lists
                  - listItems
                  - is_authenticated
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                badRequest:
                  value:
                    error: Bad Request
                    message: 'Unable to resolve list privileges: invalid or missing space context for this request'
                    statusCode: 400
              schema:
                oneOf:
                  - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
                  - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
          description: Invalid input data response
        '401':
          content:
            application/json:
              examples:
                unauthorized:
                  value:
                    error: Unauthorized
                    message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
          description: Unsuccessful authentication response
        '403':
          content:
            application/json:
              examples:
                forbidden:
                  value:
                    error: Forbidden
                    message: API [GET /api/lists/privileges] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]
                    statusCode: 403
              schema:
                $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
          description: Not enough privileges response
        '500':
          content:
            application/json:
              examples:
                serverError:
                  value:
                    message: Internal Server Error
                    status_code: 500
              schema:
                $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
          description: Internal server error response
      summary: Get value list privileges
      tags:
        - Security Lists API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/maintenance_window:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/maintenance_window</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        [Required authorization] Route required privileges: write-maintenance-window.
      operationId: post-maintenance-window
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            examples:
              createMaintenanceWindowRequest:
                description: |
                  Create a maintenance window that recurs every week on Monday and Wednesday for two hours, with a scope that filters specific alerts using a KQL query.
                summary: Create a maintenance window
                value:
                  enabled: true
                  schedule:
                    custom:
                      duration: 2h
                      recurring:
                        every: 1w
                        occurrences: 10
                        onWeekDay:
                          - MO
                          - WE
                      start: '2025-03-01T08:00:00.000Z'
                      timezone: Europe/Amsterdam
                  scope:
                    alerting:
                      query:
                        kql: 'kibana.alert.tags: "infra"'
                  title: Weekly Maintenance Window
            schema:
              additionalProperties: false
              type: object
              properties:
                enabled:
                  description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications.
                  type: boolean
                schedule:
                  additionalProperties: false
                  type: object
                  properties:
                    custom:
                      additionalProperties: false
                      type: object
                      properties:
                        duration:
                          description: 'The duration of the schedule. It allows values in `<integer><unit>` format. `<unit>` is one of `d`, `h`, `m`, or `s` for days, hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.'
                          type: string
                        recurring:
                          additionalProperties: false
                          type: object
                          properties:
                            end:
                              description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.'
                              type: string
                            every:
                              description: 'The interval and frequency of a recurring schedule. It allows values in `<integer><unit>` format. `<unit>` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3M`, `1y`.'
                              type: string
                            occurrences:
                              description: The total number of recurrences of the schedule.
                              minimum: 1
                              type: number
                            onMonth:
                              description: The specific months for a recurring schedule. Valid values are 1-12.
                              items:
                                maximum: 12
                                minimum: 1
                                type: number
                              minItems: 1
                              type: array
                            onMonthDay:
                              description: The specific days of the month for a recurring schedule. Valid values are 1-31.
                              items:
                                maximum: 31
                                minimum: 1
                                type: number
                              minItems: 1
                              type: array
                            onWeekDay:
                              description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule.
                              items:
                                type: string
                              minItems: 1
                              type: array
                        start:
                          description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.'
                          type: string
                        timezone:
                          description: The timezone of the schedule. The default timezone is UTC.
                          type: string
                      required:
                        - start
                        - duration
                  required:
                    - custom
                scope:
                  additionalProperties: false
                  type: object
                  properties:
                    alerting:
                      additionalProperties: false
                      type: object
                      properties:
                        query:
                          additionalProperties: false
                          type: object
                          properties:
                            kql:
                              description: A filter written in Kibana Query Language (KQL). Only alerts matching this query will be suppressed by the maintenance window.
                              type: string
                          required:
                            - kql
                      required:
                        - query
                  required:
                    - alerting
                title:
                  description: The name of the maintenance window. While this name does not have to be unique, a distinctive name can help you identify a specific maintenance window.
                  type: string
              required:
                - title
                - schedule
      responses:
        '200':
          content:
            application/json:
              examples:
                createMaintenanceWindowResponse:
                  description: |
                    The response returned when a maintenance window is successfully created.
                  summary: Create a maintenance window response
                  value:
                    created_at: '2025-02-25T10:00:00.000Z'
                    created_by: elastic
                    enabled: true
                    id: f0cb1780-537a-4e34-8adf-3b4336862858
                    schedule:
                      custom:
                        duration: 2h
                        recurring:
                          every: 1w
                          occurrences: 10
                          onWeekDay:
                            - MO
                            - WE
                        start: '2025-03-01T08:00:00.000Z'
                        timezone: Europe/Amsterdam
                    scope:
                      alerting:
                        query:
                          kql: 'kibana.alert.tags: "infra"'
                    status: upcoming
                    title: Weekly Maintenance Window
                    updated_at: '2025-02-25T10:00:00.000Z'
                    updated_by: elastic
              schema:
                additionalProperties: false
                type: object
                properties:
                  created_at:
                    description: The date and time when the maintenance window was created.
                    type: string
                  created_by:
                    description: The identifier for the user that created the maintenance window.
                    nullable: true
                    type: string
                  enabled:
                    description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications.
                    type: boolean
                  id:
                    description: The identifier for the maintenance window.
                    type: string
                  schedule:
                    additionalProperties: false
                    type: object
                    properties:
                      custom:
                        additionalProperties: false
                        type: object
                        properties:
                          duration:
                            description: 'The duration of the schedule. It allows values in `<integer><unit>` format. `<unit>` is one of `d`, `h`, `m`, or `s` for days, hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.'
                            type: string
                          recurring:
                            additionalProperties: false
                            type: object
                            properties:
                              end:
                                description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.'
                                type: string
                              every:
                                description: 'The interval and frequency of a recurring schedule. It allows values in `<integer><unit>` format. `<unit>` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3M`, `1y`.'
                                type: string
                              occurrences:
                                description: The total number of recurrences of the schedule.
                                type: number
                              onMonth:
                                description: The specific months for a recurring schedule. Valid values are 1-12.
                                items:
                                  type: number
                                type: array
                              onMonthDay:
                                description: The specific days of the month for a recurring schedule. Valid values are 1-31.
                                items:
                                  type: number
                                type: array
                              onWeekDay:
                                description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule.
                                items:
                                  type: string
                                type: array
                          start:
                            description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.'
                            type: string
                          timezone:
                            description: The timezone of the schedule. The default timezone is UTC.
                            type: string
                        required:
                          - start
                          - duration
                    required:
                      - custom
                  scope:
                    additionalProperties: false
                    type: object
                    properties:
                      alerting:
                        additionalProperties: false
                        type: object
                        properties:
                          query:
                            additionalProperties: false
                            type: object
                            properties:
                              kql:
                                description: A filter written in Kibana Query Language (KQL).
                                type: string
                            required:
                              - kql
                        required:
                          - query
                    required:
                      - alerting
                  status:
                    description: The current status of the maintenance window.
                    enum:
                      - running
                      - upcoming
                      - finished
                      - archived
                      - disabled
                    type: string
                  title:
                    description: The name of the maintenance window.
                    type: string
                  updated_at:
                    description: The date and time when the maintenance window was last updated.
                    type: string
                  updated_by:
                    description: The identifier for the user that last updated this maintenance window.
                    nullable: true
                    type: string
                required:
                  - id
                  - title
                  - enabled
                  - created_by
                  - updated_by
                  - created_at
                  - updated_at
                  - status
                  - schedule
          description: Indicates a successful call.
        '400':
          description: Indicates an invalid schema or parameters.
        '403':
          description: Indicates that this call is forbidden.
      summary: Create a maintenance window.
      tags:
        - maintenance-window
      x-state: Generally available
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/maintenance_window/_find:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/maintenance_window/_find</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        [Required authorization] Route required privileges: read-maintenance-window.
      operationId: get-maintenance-window-find
      parameters:
        - description: The title of the maintenance window.
          in: query
          name: title
          required: false
          schema:
            type: string
        - description: The user who created the maintenance window.
          in: query
          name: created_by
          required: false
          schema:
            type: string
        - description: The status of the maintenance window. It can be "running", "upcoming", "finished", "archived", or "disabled".
          in: query
          name: status
          required: false
          schema:
            items:
              enum:
                - running
                - finished
                - upcoming
                - archived
                - disabled
              type: string
            type: array
        - description: The page number to return.
          in: query
          name: page
          required: false
          schema:
            default: 1
            maximum: 100
            minimum: 1
            type: number
        - description: The number of maintenance windows to return per page.
          in: query
          name: per_page
          required: false
          schema:
            default: 10
            maximum: 100
            minimum: 1
            type: number
      responses:
        '200':
          content:
            application/json:
              examples:
                findMaintenanceWindowsResponse:
                  description: |
                    The response returned when maintenance windows are successfully found.
                  summary: Find maintenance windows response
                  value:
                    maintenanceWindows:
                      - created_at: '2025-02-25T10:00:00.000Z'
                        created_by: elastic
                        enabled: true
                        id: f0cb1780-537a-4e34-8adf-3b4336862858
                        schedule:
                          custom:
                            duration: 2h
                            recurring:
                              every: 1w
                              occurrences: 10
                              onWeekDay:
                                - MO
                                - WE
                            start: '2025-03-01T08:00:00.000Z'
                            timezone: Europe/Amsterdam
                        scope:
                          alerting:
                            query:
                              kql: 'kibana.alert.tags: "infra"'
                        status: upcoming
                        title: Weekly Maintenance Window
                        updated_at: '2025-02-25T10:00:00.000Z'
                        updated_by: elastic
                      - created_at: '2025-03-10T09:00:00.000Z'
                        created_by: elastic
                        enabled: true
                        id: a1c94560-6e3b-4ea1-9065-8e3f1b8c5f29
                        schedule:
                          custom:
                            duration: 1h
                            recurring:
                              end: '2025-12-31T00:00:00.000Z'
                              every: 2w
                              onWeekDay:
                                - FR
                            start: '2025-04-01T10:00:00.000Z'
                            timezone: US/Eastern
                        scope:
                          alerting:
                            query:
                              kql: 'kibana.alert.tags: "database"'
                        status: upcoming
                        title: Database Upgrade Window
                        updated_at: '2025-03-15T14:30:00.000Z'
                        updated_by: elastic
                    page: 1
                    per_page: 10
                    total: 2
              schema:
                additionalProperties: false
                type: object
                properties:
                  maintenanceWindows:
                    description: The list of maintenance windows.
                    items:
                      additionalProperties: false
                      type: object
                      properties:
                        created_at:
                          description: The date and time when the maintenance window was created.
                          type: string
                        created_by:
                          description: The identifier for the user that created the maintenance window.
                          nullable: true
                          type: string
                        enabled:
                          description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications.
                          type: boolean
                        id:
                          description: The identifier for the maintenance window.
                          type: string
                        schedule:
                          additionalProperties: false
                          type: object
                          properties:
                            custom:
                              additionalProperties: false
                              type: object
                              properties:
                                duration:
                                  description: 'The duration of the schedule. It allows values in `<integer><unit>` format. `<unit>` is one of `d`, `h`, `m`, or `s` for days, hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.'
                                  type: string
                                recurring:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    end:
                                      description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.'
                                      type: string
                                    every:
                                      description: 'The interval and frequency of a recurring schedule. It allows values in `<integer><unit>` format. `<unit>` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3M`, `1y`.'
                                      type: string
                                    occurrences:
                                      description: The total number of recurrences of the schedule.
                                      type: number
                                    onMonth:
                                      description: The specific months for a recurring schedule. Valid values are 1-12.
                                      items:
                                        type: number
                                      type: array
                                    onMonthDay:
                                      description: The specific days of the month for a recurring schedule. Valid values are 1-31.
                                      items:
                                        type: number
                                      type: array
                                    onWeekDay:
                                      description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule.
                                      items:
                                        type: string
                                      type: array
                                start:
                                  description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.'
                                  type: string
                                timezone:
                                  description: The timezone of the schedule. The default timezone is UTC.
                                  type: string
                              required:
                                - start
                                - duration
                          required:
                            - custom
                        scope:
                          additionalProperties: false
                          type: object
                          properties:
                            alerting:
                              additionalProperties: false
                              type: object
                              properties:
                                query:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    kql:
                                      description: A filter written in Kibana Query Language (KQL).
                                      type: string
                                  required:
                                    - kql
                              required:
                                - query
                          required:
                            - alerting
                        status:
                          description: The current status of the maintenance window.
                          enum:
                            - running
                            - upcoming
                            - finished
                            - archived
                            - disabled
                          type: string
                        title:
                          description: The name of the maintenance window.
                          type: string
                        updated_at:
                          description: The date and time when the maintenance window was last updated.
                          type: string
                        updated_by:
                          description: The identifier for the user that last updated this maintenance window.
                          nullable: true
                          type: string
                      required:
                        - id
                        - title
                        - enabled
                        - created_by
                        - updated_by
                        - created_at
                        - updated_at
                        - status
                        - schedule
                    type: array
                  page:
                    description: The current page number.
                    type: number
                  per_page:
                    description: The number of maintenance windows returned per page.
                    type: number
                  total:
                    description: The total number of maintenance windows that match the query.
                    type: number
                required:
                  - page
                  - per_page
                  - total
                  - maintenanceWindows
          description: Indicates a successful call.
        '400':
          description: Indicates an invalid schema or parameters.
        '403':
          description: Indicates that this call is forbidden.
      summary: Search for a maintenance window.
      tags:
        - maintenance-window
      x-state: Generally available
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/maintenance_window/{id}:
    delete:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/maintenance_window/{id}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        [Required authorization] Route required privileges: write-maintenance-window.
      operationId: delete-maintenance-window-id
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The identifier for the maintenance window to be deleted.
          in: path
          name: id
          required: true
          schema:
            type: string
      responses:
        '204':
          description: Indicates a successful call.
        '400':
          description: Indicates an invalid schema or parameters.
        '403':
          description: Indicates that this call is forbidden.
        '404':
          description: Indicates a maintenance window with the given ID does not exist.
      summary: Delete a maintenance window.
      tags:
        - maintenance-window
      x-state: Generally available
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/maintenance_window/{id}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        [Required authorization] Route required privileges: read-maintenance-window.
      operationId: get-maintenance-window-id
      parameters:
        - description: The identifier for the maintenance window.
          in: path
          name: id
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                getMaintenanceWindowResponse:
                  description: |
                    The response returned when a maintenance window is successfully retrieved.
                  summary: Get a maintenance window response
                  value:
                    created_at: '2025-02-25T10:00:00.000Z'
                    created_by: elastic
                    enabled: true
                    id: f0cb1780-537a-4e34-8adf-3b4336862858
                    schedule:
                      custom:
                        duration: 2h
                        recurring:
                          every: 1w
                          occurrences: 10
                          onWeekDay:
                            - MO
                            - WE
                        start: '2025-03-01T08:00:00.000Z'
                        timezone: Europe/Amsterdam
                    scope:
                      alerting:
                        query:
                          kql: 'kibana.alert.tags: "infra"'
                    status: upcoming
                    title: Weekly Maintenance Window
                    updated_at: '2025-02-25T10:00:00.000Z'
                    updated_by: elastic
              schema:
                additionalProperties: false
                type: object
                properties:
                  created_at:
                    description: The date and time when the maintenance window was created.
                    type: string
                  created_by:
                    description: The identifier for the user that created the maintenance window.
                    nullable: true
                    type: string
                  enabled:
                    description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications.
                    type: boolean
                  id:
                    description: The identifier for the maintenance window.
                    type: string
                  schedule:
                    additionalProperties: false
                    type: object
                    properties:
                      custom:
                        additionalProperties: false
                        type: object
                        properties:
                          duration:
                            description: 'The duration of the schedule. It allows values in `<integer><unit>` format. `<unit>` is one of `d`, `h`, `m`, or `s` for days, hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.'
                            type: string
                          recurring:
                            additionalProperties: false
                            type: object
                            properties:
                              end:
                                description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.'
                                type: string
                              every:
                                description: 'The interval and frequency of a recurring schedule. It allows values in `<integer><unit>` format. `<unit>` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3M`, `1y`.'
                                type: string
                              occurrences:
                                description: The total number of recurrences of the schedule.
                                type: number
                              onMonth:
                                description: The specific months for a recurring schedule. Valid values are 1-12.
                                items:
                                  type: number
                                type: array
                              onMonthDay:
                                description: The specific days of the month for a recurring schedule. Valid values are 1-31.
                                items:
                                  type: number
                                type: array
                              onWeekDay:
                                description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule.
                                items:
                                  type: string
                                type: array
                          start:
                            description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.'
                            type: string
                          timezone:
                            description: The timezone of the schedule. The default timezone is UTC.
                            type: string
                        required:
                          - start
                          - duration
                    required:
                      - custom
                  scope:
                    additionalProperties: false
                    type: object
                    properties:
                      alerting:
                        additionalProperties: false
                        type: object
                        properties:
                          query:
                            additionalProperties: false
                            type: object
                            properties:
                              kql:
                                description: A filter written in Kibana Query Language (KQL).
                                type: string
                            required:
                              - kql
                        required:
                          - query
                    required:
                      - alerting
                  status:
                    description: The current status of the maintenance window.
                    enum:
                      - running
                      - upcoming
                      - finished
                      - archived
                      - disabled
                    type: string
                  title:
                    description: The name of the maintenance window.
                    type: string
                  updated_at:
                    description: The date and time when the maintenance window was last updated.
                    type: string
                  updated_by:
                    description: The identifier for the user that last updated this maintenance window.
                    nullable: true
                    type: string
                required:
                  - id
                  - title
                  - enabled
                  - created_by
                  - updated_by
                  - created_at
                  - updated_at
                  - status
                  - schedule
          description: Indicates a successful call.
        '400':
          description: Indicates an invalid schema or parameters.
        '403':
          description: Indicates that this call is forbidden.
        '404':
          description: Indicates a maintenance window with the given ID does not exist.
      summary: Get maintenance window details.
      tags:
        - maintenance-window
      x-state: Generally available
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    patch:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb patch">patch</span>&nbsp;<span class="operation-path">/s/{space_id}/api/maintenance_window/{id}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        [Required authorization] Route required privileges: write-maintenance-window.
      operationId: patch-maintenance-window-id
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The identifier for the maintenance window.
          in: path
          name: id
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            examples:
              updateMaintenanceWindowRequest:
                description: |
                  Update a maintenance window to change its title, schedule, and scope.
                summary: Update a maintenance window
                value:
                  enabled: true
                  schedule:
                    custom:
                      duration: 1h
                      recurring:
                        end: '2025-12-31T00:00:00.000Z'
                        every: 2w
                        onWeekDay:
                          - FR
                      start: '2025-04-01T10:00:00.000Z'
                      timezone: US/Eastern
                  scope:
                    alerting:
                      query:
                        kql: 'kibana.alert.tags: "database"'
                  title: Updated maintenance window
            schema:
              additionalProperties: false
              type: object
              properties:
                enabled:
                  description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications.
                  type: boolean
                schedule:
                  additionalProperties: false
                  type: object
                  properties:
                    custom:
                      additionalProperties: false
                      type: object
                      properties:
                        duration:
                          description: 'The duration of the schedule. It allows values in `<integer><unit>` format. `<unit>` is one of `d`, `h`, `m`, or `s` for days, hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.'
                          type: string
                        recurring:
                          additionalProperties: false
                          type: object
                          properties:
                            end:
                              description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.'
                              type: string
                            every:
                              description: 'The interval and frequency of a recurring schedule. It allows values in `<integer><unit>` format. `<unit>` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3M`, `1y`.'
                              type: string
                            occurrences:
                              description: The total number of recurrences of the schedule.
                              minimum: 1
                              type: number
                            onMonth:
                              description: The specific months for a recurring schedule. Valid values are 1-12.
                              items:
                                maximum: 12
                                minimum: 1
                                type: number
                              minItems: 1
                              type: array
                            onMonthDay:
                              description: The specific days of the month for a recurring schedule. Valid values are 1-31.
                              items:
                                maximum: 31
                                minimum: 1
                                type: number
                              minItems: 1
                              type: array
                            onWeekDay:
                              description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule.
                              items:
                                type: string
                              minItems: 1
                              type: array
                        start:
                          description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.'
                          type: string
                        timezone:
                          description: The timezone of the schedule. The default timezone is UTC.
                          type: string
                      required:
                        - start
                        - duration
                  required:
                    - custom
                scope:
                  additionalProperties: false
                  type: object
                  properties:
                    alerting:
                      additionalProperties: false
                      type: object
                      properties:
                        query:
                          additionalProperties: false
                          type: object
                          properties:
                            kql:
                              description: A filter written in Kibana Query Language (KQL). Only alerts matching this query will be suppressed by the maintenance window.
                              type: string
                          required:
                            - kql
                      required:
                        - query
                  required:
                    - alerting
                title:
                  description: The name of the maintenance window. While this name does not have to be unique, a distinctive name can help you identify a specific maintenance window.
                  type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                updateMaintenanceWindowResponse:
                  description: |
                    The response returned when a maintenance window is successfully updated.
                  summary: Update a maintenance window response
                  value:
                    created_at: '2025-02-25T10:00:00.000Z'
                    created_by: elastic
                    enabled: true
                    id: f0cb1780-537a-4e34-8adf-3b4336862858
                    schedule:
                      custom:
                        duration: 1h
                        recurring:
                          end: '2025-12-31T00:00:00.000Z'
                          every: 2w
                          onWeekDay:
                            - FR
                        start: '2025-04-01T10:00:00.000Z'
                        timezone: US/Eastern
                    scope:
                      alerting:
                        query:
                          kql: 'kibana.alert.tags: "database"'
                    status: upcoming
                    title: Updated maintenance window
                    updated_at: '2025-03-15T14:30:00.000Z'
                    updated_by: elastic
              schema:
                additionalProperties: false
                type: object
                properties:
                  created_at:
                    description: The date and time when the maintenance window was created.
                    type: string
                  created_by:
                    description: The identifier for the user that created the maintenance window.
                    nullable: true
                    type: string
                  enabled:
                    description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications.
                    type: boolean
                  id:
                    description: The identifier for the maintenance window.
                    type: string
                  schedule:
                    additionalProperties: false
                    type: object
                    properties:
                      custom:
                        additionalProperties: false
                        type: object
                        properties:
                          duration:
                            description: 'The duration of the schedule. It allows values in `<integer><unit>` format. `<unit>` is one of `d`, `h`, `m`, or `s` for days, hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.'
                            type: string
                          recurring:
                            additionalProperties: false
                            type: object
                            properties:
                              end:
                                description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.'
                                type: string
                              every:
                                description: 'The interval and frequency of a recurring schedule. It allows values in `<integer><unit>` format. `<unit>` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3M`, `1y`.'
                                type: string
                              occurrences:
                                description: The total number of recurrences of the schedule.
                                type: number
                              onMonth:
                                description: The specific months for a recurring schedule. Valid values are 1-12.
                                items:
                                  type: number
                                type: array
                              onMonthDay:
                                description: The specific days of the month for a recurring schedule. Valid values are 1-31.
                                items:
                                  type: number
                                type: array
                              onWeekDay:
                                description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule.
                                items:
                                  type: string
                                type: array
                          start:
                            description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.'
                            type: string
                          timezone:
                            description: The timezone of the schedule. The default timezone is UTC.
                            type: string
                        required:
                          - start
                          - duration
                    required:
                      - custom
                  scope:
                    additionalProperties: false
                    type: object
                    properties:
                      alerting:
                        additionalProperties: false
                        type: object
                        properties:
                          query:
                            additionalProperties: false
                            type: object
                            properties:
                              kql:
                                description: A filter written in Kibana Query Language (KQL).
                                type: string
                            required:
                              - kql
                        required:
                          - query
                    required:
                      - alerting
                  status:
                    description: The current status of the maintenance window.
                    enum:
                      - running
                      - upcoming
                      - finished
                      - archived
                      - disabled
                    type: string
                  title:
                    description: The name of the maintenance window.
                    type: string
                  updated_at:
                    description: The date and time when the maintenance window was last updated.
                    type: string
                  updated_by:
                    description: The identifier for the user that last updated this maintenance window.
                    nullable: true
                    type: string
                required:
                  - id
                  - title
                  - enabled
                  - created_by
                  - updated_by
                  - created_at
                  - updated_at
                  - status
                  - schedule
          description: Indicates a successful call.
        '400':
          description: Indicates an invalid schema or parameters.
        '403':
          description: Indicates that this call is forbidden.
        '404':
          description: Indicates a maintenance window with the given ID does not exist.
        '409':
          description: Indicates that the maintenance window has already been updated by another user.
      summary: Update a maintenance window.
      tags:
        - maintenance-window
      x-state: Generally available
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/maintenance_window/{id}/_archive:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/maintenance_window/{id}/_archive</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        [Required authorization] Route required privileges: write-maintenance-window.
      operationId: post-maintenance-window-id-archive
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The identifier for the maintenance window to be archived.
          in: path
          name: id
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                archiveMaintenanceWindowResponse:
                  description: |
                    The response returned when a maintenance window is successfully archived.
                  summary: Archive a maintenance window response
                  value:
                    created_at: '2025-02-25T10:00:00.000Z'
                    created_by: elastic
                    enabled: true
                    id: f0cb1780-537a-4e34-8adf-3b4336862858
                    schedule:
                      custom:
                        duration: 2h
                        recurring:
                          every: 1w
                          occurrences: 10
                          onWeekDay:
                            - MO
                            - WE
                        start: '2025-03-01T08:00:00.000Z'
                        timezone: Europe/Amsterdam
                    scope:
                      alerting:
                        query:
                          kql: 'kibana.alert.tags: "infra"'
                    status: archived
                    title: Weekly Maintenance Window
                    updated_at: '2025-02-25T10:00:00.000Z'
                    updated_by: elastic
              schema:
                additionalProperties: false
                type: object
                properties:
                  created_at:
                    description: The date and time when the maintenance window was created.
                    type: string
                  created_by:
                    description: The identifier for the user that created the maintenance window.
                    nullable: true
                    type: string
                  enabled:
                    description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications.
                    type: boolean
                  id:
                    description: The identifier for the maintenance window.
                    type: string
                  schedule:
                    additionalProperties: false
                    type: object
                    properties:
                      custom:
                        additionalProperties: false
                        type: object
                        properties:
                          duration:
                            description: 'The duration of the schedule. It allows values in `<integer><unit>` format. `<unit>` is one of `d`, `h`, `m`, or `s` for days, hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.'
                            type: string
                          recurring:
                            additionalProperties: false
                            type: object
                            properties:
                              end:
                                description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.'
                                type: string
                              every:
                                description: 'The interval and frequency of a recurring schedule. It allows values in `<integer><unit>` format. `<unit>` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3M`, `1y`.'
                                type: string
                              occurrences:
                                description: The total number of recurrences of the schedule.
                                type: number
                              onMonth:
                                description: The specific months for a recurring schedule. Valid values are 1-12.
                                items:
                                  type: number
                                type: array
                              onMonthDay:
                                description: The specific days of the month for a recurring schedule. Valid values are 1-31.
                                items:
                                  type: number
                                type: array
                              onWeekDay:
                                description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule.
                                items:
                                  type: string
                                type: array
                          start:
                            description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.'
                            type: string
                          timezone:
                            description: The timezone of the schedule. The default timezone is UTC.
                            type: string
                        required:
                          - start
                          - duration
                    required:
                      - custom
                  scope:
                    additionalProperties: false
                    type: object
                    properties:
                      alerting:
                        additionalProperties: false
                        type: object
                        properties:
                          query:
                            additionalProperties: false
                            type: object
                            properties:
                              kql:
                                description: A filter written in Kibana Query Language (KQL).
                                type: string
                            required:
                              - kql
                        required:
                          - query
                    required:
                      - alerting
                  status:
                    description: The current status of the maintenance window.
                    enum:
                      - running
                      - upcoming
                      - finished
                      - archived
                      - disabled
                    type: string
                  title:
                    description: The name of the maintenance window.
                    type: string
                  updated_at:
                    description: The date and time when the maintenance window was last updated.
                    type: string
                  updated_by:
                    description: The identifier for the user that last updated this maintenance window.
                    nullable: true
                    type: string
                required:
                  - id
                  - title
                  - enabled
                  - created_by
                  - updated_by
                  - created_at
                  - updated_at
                  - status
                  - schedule
          description: Indicates a successful call.
        '400':
          description: Indicates an invalid schema or parameters.
        '403':
          description: Indicates that this call is forbidden.
        '404':
          description: Indicates a maintenance window with the given ID does not exist.
      summary: Archive a maintenance window.
      tags:
        - maintenance-window
      x-state: Generally available
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/maintenance_window/{id}/_unarchive:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/maintenance_window/{id}/_unarchive</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        [Required authorization] Route required privileges: write-maintenance-window.
      operationId: post-maintenance-window-id-unarchive
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The identifier for the maintenance window to be unarchived.
          in: path
          name: id
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                unarchiveMaintenanceWindowResponse:
                  description: |
                    The response returned when a maintenance window is successfully unarchived.
                  summary: Unarchive a maintenance window response
                  value:
                    created_at: '2025-02-25T10:00:00.000Z'
                    created_by: elastic
                    enabled: true
                    id: f0cb1780-537a-4e34-8adf-3b4336862858
                    schedule:
                      custom:
                        duration: 2h
                        recurring:
                          every: 1w
                          occurrences: 10
                          onWeekDay:
                            - MO
                            - WE
                        start: '2025-03-01T08:00:00.000Z'
                        timezone: Europe/Amsterdam
                    scope:
                      alerting:
                        query:
                          kql: 'kibana.alert.tags: "infra"'
                    status: upcoming
                    title: Weekly Maintenance Window
                    updated_at: '2025-02-25T10:00:00.000Z'
                    updated_by: elastic
              schema:
                additionalProperties: false
                type: object
                properties:
                  created_at:
                    description: The date and time when the maintenance window was created.
                    type: string
                  created_by:
                    description: The identifier for the user that created the maintenance window.
                    nullable: true
                    type: string
                  enabled:
                    description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications.
                    type: boolean
                  id:
                    description: The identifier for the maintenance window.
                    type: string
                  schedule:
                    additionalProperties: false
                    type: object
                    properties:
                      custom:
                        additionalProperties: false
                        type: object
                        properties:
                          duration:
                            description: 'The duration of the schedule. It allows values in `<integer><unit>` format. `<unit>` is one of `d`, `h`, `m`, or `s` for days, hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.'
                            type: string
                          recurring:
                            additionalProperties: false
                            type: object
                            properties:
                              end:
                                description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.'
                                type: string
                              every:
                                description: 'The interval and frequency of a recurring schedule. It allows values in `<integer><unit>` format. `<unit>` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3M`, `1y`.'
                                type: string
                              occurrences:
                                description: The total number of recurrences of the schedule.
                                type: number
                              onMonth:
                                description: The specific months for a recurring schedule. Valid values are 1-12.
                                items:
                                  type: number
                                type: array
                              onMonthDay:
                                description: The specific days of the month for a recurring schedule. Valid values are 1-31.
                                items:
                                  type: number
                                type: array
                              onWeekDay:
                                description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule.
                                items:
                                  type: string
                                type: array
                          start:
                            description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.'
                            type: string
                          timezone:
                            description: The timezone of the schedule. The default timezone is UTC.
                            type: string
                        required:
                          - start
                          - duration
                    required:
                      - custom
                  scope:
                    additionalProperties: false
                    type: object
                    properties:
                      alerting:
                        additionalProperties: false
                        type: object
                        properties:
                          query:
                            additionalProperties: false
                            type: object
                            properties:
                              kql:
                                description: A filter written in Kibana Query Language (KQL).
                                type: string
                            required:
                              - kql
                        required:
                          - query
                    required:
                      - alerting
                  status:
                    description: The current status of the maintenance window.
                    enum:
                      - running
                      - upcoming
                      - finished
                      - archived
                      - disabled
                    type: string
                  title:
                    description: The name of the maintenance window.
                    type: string
                  updated_at:
                    description: The date and time when the maintenance window was last updated.
                    type: string
                  updated_by:
                    description: The identifier for the user that last updated this maintenance window.
                    nullable: true
                    type: string
                required:
                  - id
                  - title
                  - enabled
                  - created_by
                  - updated_by
                  - created_at
                  - updated_at
                  - status
                  - schedule
          description: Indicates a successful call.
        '400':
          description: Indicates an invalid schema or parameters.
        '403':
          description: Indicates that this call is forbidden.
        '404':
          description: Indicates a maintenance window with the given ID does not exist.
      summary: Unarchive a maintenance window.
      tags:
        - maintenance-window
      x-state: Generally available
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/ml/saved_objects/sync:
    get:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/ml/saved_objects/sync</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Synchronizes Kibana saved objects for machine learning jobs and trained models in the default space. You must have `all` privileges for the **Machine Learning** feature in the **Analytics** section of the Kibana feature privileges. This API runs automatically when you start Kibana and periodically thereafter.
      operationId: mlSync
      parameters:
        - $ref: '#/components/parameters/Machine_learning_APIs_simulateParam'
      responses:
        '200':
          content:
            application/json:
              examples:
                syncExample:
                  $ref: '#/components/examples/Machine_learning_APIs_mlSyncExample'
              schema:
                $ref: '#/components/schemas/Machine_learning_APIs_mlSync200Response'
          description: Indicates a successful call
        '401':
          content:
            application/json:
              examples:
                syncExample:
                  $ref: '#/components/examples/Machine_learning_APIs_mlSync401Example'
              schema:
                $ref: '#/components/schemas/Machine_learning_APIs_mlSync4xxResponse'
          description: Authorization information is missing or invalid.
      summary: Sync saved objects in the default space
      tags:
        - ml
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/ml/saved_objects/update_jobs_spaces:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/ml/saved_objects/update_jobs_spaces</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Update a list of jobs to add and/or remove them from given spaces.
      operationId: mlUpdateJobsSpaces
      requestBody:
        content:
          application/json:
            examples:
              updateADJobSpacesRequest:
                value:
                  jobIds:
                    - test-job
                  jobType: anomaly-detector
                  spacesToAdd:
                    - default
                  spacesToRemove:
                    - '*'
              updateDFAJobSpacesRequest:
                value:
                  jobIds:
                    - test-job
                  jobType: data-frame-analytics
                  spacesToAdd:
                    - default
                  spacesToRemove:
                    - '*'
      responses:
        '200':
          content:
            application/json:
              examples:
                successADResponse:
                  value:
                    test-job:
                      success: true
                      type: anomaly-detector
                successDFAResponse:
                  value:
                    test-job:
                      success: true
                      type: data-frame-analytics
          description: Indicates a successful call
      summary: Update jobs spaces
      tags:
        - ml
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/ml/saved_objects/update_trained_models_spaces:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/ml/saved_objects/update_trained_models_spaces</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Update a list of trained models to add and/or remove them from given spaces.
      operationId: mlUpdateTrainedModelsSpaces
      requestBody:
        content:
          application/json:
            examples:
              updateTrainedModelsSpacesRequest:
                value:
                  modelIds:
                    - test-model
                  spacesToAdd:
                    - default
                  spacesToRemove:
                    - '*'
      responses:
        '200':
          content:
            application/json:
              examples:
                successTMResponse:
                  value:
                    test-model:
                      success: true
                      type: trained-model
          description: Indicates a successful call
      summary: Update trained models spaces
      tags:
        - ml
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/note:
    delete:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/note</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Deletes notes by saved object ID. Send either `noteId` (single ID) or `noteIds` (array of IDs) in the JSON body.

        The response has HTTP 200 with an empty body on success.

        Requires the **Timeline and Notes** write privilege (`notes_write`).
      operationId: DeleteNote
      requestBody:
        content:
          application/json:
            examples:
              deleteOne:
                summary: Delete a single note by id
                value:
                  noteId: 709f99c6-89b6-4953-9160-35945c8e174e
            schema:
              oneOf:
                - nullable: true
                  type: object
                  properties:
                    noteId:
                      description: Saved object ID of the note to delete.
                      type: string
                  required:
                    - noteId
                - nullable: true
                  type: object
                  properties:
                    noteIds:
                      description: Saved object IDs of the notes to delete.
                      items:
                        type: string
                      nullable: true
                      type: array
                  required:
                    - noteIds
        description: |
          Exactly one shape: `{ "noteId": "<id>" }` for a single delete, or `{ "noteIds": ["<id>", ...] }` for bulk delete.
          `noteIds` may be null in some clients; prefer an empty array or omit unused fields when possible.
        required: true
      responses:
        '200':
          description: The notes were deleted successfully. Response body is empty.
      summary: Delete one or more notes
      tags:
        - Security Timeline API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    get:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/note</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Returns Security Timeline notes as saved objects.

        **Query modes (mutually exclusive branches on the server):**

        1. **`documentIds` is set** — Returns notes whose `eventId` matches the given Elasticsearch document `_id` (single string or array). Pagination query parameters (`page`, `perPage`, etc.) are **not** applied; the server uses a fixed page size (up to 10000 notes).

        2. **`savedObjectIds` is set** — Returns notes linked to the given Timeline saved object id(s). Same fixed cap as above; list-mode query parameters are **not** applied.

        3. **Neither `documentIds` nor `savedObjectIds`** — Lists notes using saved-objects find semantics: `page` (default 1), `perPage` (default 10), optional `search`, `sortField`, `sortOrder`, `filter`, `createdByFilter`, and `associatedFilter`.

        Requires the **Timeline and Notes** read privilege (`notes_read`).
      operationId: GetNotes
      parameters:
        - description: |
            Event document `_id` values to match against each note's `eventId`. When this parameter is present, the response is all matching notes (up to the server's hard limit), not a paged list using `page`/`perPage`.
          examples:
            multiple:
              summary: Multiple document ids (array)
              value:
                - id-one
                - id-two
            single:
              summary: Single document id
              value: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b
          in: query
          name: documentIds
          schema:
            $ref: '#/components/schemas/Security_Timeline_API_DocumentIds'
        - description: |
            Timeline `savedObjectId` value(s). Returns notes that reference those timelines. When present, list-mode pagination parameters are not used; up to the server's hard limit of notes may be returned.
          examples:
            singleTimeline:
              summary: Single timeline id
              value: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
          in: query
          name: savedObjectIds
          schema:
            $ref: '#/components/schemas/Security_Timeline_API_SavedObjectIds'
        - description: |
            Page number for list mode (when `documentIds` and `savedObjectIds` are omitted). Passed as a string; default 1.
          example: '1'
          in: query
          name: page
          schema:
            nullable: true
            type: string
        - description: |
            Page size for list mode (when `documentIds` and `savedObjectIds` are omitted). Passed as a string; default 10.
          example: '20'
          in: query
          name: perPage
          schema:
            nullable: true
            type: string
        - description: Search string for saved-objects find (list mode only).
          in: query
          name: search
          schema:
            nullable: true
            type: string
        - description: Field to sort by for saved-objects find (list mode only).
          in: query
          name: sortField
          schema:
            nullable: true
            type: string
        - description: Sort order (`asc` or `desc`) for saved-objects find (list mode only).
          example: desc
          in: query
          name: sortOrder
          schema:
            nullable: true
            type: string
        - description: |
            Kuery filter string combined with other list-mode filters (for example `createdByFilter` or `associatedFilter`). Typed as a string for API compatibility; interpreted by the saved-objects layer (list mode only).
          in: query
          name: filter
          schema:
            nullable: true
            type: string
        - description: |
            Kibana user profile **UID** (UUID). The server resolves the user's display identifiers and returns notes whose `createdBy` matches any of them (list mode only).
          example: f1c2d3e4-5b6a-7890-abcd-ef1234567890
          in: query
          name: createdByFilter
          schema:
            nullable: true
            type: string
        - description: |
            Restricts notes by how they relate to a Timeline and/or an event document (list mode only). Some values apply extra filtering after the query. Ignored when `documentIds` or `savedObjectIds` is used.
          in: query
          name: associatedFilter
          schema:
            $ref: '#/components/schemas/Security_Timeline_API_AssociatedFilterType'
      responses:
        '200':
          content:
            application/json:
              examples:
                notesPage:
                  summary: Paged notes for a timeline
                  value:
                    notes:
                      - eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc
                        note: Escalated to tier-2 analyst
                        noteId: 709f99c6-89b6-4953-9160-35945c8e174e
                        timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
                        version: WzQ2LDFd
                    totalCount: 1
              schema:
                $ref: '#/components/schemas/Security_Timeline_API_GetNotesResult'
          description: Notes and total count for the requested mode.
      summary: Get notes
      tags:
        - Security Timeline API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    patch:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb patch">patch</span>&nbsp;<span class="operation-path">/s/{space_id}/api/note</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Creates a new note or updates an existing one.

        **Create:** Send `note` and omit `noteId` to create a new saved object.

        **Update:** Send `note` with the changed fields and set `noteId` to the note's saved object ID. Optionally include `version` for optimistic concurrency when the client has it from a prior read.

        Requires the **Timeline and Notes** write privilege (`notes_write`).
      externalDocs:
        description: Add or update a note on a Timeline
        url: https://www.elastic.co/guide/en/security/current/timeline-api-update.html
      operationId: PersistNoteRoute
      requestBody:
        content:
          application/json:
            examples:
              addNote:
                summary: Add a note on an event
                value:
                  note:
                    eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc
                    note: Escalated to tier-2 analyst
                    timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
            schema:
              type: object
              properties:
                note:
                  $ref: '#/components/schemas/Security_Timeline_API_BareNote'
                  description: Note payload (timeline, text, optional event linkage, metadata).
                noteId:
                  description: The `savedObjectId` of the note to update. Omit when creating a new note.
                  example: 709f99c6-89b6-4953-9160-35945c8e174e
                  nullable: true
                  type: string
                version:
                  description: Saved object version string from a previous read; optional on update.
                  example: WzQ2LDFd
                  nullable: true
                  type: string
              required:
                - note
        description: |
          Body must include the `note` object. For updates, include `noteId` (and optionally `version`).
          To attach a note to a specific event, set `note.eventId` to that event's document `_id`; for a timeline-wide note, omit or clear `eventId` per product rules.
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                persisted:
                  summary: Persisted note wrapper
                  value:
                    note:
                      eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc
                      note: Escalated to tier-2 analyst
                      noteId: 709f99c6-89b6-4953-9160-35945c8e174e
                      timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
                      version: WzQ2LDFd
              schema:
                $ref: '#/components/schemas/Security_Timeline_API_ResponseNote'
          description: The persisted note, including `noteId` and `version`.
      summary: Add or update a note
      tags:
        - Security Timeline API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/observability_ai_assistant/chat/complete:
    post:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/observability_ai_assistant/chat/complete</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Create a new chat completion by using the Observability AI Assistant.

        The API returns the model's response based on the current conversation context.

        It also handles any tool requests within the conversation, which may trigger multiple calls to the underlying large language model (LLM).

        This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
      operationId: observability-ai-assistant-chat-complete
      requestBody:
        content:
          application/json:
            examples:
              chatCompleteRequestExample:
                $ref: '#/components/examples/Observability_AI_Assistant_API_ChatCompleteRequestExample'
            schema:
              type: object
              properties:
                actions:
                  items:
                    $ref: '#/components/schemas/Observability_AI_Assistant_API_Function'
                  type: array
                connectorId:
                  description: A unique identifier for the connector.
                  type: string
                conversationId:
                  description: A unique identifier for the conversation if you are continuing an existing conversation.
                  type: string
                disableFunctions:
                  description: Flag indicating whether all function calls should be disabled for the conversation. If true, no calls to functions will be made.
                  type: boolean
                instructions:
                  description: An array of instruction objects, which can be either simple strings or detailed objects.
                  items:
                    $ref: '#/components/schemas/Observability_AI_Assistant_API_Instruction'
                  type: array
                messages:
                  description: An array of message objects containing the conversation history.
                  items:
                    $ref: '#/components/schemas/Observability_AI_Assistant_API_Message'
                  type: array
                persist:
                  description: Indicates whether the conversation should be saved to storage. If true, the conversation will be saved and will be available in Kibana.
                  type: boolean
                title:
                  description: A title for the conversation.
                  type: string
              required:
                - messages
                - connectorId
                - persist
      responses:
        '200':
          content:
            application/json:
              examples:
                chatCompleteResponseExample:
                  $ref: '#/components/examples/Observability_AI_Assistant_API_ChatCompleteResponseExample'
              schema:
                type: object
          description: Successful response
      summary: Generate a chat completion
      tags:
        - observability_ai_assistant
      x-codeSamples:
        - lang: cURL
          source: |
            curl --request POST 'localhost:5601/api/observability_ai_assistant/chat/complete' -u <username>:<password> -H 'kbn-xsrf: true' -H "Content-Type: application/json" --data '
            {
              "connectorId": "<connectorId>",
              "disableFunctions": false,
              "messages": [
                {
                  "@timestamp": "2025-06-25T23:45:00.000Z",
                  "message": {
                    "role": "user",
                    "content": "Is my Elasticsearch cluster healthy right now?"
                  }
                }
              ],
              "persist": false,
              "actions": [
                {
                  "name": "get_cluster_health",
                  "description": "Fetch the current Elasticsearch cluster-health status and key metrics.",
                  "parameters": {
                    "type": "object",
                    "properties": {
                      "includeShardStats": {
                        "type": "boolean",
                        "default": false
                      }
                    }
                  }
                }
              ],
              "instructions": ["When the user asks about Elasticsearch cluster health, use the get_cluster_health tool to retrieve cluster health, then summarize the response in plain English."]
            }'
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/osquery/history:
    get:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/osquery/history</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get a unified, time-sorted history of live, rule-triggered, and scheduled osquery executions. The response uses cursor-based pagination.
      operationId: OsqueryGetUnifiedHistory
      parameters:
        - description: The number of results to return per page.
          in: query
          name: pageSize
          required: false
          schema:
            default: 20
            description: The number of results to return per page.
            maximum: 100
            minimum: 1
            type: integer
        - description: A base64-encoded cursor for pagination. Use the value from the previous response to fetch the next page.
          in: query
          name: nextPage
          required: false
          schema:
            description: A base64-encoded cursor for pagination. Use the value from the previous response to fetch the next page.
            type: string
        - description: A search string to filter history entries by pack name, query text, or query ID.
          in: query
          name: kuery
          required: false
          schema:
            description: A search string to filter history entries by pack name, query text, or query ID.
            type: string
        - description: Comma-separated list of user IDs to filter live query history.
          in: query
          name: userIds
          required: false
          schema:
            description: Comma-separated list of user IDs to filter live query history.
            example: elastic,admin
            type: string
        - description: Comma-separated list of source types to include. Valid values are `live`, `rule`, and `scheduled`.
          in: query
          name: sourceFilters
          required: false
          schema:
            description: Comma-separated list of source types to include. Valid values are `live`, `rule`, and `scheduled`.
            example: live,scheduled
            type: string
        - description: The start of the time range filter (ISO 8601).
          in: query
          name: startDate
          required: false
          schema:
            description: The start of the time range filter (ISO 8601).
            example: '2024-01-01T00:00:00Z'
            type: string
        - description: The end of the time range filter (ISO 8601).
          in: query
          name: endDate
          required: false
          schema:
            description: The end of the time range filter (ISO 8601).
            example: '2024-12-31T23:59:59Z'
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                unifiedHistoryExample:
                  summary: Example unified history response
                  value:
                    data:
                      - actionId: 609c4c66-ba3d-43fa-afdd-53e244577aa0
                        agentCount: 5
                        errorCount: 0
                        id: 3c42c847-eb30-4452-80e0-728584042334
                        queryName: uptime_query
                        queryText: select * from uptime;
                        source: Live
                        sourceType: live
                        successCount: 5
                        timestamp: '2024-07-26T09:59:32.220Z'
                        totalRows: 42
                        userId: elastic
                      - agentCount: 10
                        errorCount: 1
                        executionCount: 3
                        id: pack_my_pack_uptime_3
                        packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
                        packName: My Pack
                        plannedTime: '2024-07-26T09:00:00.000Z'
                        queryName: uptime
                        queryText: select * from uptime;
                        scheduleId: pack_my_pack_uptime
                        source: Scheduled
                        sourceType: scheduled
                        successCount: 9
                        timestamp: '2024-07-26T09:00:00.000Z'
                        totalRows: 100
                    hasMore: true
                    nextPage: eyJhY3Rpb25TZWFyY2hBZnRlciI6WzE3...
              schema:
                $ref: '#/components/schemas/Security_Osquery_API_GetUnifiedHistoryResponse'
          description: Indicates a successful call.
      summary: Get unified query history
      tags:
        - Security Osquery API
      x-state: Generally available; Added in 9.4.0
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/osquery/live_queries:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/osquery/live_queries</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get a list of all live queries.
      operationId: OsqueryFindLiveQueries
      parameters:
        - description: A KQL search string to filter live queries.
          in: query
          name: kuery
          required: false
          schema:
            $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined'
        - description: The page number to return.
          in: query
          name: page
          required: false
          schema:
            $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined'
        - description: The number of results to return per page.
          in: query
          name: pageSize
          required: false
          schema:
            $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined'
        - description: The field to sort results by.
          in: query
          name: sort
          required: false
          schema:
            $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined'
        - description: The sort order.
          in: query
          name: sortOrder
          required: false
          schema:
            $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined'
      responses:
        '200':
          content:
            application/json:
              examples:
                liveQueriesList:
                  summary: A list of recent live queries
                  value:
                    data:
                      items:
                        - _source:
                            '@timestamp': '2023-10-31T00:00:00Z'
                            action_id: 3c42c847-eb30-4452-80e0-728584042334
                            agents:
                              - 16d7caf5-efd2-4212-9b62-73dafc91fa13
                            expiration: '2023-10-31T00:00:00Z'
                            queries:
                              - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0
                                agents:
                                  - 16d7caf5-efd2-4212-9b62-73dafc91fa13
                                ecs_mapping:
                                  host.uptime:
                                    field: total_seconds
                                id: 6724a474-cbba-41ef-a1aa-66aebf0879e2
                                query: select * from uptime;
                                saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
                            user_id: elastic
                      total: 1
              schema:
                $ref: '#/components/schemas/Security_Osquery_API_FindLiveQueryResponse'
          description: Indicates a successful call.
      summary: Get live queries
      tags:
        - Security Osquery API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/osquery/live_queries</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Create and run a live query.
      operationId: OsqueryCreateLiveQuery
      requestBody:
        content:
          application/json:
            examples:
              singleQueryAllAgents:
                summary: Run a single query on all agents
                value:
                  agent_all: true
                  ecs_mapping:
                    host.uptime:
                      field: total_seconds
                  query: select * from uptime;
              targetedQuery:
                summary: Run a query against specific agents
                value:
                  agent_ids:
                    - 16d7caf5-efd2-4212-9b62-73dafc91fa13
                  query: select * from processes;
            schema:
              $ref: '#/components/schemas/Security_Osquery_API_CreateLiveQueryRequestBody'
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                liveQueryCreated:
                  summary: Live query created
                  value:
                    data:
                      '@timestamp': '2022-07-26T09:59:32.220Z'
                      action_id: 3c42c847-eb30-4452-80e0-728584042334
                      agent_all: true
                      agents:
                        - 16d7caf5-efd2-4212-9b62-73dafc91fa13
                      expiration: '2022-07-26T10:04:32.220Z'
                      input_type: osquery
                      queries:
                        - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0
                          agents:
                            - 16d7caf5-efd2-4212-9b62-73dafc91fa13
                          id: 6724a474-cbba-41ef-a1aa-66aebf0879e2
                          query: select * from uptime;
                          timeout: 120
                      type: INPUT_ACTION
                      user_id: elastic
              schema:
                $ref: '#/components/schemas/Security_Osquery_API_CreateLiveQueryResponse'
          description: Indicates a successful call.
      summary: Create a live query
      tags:
        - Security Osquery API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/osquery/live_queries/{id}:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/osquery/live_queries/{id}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get the details of a live query using the query ID.
      operationId: OsqueryGetLiveQueryDetails
      parameters:
        - description: The ID of the live query.
          in: path
          name: id
          required: true
          schema:
            description: The ID of the live query whose details you want to retrieve.
            example: 3c42c847-eb30-4452-80e0-728584042334
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                liveQueryDetails:
                  summary: Live query details with execution status
                  value:
                    data:
                      '@timestamp': '2022-07-26T09:59:32.220Z'
                      action_id: 3c42c847-eb30-4452-80e0-728584042334
                      agents:
                        - 16d7caf5-efd2-4212-9b62-73dafc91fa13
                      expiration: '2022-07-26T10:04:32.220Z'
                      queries:
                        - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0
                          agents:
                            - 16d7caf5-efd2-4212-9b62-73dafc91fa13
                          docs: 1
                          failed: 0
                          id: 6724a474-cbba-41ef-a1aa-66aebf0879e2
                          pending: 0
                          query: select * from uptime;
                          responded: 1
                          status: completed
                          successful: 1
                      status: completed
                      user_id: elastic
              schema:
                $ref: '#/components/schemas/Security_Osquery_API_FindLiveQueryDetailsResponse'
          description: Indicates a successful call.
      summary: Get live query details
      tags:
        - Security Osquery API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/osquery/live_queries/{id}/results/{actionId}:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/osquery/live_queries/{id}/results/{actionId}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get the results of a live query using the query action ID.
      operationId: OsqueryGetLiveQueryResults
      parameters:
        - description: The ID of the live query.
          in: path
          name: id
          required: true
          schema:
            description: The ID of the live query whose results you want to retrieve.
            example: 3c42c847-eb30-4452-80e0-728584042334
            type: string
        - description: The ID of the query action.
          in: path
          name: actionId
          required: true
          schema:
            description: The ID of the query action that generated the live query results.
            example: 609c4c66-ba3d-43fa-afdd-53e244577aa0
            type: string
        - description: A KQL search string to filter results.
          in: query
          name: kuery
          required: false
          schema:
            $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined'
        - description: The page number to return.
          in: query
          name: page
          required: false
          schema:
            $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined'
        - description: The number of results to return per page.
          in: query
          name: pageSize
          required: false
          schema:
            $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined'
        - description: The field to sort results by.
          in: query
          name: sort
          required: false
          schema:
            $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined'
        - description: The sort order.
          in: query
          name: sortOrder
          required: false
          schema:
            $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined'
      responses:
        '200':
          content:
            application/json:
              examples:
                liveQueryResults:
                  summary: Result rows from a live query execution
                  value:
                    data:
                      edges:
                        - _id: doc1
                          _source:
                            action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0
                            agent:
                              id: 16d7caf5-efd2-4212-9b62-73dafc91fa13
                            osquery:
                              total_seconds: '12345'
                        - _id: doc2
                          _source:
                            action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0
                            agent:
                              id: 16d7caf5-efd2-4212-9b62-73dafc91fa13
                            osquery:
                              total_seconds: '67890'
                      total: 2
              schema:
                $ref: '#/components/schemas/Security_Osquery_API_GetLiveQueryResultsResponse'
          description: Indicates a successful call.
      summary: Get live query results
      tags:
        - Security Osquery API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/osquery/packs:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/osquery/packs</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get a list of all query packs.
      operationId: OsqueryFindPacks
      parameters:
        - description: The page number to return.
          in: query
          name: page
          required: false
          schema:
            $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined'
        - description: The number of results to return per page.
          in: query
          name: pageSize
          required: false
          schema:
            $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined'
        - description: The field to sort results by.
          in: query
          name: sort
          required: false
          schema:
            $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined'
        - description: The sort order.
          in: query
          name: sortOrder
          required: false
          schema:
            $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined'
      responses:
        '200':
          content:
            application/json:
              examples:
                packsList:
                  summary: A list of query packs
                  value:
                    data:
                      - created_at: '2025-02-26T13:37:30.452Z'
                        created_by: elastic
                        description: My pack
                        enabled: true
                        name: my_pack
                        queries:
                          - id: ports
                            interval: 60
                            query: SELECT * FROM listening_ports;
                            removed: false
                            snapshot: true
                            timeout: 120
                        saved_object_id: 1c266590-381f-428c-878f-c80c1334f856
                        updated_at: '2025-02-26T13:37:30.452Z'
                        updated_by: elastic
                        version: 1
                    page: 1
                    per_page: 20
                    total: 1
              schema:
                $ref: '#/components/schemas/Security_Osquery_API_FindPacksResponse'
          description: Indicates a successful call.
      summary: Get packs
      tags:
        - Security Osquery API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/osquery/packs</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Create a query pack.
      operationId: OsqueryCreatePacks
      requestBody:
        content:
          application/json:
            examples:
              createPack:
                summary: Create a pack with a single query
                value:
                  description: My pack
                  enabled: true
                  name: my_pack
                  policy_ids:
                    - my_policy_id
                  queries:
                    ports:
                      ecs_mapping:
                        client.port:
                          field: port
                      interval: 60
                      query: SELECT * FROM listening_ports;
                      timeout: 120
            schema:
              $ref: '#/components/schemas/Security_Osquery_API_CreatePacksRequestBody'
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                packCreated:
                  summary: Pack created
                  value:
                    data:
                      created_at: '2025-02-26T13:37:30.452Z'
                      created_by: elastic
                      description: My pack
                      enabled: true
                      name: my_pack
                      policy_ids:
                        - my_policy_id
                      queries:
                        ports:
                          interval: 60
                          query: SELECT * FROM listening_ports;
                          removed: false
                          snapshot: true
                          timeout: 120
                      saved_object_id: 1c266590-381f-428c-878f-c80c1334f856
                      shards: []
                      updated_at: '2025-02-26T13:37:30.452Z'
                      updated_by: elastic
                      version: 1
              schema:
                $ref: '#/components/schemas/Security_Osquery_API_CreatePacksResponse'
          description: Indicates a successful call.
      summary: Create a pack
      tags:
        - Security Osquery API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/osquery/packs/{id}:
    delete:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/osquery/packs/{id}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Delete a query pack using the pack ID.
      operationId: OsqueryDeletePacks
      parameters:
        - description: The pack ID.
          in: path
          name: id
          required: true
          schema:
            $ref: '#/components/schemas/Security_Osquery_API_PackId'
      responses:
        '200':
          content:
            application/json:
              examples:
                packDeleted:
                  summary: Pack deleted (empty response body)
                  value: {}
              schema:
                type: object
                properties: {}
          description: Indicates a successful call.
      summary: Delete a pack
      tags:
        - Security Osquery API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/osquery/packs/{id}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get the details of a query pack using the pack ID.
      operationId: OsqueryGetPacksDetails
      parameters:
        - description: The pack ID.
          in: path
          name: id
          required: true
          schema:
            $ref: '#/components/schemas/Security_Osquery_API_PackId'
      responses:
        '200':
          content:
            application/json:
              examples:
                packDetails:
                  summary: Pack details
                  value:
                    data:
                      created_at: '2025-02-26T13:37:30.452Z'
                      created_by: elastic
                      description: My pack
                      enabled: true
                      name: my_pack
                      policy_ids:
                        - my_policy_id
                      queries:
                        ports:
                          interval: 60
                          query: SELECT * FROM listening_ports;
                          removed: false
                          snapshot: true
                          timeout: 120
                      saved_object_id: 1c266590-381f-428c-878f-c80c1334f856
                      shards: {}
                      updated_at: '2025-02-26T13:37:30.452Z'
                      updated_by: elastic
                      version: 1
              schema:
                $ref: '#/components/schemas/Security_Osquery_API_FindPackResponse'
          description: Indicates a successful call.
      summary: Get pack details
      tags:
        - Security Osquery API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    put:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb put">put</span>&nbsp;<span class="operation-path">/s/{space_id}/api/osquery/packs/{id}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Update a query pack using the pack ID.
        > info
        > You cannot update a prebuilt pack.
      operationId: OsqueryUpdatePacks
      parameters:
        - description: The pack ID.
          in: path
          name: id
          required: true
          schema:
            $ref: '#/components/schemas/Security_Osquery_API_PackId'
      requestBody:
        content:
          application/json:
            examples:
              renamePack:
                summary: Rename a pack and update its description
                value:
                  description: Updated pack description
                  enabled: true
                  name: my_pack_renamed
            schema:
              $ref: '#/components/schemas/Security_Osquery_API_UpdatePacksRequestBody'
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                packUpdated:
                  summary: Pack updated
                  value:
                    data:
                      description: Updated pack description
                      enabled: true
                      name: my_pack_renamed
                      policy_ids:
                        - my_policy_id
                      queries:
                        ports:
                          interval: 60
                          query: SELECT * FROM listening_ports;
                          removed: false
                          snapshot: true
                          timeout: 120
                      saved_object_id: 1c266590-381f-428c-878f-c80c1334f856
                      shards: []
                      updated_at: '2025-02-27T10:00:00.000Z'
                      updated_by: elastic
                      version: 2
              schema:
                $ref: '#/components/schemas/Security_Osquery_API_UpdatePacksResponse'
          description: Indicates a successful call.
      summary: Update a pack
      tags:
        - Security Osquery API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/osquery/packs/{id}/copy:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/osquery/packs/{id}/copy</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Create a copy of a query pack with a unique name by appending a `_copy` suffix. If the name already exists, a numeric suffix is added (e.g., `_copy_2`). The copied pack is always created with `enabled` set to `false`.
      operationId: OsqueryCopyPacks
      parameters:
        - description: The ID of the pack to copy.
          in: path
          name: id
          required: true
          schema:
            $ref: '#/components/schemas/Security_Osquery_API_PackId'
      responses:
        '200':
          content:
            application/json:
              examples:
                copyPackExample:
                  summary: Example response for copying a pack
                  value:
                    data:
                      created_at: '2025-02-26T13:37:30.452Z'
                      created_by: elastic
                      description: My pack
                      enabled: false
                      name: my_pack_copy
                      policy_ids: []
                      queries:
                        - ecs_mapping:
                            - key: client.port
                              value:
                                field: port
                          id: ports
                          interval: 60
                          query: SELECT * FROM listening_ports;
                          removed: false
                          snapshot: true
                          timeout: 120
                      saved_object_id: 1c266590-381f-428c-878f-c80c1334f856
                      shards: []
                      updated_at: '2025-02-26T13:37:30.452Z'
                      updated_by: elastic
              schema:
                $ref: '#/components/schemas/Security_Osquery_API_CopyPacksResponse'
          description: Indicates a successful call.
      summary: Copy a pack
      tags:
        - Security Osquery API
      x-state: Generally available; Added in 9.4.0
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/osquery/saved_queries:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/osquery/saved_queries</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get a list of all saved queries.
      operationId: OsqueryFindSavedQueries
      parameters:
        - description: The page number to return.
          in: query
          name: page
          required: false
          schema:
            $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined'
        - description: The number of results to return per page.
          in: query
          name: pageSize
          required: false
          schema:
            $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined'
        - description: The field to sort results by.
          in: query
          name: sort
          required: false
          schema:
            $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined'
        - description: The sort order.
          in: query
          name: sortOrder
          required: false
          schema:
            $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined'
      responses:
        '200':
          content:
            application/json:
              examples:
                savedQueriesList:
                  summary: A list of saved queries
                  value:
                    data:
                      - created_at: '2025-02-26T13:37:30.452Z'
                        created_by: elastic
                        description: Saved query description
                        ecs_mapping:
                          host.uptime:
                            field: total_seconds
                        id: my_saved_query
                        interval: '60'
                        platform: linux,darwin
                        query: select * from uptime;
                        saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c
                        timeout: 120
                        updated_at: '2025-02-26T13:37:30.452Z'
                        updated_by: elastic
                    page: 1
                    per_page: 20
                    total: 1
              schema:
                $ref: '#/components/schemas/Security_Osquery_API_FindSavedQueryResponse'
          description: Indicates a successful call.
      summary: Get saved queries
      tags:
        - Security Osquery API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/osquery/saved_queries</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Create and save a query for later use.
      operationId: OsqueryCreateSavedQuery
      requestBody:
        content:
          application/json:
            examples:
              createSavedQuery:
                summary: Create a saved query
                value:
                  description: Saved query description
                  ecs_mapping:
                    host.uptime:
                      field: total_seconds
                  id: my_saved_query
                  interval: '60'
                  platform: linux,darwin
                  query: select * from uptime;
                  timeout: 120
            schema:
              $ref: '#/components/schemas/Security_Osquery_API_CreateSavedQueryRequestBody'
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                savedQueryCreated:
                  summary: Saved query created
                  value:
                    data:
                      created_at: '2025-02-26T13:37:30.452Z'
                      created_by: elastic
                      description: Saved query description
                      ecs_mapping:
                        host.uptime:
                          field: total_seconds
                      id: my_saved_query
                      interval: '60'
                      platform: linux,darwin
                      query: select * from uptime;
                      saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c
                      timeout: 120
                      updated_at: '2025-02-26T13:37:30.452Z'
                      updated_by: elastic
              schema:
                $ref: '#/components/schemas/Security_Osquery_API_CreateSavedQueryResponse'
          description: Indicates a successful call.
      summary: Create a saved query
      tags:
        - Security Osquery API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/osquery/saved_queries/{id}:
    delete:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/osquery/saved_queries/{id}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Delete a saved query using the query ID.
      operationId: OsqueryDeleteSavedQuery
      parameters:
        - description: The saved query ID.
          in: path
          name: id
          required: true
          schema:
            $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId'
      responses:
        '200':
          content:
            application/json:
              examples:
                savedQueryDeleted:
                  summary: Saved query deleted (empty response body)
                  value: {}
              schema:
                $ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
          description: Indicates a successful call.
      summary: Delete a saved query
      tags:
        - Security Osquery API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/osquery/saved_queries/{id}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get the details of a saved query using the query ID.
      operationId: OsqueryGetSavedQueryDetails
      parameters:
        - description: The saved query ID.
          in: path
          name: id
          required: true
          schema:
            $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId'
      responses:
        '200':
          content:
            application/json:
              examples:
                savedQueryDetails:
                  summary: Saved query details
                  value:
                    data:
                      created_at: '2025-02-26T13:37:30.452Z'
                      created_by: elastic
                      description: Saved query description
                      ecs_mapping:
                        host.uptime:
                          field: total_seconds
                      id: my_saved_query
                      interval: '60'
                      platform: linux,darwin
                      query: select * from uptime;
                      saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c
                      timeout: 120
                      updated_at: '2025-02-26T13:37:30.452Z'
                      updated_by: elastic
              schema:
                $ref: '#/components/schemas/Security_Osquery_API_FindSavedQueryDetailResponse'
          description: Indicates a successful call.
      summary: Get saved query details
      tags:
        - Security Osquery API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    put:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb put">put</span>&nbsp;<span class="operation-path">/s/{space_id}/api/osquery/saved_queries/{id}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Update a saved query using the query ID.
        > info
        > You cannot update a prebuilt saved query.
      operationId: OsqueryUpdateSavedQuery
      parameters:
        - description: The saved query ID.
          in: path
          name: id
          required: true
          schema:
            $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId'
      requestBody:
        content:
          application/json:
            examples:
              updateSavedQuery:
                summary: Update a saved query
                value:
                  description: Updated saved query description
                  id: my_saved_query
                  interval: '120'
                  platform: linux,darwin
                  query: select * from osquery_info;
                  timeout: 60
            schema:
              $ref: '#/components/schemas/Security_Osquery_API_UpdateSavedQueryRequestBody'
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                savedQueryUpdated:
                  summary: Saved query updated
                  value:
                    data:
                      description: Updated saved query description
                      id: my_saved_query
                      interval: '120'
                      platform: linux,darwin
                      query: select * from osquery_info;
                      saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c
                      timeout: 60
                      updated_at: '2025-02-27T10:00:00.000Z'
                      updated_by: elastic
              schema:
                $ref: '#/components/schemas/Security_Osquery_API_UpdateSavedQueryResponse'
          description: Indicates a successful call.
      summary: Update a saved query
      tags:
        - Security Osquery API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/osquery/saved_queries/{id}/copy:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/osquery/saved_queries/{id}/copy</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Create a copy of a saved query with a unique name by appending a `_copy` suffix. If the name already exists, a numeric suffix is added (e.g., `_copy_2`).
      operationId: OsqueryCopySavedQuery
      parameters:
        - description: The ID of the saved query to copy.
          in: path
          name: id
          required: true
          schema:
            $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId'
      responses:
        '200':
          content:
            application/json:
              examples:
                copySavedQueryExample:
                  summary: Example response for copying a saved query
                  value:
                    data:
                      created_at: '2025-02-26T13:37:30.452Z'
                      created_by: elastic
                      description: Saved query description
                      ecs_mapping:
                        host.uptime:
                          field: total_seconds
                      id: my_saved_query_copy
                      interval: '60'
                      platform: linux,darwin
                      query: select * from uptime;
                      removed: false
                      saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c
                      snapshot: true
                      timeout: 120
                      updated_at: '2025-02-26T13:37:30.452Z'
                      updated_by: elastic
              schema:
                $ref: '#/components/schemas/Security_Osquery_API_CopySavedQueryResponse'
          description: Indicates a successful call.
      summary: Copy a saved query
      tags:
        - Security Osquery API
      x-state: Generally available; Added in 9.4.0
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/osquery/scheduled_results/{scheduleId}/{executionCount}:
    get:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/osquery/scheduled_results/{scheduleId}/{executionCount}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get paginated per-agent action results for a specific scheduled query execution, with success/failure aggregation and execution metadata (pack name, query name/text, timestamp).
      operationId: OsqueryGetScheduledActionResults
      parameters:
        - description: The schedule ID of the scheduled query.
          in: path
          name: scheduleId
          required: true
          schema:
            description: The schedule ID of the scheduled query.
            example: pack_my_pack_uptime
            type: string
        - description: The execution count for this scheduled query run.
          in: path
          name: executionCount
          required: true
          schema:
            description: The execution count for this scheduled query run.
            example: 3
            type: integer
        - description: The kuery to filter the results by.
          in: query
          name: kuery
          required: false
          schema:
            $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined'
        - description: The page number to return. The default is 1.
          in: query
          name: page
          required: false
          schema:
            $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined'
        - description: The number of results to return per page. The default is 20.
          in: query
          name: pageSize
          required: false
          schema:
            $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined'
        - description: The field that is used to sort the results.
          in: query
          name: sort
          required: false
          schema:
            $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined'
        - description: Specifies the sort order.
          in: query
          name: sortOrder
          required: false
          schema:
            $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined'
      responses:
        '200':
          content:
            application/json:
              examples:
                scheduledActionResultsExample:
                  summary: Example scheduled action results response
                  value:
                    aggregations:
                      failed: 1
                      pending: 0
                      successful: 9
                      totalResponded: 10
                      totalRowCount: 42
                    currentPage: 0
                    edges:
                      - _id: result-001
                        fields:
                          agent_id: 16d7caf5-efd2-4212-9b62-73dafc91fa13
                          rows_count: 5
                          status: success
                    metadata:
                      executionCount: 3
                      packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
                      packName: My Pack
                      queryName: uptime
                      queryText: select * from uptime;
                      scheduleId: pack_my_pack_uptime
                      timestamp: '2024-07-26T09:00:00.000Z'
                    pageSize: 20
                    total: 10
                    totalPages: 1
              schema:
                $ref: '#/components/schemas/Security_Osquery_API_GetScheduledActionResultsResponse'
          description: Indicates a successful call.
      summary: Get scheduled action results
      tags:
        - Security Osquery API
      x-state: Generally available; Added in 9.4.0
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/osquery/scheduled_results/{scheduleId}/{executionCount}/results:
    get:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/osquery/scheduled_results/{scheduleId}/{executionCount}/results</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get paginated query result rows (the actual osquery output data) for a specific scheduled query execution.
      operationId: OsqueryGetScheduledQueryResults
      parameters:
        - description: The schedule ID of the scheduled query.
          in: path
          name: scheduleId
          required: true
          schema:
            description: The schedule ID of the scheduled query.
            example: pack_my_pack_uptime
            type: string
        - description: The execution count for this scheduled query run.
          in: path
          name: executionCount
          required: true
          schema:
            description: The execution count for this scheduled query run.
            example: 3
            type: integer
        - description: The kuery to filter the results by.
          in: query
          name: kuery
          required: false
          schema:
            $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined'
        - description: The page number to return. The default is 1.
          in: query
          name: page
          required: false
          schema:
            $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined'
        - description: The number of results to return per page. The default is 20.
          in: query
          name: pageSize
          required: false
          schema:
            $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined'
        - description: The field that is used to sort the results.
          in: query
          name: sort
          required: false
          schema:
            $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined'
        - description: Specifies the sort order.
          in: query
          name: sortOrder
          required: false
          schema:
            $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined'
        - description: The start date filter (ISO 8601) to narrow down results.
          in: query
          name: startDate
          required: false
          schema:
            description: The start date filter (ISO 8601) to narrow down results.
            example: '2024-01-01T00:00:00Z'
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                scheduledQueryResultsExample:
                  summary: Example scheduled query results response
                  value:
                    data:
                      edges:
                        - _id: row-001
                          fields:
                            host.uptime:
                              - '12345'
                        - _id: row-002
                          fields:
                            host.uptime:
                              - '67890'
                      total: 2
              schema:
                $ref: '#/components/schemas/Security_Osquery_API_GetScheduledQueryResultsResponse'
          description: Indicates a successful call.
      summary: Get scheduled query results
      tags:
        - Security Osquery API
      x-state: Generally available; Added in 9.4.0
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/pinned_event:
    patch:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb patch">patch</span>&nbsp;<span class="operation-path">/s/{space_id}/api/pinned_event</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Pin/unpin an event to/from an existing Timeline.
      operationId: PersistPinnedEventRoute
      requestBody:
        content:
          application/json:
            examples:
              pinEvent:
                summary: Pin an event
                value:
                  eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc
                  timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
            schema:
              type: object
              properties:
                eventId:
                  description: The `_id` of the associated event for this pinned event.
                  example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc
                  type: string
                pinnedEventId:
                  description: The `savedObjectId` of the pinned event you want to unpin.
                  example: 10r1929b-0af7-42bd-85a8-56e234f98h2f3
                  nullable: true
                  type: string
                timelineId:
                  description: The `savedObjectId` of the timeline that you want this pinned event unpinned from.
                  example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
                  type: string
              required:
                - eventId
                - timelineId
        description: The pinned event to add or unpin, along with additional metadata.
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                pinnedSaved:
                  summary: Pinned event saved object
                  value:
                    eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc
                    pinnedEventId: 10r1929b-0af7-42bd-85a8-56e234f98h2f3
                    timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
                    version: WzQ2LDFe
                unpinned:
                  summary: Unpin response
                  value:
                    unpinned: true
              schema:
                $ref: '#/components/schemas/Security_Timeline_API_PersistPinnedEventResponse'
          description: Indicates a successful call.
      summary: Pin/unpin an event
      tags:
        - Security Timeline API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/risk_score/engine/dangerously_delete_data:
    delete:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/risk_score/engine/dangerously_delete_data</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Clean up the Risk Engine by removing the indices, mapping and transforms.
      operationId: CleanUpRiskEngine
      responses:
        '200':
          content:
            application/json:
              examples:
                CleanUpRiskEngineResponse:
                  summary: Successful cleanup response
                  value:
                    cleanup_successful: true
              schema:
                type: object
                properties:
                  cleanup_successful:
                    type: boolean
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                taskManagerUnavailable:
                  summary: Task manager is unavailable
                  value:
                    message: Task Manager is unavailable, but is required by the risk engine. Please enable the taskManager plugin and try again.
                    status_code: 400
              schema:
                $ref: '#/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse'
          description: Task manager is unavailable
        default:
          content:
            application/json:
              examples:
                cleanupFailed:
                  summary: Cleanup failed
                  value:
                    cleanup_successful: false
                    errors:
                      - error: Risk engine is disabled or deleted already.
                        seq: 1
              schema:
                $ref: '#/components/schemas/Security_Entity_Analytics_API_CleanUpRiskEngineErrorResponse'
          description: Unexpected error
      summary: Cleanup the Risk Engine
      tags:
        - Security Entity Analytics API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/risk_score/engine/saved_object/configure:
    patch:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb patch">patch</span>&nbsp;<span class="operation-path">/s/{space_id}/api/risk_score/engine/saved_object/configure</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Configure the Risk Engine Saved Object.
      operationId: ConfigureRiskEngineSavedObject
      requestBody:
        content:
          application/json:
            examples:
              ConfigureRiskEngineSavedObjectRequest:
                summary: Configure the risk engine saved object
                value:
                  enable_reset_to_zero: false
                  exclude_alert_statuses:
                    - closed
                  exclude_alert_tags:
                    - low-priority
                  filters:
                    - entity_types:
                        - host
                        - user
                      filter: 'host.name: *'
                  range:
                    end: now
                    start: now-30d
            schema:
              type: object
              properties:
                enable_reset_to_zero:
                  type: boolean
                exclude_alert_statuses:
                  items:
                    type: string
                  type: array
                exclude_alert_tags:
                  items:
                    type: string
                  type: array
                filters:
                  items:
                    type: object
                    properties:
                      entity_types:
                        items:
                          enum:
                            - host
                            - user
                            - service
                          type: string
                        type: array
                      filter:
                        description: KQL filter string
                        type: string
                    required:
                      - entity_types
                      - filter
                  type: array
                page_size:
                  description: |
                    Number of entities to score per page. Higher values reduce total scoring time by reducing the number of alert-index scans, but cannot exceed the ES|QL result limit (10,000 by default).
                  maximum: 10000
                  minimum: 100
                  type: integer
                range:
                  type: object
                  properties:
                    end:
                      type: string
                    start:
                      type: string
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                ConfigureRiskEngineSavedObjectResponse:
                  summary: Successful configuration response
                  value:
                    risk_engine_saved_object_configured: true
              schema:
                type: object
                properties:
                  risk_engine_saved_object_configured:
                    type: boolean
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                taskManagerUnavailable:
                  summary: Task manager is unavailable
                  value:
                    message: Task Manager is unavailable, but is required by the risk engine. Please enable the taskManager plugin and try again.
                    status_code: 400
              schema:
                $ref: '#/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse'
          description: Task manager is unavailable
        default:
          content:
            application/json:
              examples:
                configureError:
                  summary: Configure saved object failed
                  value:
                    errors:
                      - error: Internal server error
                        seq: 1
                    risk_engine_saved_object_configured: false
              schema:
                $ref: '#/components/schemas/Security_Entity_Analytics_API_ConfigureRiskEngineSavedObjectErrorResponse'
          description: Unexpected error
      summary: Configure the Risk Engine Saved Object
      tags:
        - Security Entity Analytics API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/risk_score/engine/schedule_now:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/risk_score/engine/schedule_now</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Schedule the risk scoring engine to run as soon as possible. You can use this to recalculate entity risk scores after updating their asset criticality.
      operationId: ScheduleRiskEngineNow
      requestBody:
        content:
          application/json:
            examples:
              emptyRequest:
                summary: No request body
                value: {}
            schema:
              type: object
      responses:
        '200':
          content:
            application/json:
              examples:
                ScheduleRiskEngineNowResponse:
                  summary: Successful schedule response
                  value:
                    success: true
              schema:
                $ref: '#/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowResponse'
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                taskManagerUnavailable:
                  summary: Task manager is unavailable
                  value:
                    message: Task Manager is unavailable, but is required by the risk engine. Please enable the taskManager plugin and try again.
                    status_code: 400
              schema:
                $ref: '#/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse'
          description: Task manager is unavailable
        default:
          content:
            application/json:
              examples:
                scheduleNowError:
                  summary: Schedule now failed
                  value:
                    full_error: '{}'
                    message: Internal server error
              schema:
                $ref: '#/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse'
          description: Unexpected error
      summary: Run the risk scoring engine
      tags:
        - Security Entity Analytics API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/saved_objects/_export:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/saved_objects/_export</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Retrieve sets of saved objects that you want to import into Kibana. You must include `type` or `objects` in the request body. The output of exporting saved objects must be treated as opaque. Tampering with exported data risks introducing unspecified errors and data loss.

        Exported saved objects are not backwards compatible and cannot be imported into an older version of Kibana.

        NOTE: The exported saved objects include `coreMigrationVersion` and `typeMigrationVersion` metadata. If you store exported saved objects outside of Kibana (for example in NDJSON files) or generate them yourself, you must preserve or include these fields to retain forward compatibility across Kibana versions.

        NOTE: The `savedObjects.maxImportExportSize` configuration setting limits the number of saved objects which may be exported.
      operationId: post-saved-objects-export
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            examples:
              exportSavedObjectsRequest:
                summary: Export a specific saved object
                value:
                  excludeExportDetails: true
                  includeReferencesDeep: false
                  objects:
                    - id: example-dashboard-1
                      type: dashboard
            schema:
              additionalProperties: false
              type: object
              properties:
                excludeExportDetails:
                  default: false
                  description: Do not add export details entry at the end of the stream.
                  type: boolean
                hasReference:
                  anyOf:
                    - additionalProperties: false
                      type: object
                      properties:
                        id:
                          type: string
                        type:
                          type: string
                      required:
                        - type
                        - id
                    - items:
                        additionalProperties: false
                        type: object
                        properties:
                          id:
                            type: string
                          type:
                            type: string
                        required:
                          - type
                          - id
                      maxItems: 100
                      type: array
                includeReferencesDeep:
                  default: false
                  description: Includes all of the referenced objects in the exported objects.
                  type: boolean
                objects:
                  description: 'A list of objects to export. NOTE: This optional parameter cannot be combined with the `type` option.'
                  items:
                    additionalProperties: false
                    type: object
                    properties:
                      id:
                        type: string
                      type:
                        type: string
                    required:
                      - type
                      - id
                  maxItems: 10000
                  type: array
                search:
                  description: Search for documents to export using the Elasticsearch Simple Query String syntax.
                  type: string
                type:
                  anyOf:
                    - type: string
                    - items:
                        type: string
                      maxItems: 100
                      type: array
                  description: The saved object types to include in the export. Use `*` to export all the types. Valid options depend on enabled plugins, but may include `visualization`, `dashboard`, `search`, `index-pattern`, `tag`, `config`, `config-global`, `lens`, `map`, `event-annotation-group`, `query`, `url`, `action`, `alert`, `alerting_rule_template`, `apm-indices`, `cases-user-actions`, `cases`, `cases-comments`, `infrastructure-monitoring-log-view`, `ml-trained-model`, `osquery-saved-query`, `osquery-pack`, `osquery-pack-asset`.
      responses:
        '200':
          content:
            application/x-ndjson:
              examples:
                exportSavedObjectsResponse:
                  summary: The export response contains an NDJSON record for each exported object
                  value: |
                    {"id":"example-dashboard-1","type":"dashboard","attributes":{"title":"Example dashboard 1"},"references":[],"managed":false}
                    {"exportedCount":1,"missingRefCount":0,"missingReferences":[]}
              schema: {}
          description: Indicates a successful call.
        '400':
          content:
            application/json:
              examples:
                badRequestResponse:
                  summary: A bad request error
                  value:
                    error: Bad Request
                    message: 'Either `type` or `objects` are required.: Bad Request'
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Indicates an unsuccessful response.
                type: object
                properties:
                  error:
                    type: string
                  message:
                    type: string
                  statusCode:
                    enum:
                      - 400
                    type: integer
                required:
                  - error
                  - message
                  - statusCode
          description: Bad request.
      summary: Export saved objects
      tags:
        - saved objects
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X POST "${KIBANA_URL}/api/saved_objects/_export" \
              -H "Authorization: ApiKey ${API_KEY}" \
              -H "kbn-xsrf: true" \
              -H "Content-Type: application/json" \
              -d '{"objects":[{"type":"dashboard","id":"example-dashboard-1"}],"includeReferencesDeep":false,"excludeExportDetails":true}'
        - lang: Console
          source: |
            POST kbn:/api/saved_objects/_export
            {"objects":[{"type":"dashboard","id":"example-dashboard-1"}],"includeReferencesDeep":false,"excludeExportDetails":true}
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/saved_objects/_import:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/saved_objects/_import</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Create sets of Kibana saved objects from a file created by the export API. Saved objects can only be imported into the same version, a newer minor on the same major, or the next major. Tampering with exported data risks introducing unspecified errors and data loss.

        Exported saved objects are not backwards compatible and cannot be imported into an older version of Kibana.

        NOTE: The exported saved objects include `coreMigrationVersion` and `typeMigrationVersion` metadata. If you store exported saved objects outside of Kibana (for example in NDJSON files) or generate them yourself, you must preserve or include these fields to retain forwards compatibility across Kibana versions.
      operationId: post-saved-objects-import
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: 'Overwrites saved objects when they already exist. When used, potential conflict errors are automatically resolved by overwriting the destination object. NOTE: This option cannot be used with the `createNewCopies` option.'
          in: query
          name: overwrite
          required: false
          schema:
            default: false
            type: boolean
        - description: 'Creates copies of saved objects, regenerates each object ID, and resets the origin. When used, potential conflict errors are avoided. NOTE: This option cannot be used with the `overwrite` and `compatibilityMode` options.'
          in: query
          name: createNewCopies
          required: false
          schema:
            default: false
            type: boolean
        - description: 'Applies various adjustments to the saved objects that are being imported to maintain compatibility between different Kibana versions. Use this option only if you encounter issues with imported saved objects. NOTE: This option cannot be used with the `createNewCopies` option.'
          in: query
          name: compatibilityMode
          required: false
          schema:
            default: false
            type: boolean
      requestBody:
        content:
          multipart/form-data:
            examples:
              importObjectsRequest:
                summary: Import saved objects from an NDJSON file
                value:
                  file: file.ndjson
            schema:
              additionalProperties: false
              type: object
              properties:
                file:
                  description: 'A file exported using the export API. Changing the contents of the exported file in any way before importing it can cause errors, crashes or data loss. NOTE: The `savedObjects.maxImportExportSize` configuration setting limits the number of saved objects which may be included in this file. Similarly, the `savedObjects.maxImportPayloadBytes` setting limits the overall size of the file that can be imported.'
                  type: object
              required:
                - file
      responses:
        '200':
          content:
            application/json:
              examples:
                importObjectsResponse:
                  summary: A successful import response
                  value:
                    errors: []
                    success: true
                    successCount: 1
                    successResults:
                      - destinationId: example-dashboard-1-copy
                        id: example-dashboard-1
                        managed: false
                        type: dashboard
              schema:
                additionalProperties: false
                type: object
                properties:
                  errors:
                    description: |-
                      Indicates the import was unsuccessful and specifies the objects that failed to import.

                      NOTE: One object may result in multiple errors, which require separate steps to resolve. For instance, a `missing_references` error and a conflict error.
                    items:
                      additionalProperties: true
                      type: object
                      properties: {}
                    type: array
                  success:
                    description: Indicates whether the import completed successfully. When set to false, some objects may not have been created. For additional information, refer to the `errors` and `successResults` properties.
                    type: boolean
                  successCount:
                    description: Indicates the number of successfully imported records.
                    type: number
                  successResults:
                    description: |-
                      Indicates the objects that are successfully imported, with any metadata if applicable.

                      NOTE: Objects are created only when all resolvable errors are addressed, including conflicts and missing references. If objects are created as new copies, each entry in the `successResults` array includes a `destinationId` attribute.
                    items:
                      additionalProperties: true
                      type: object
                      properties: {}
                    type: array
                required:
                  - success
                  - successCount
                  - errors
                  - successResults
          description: Indicates a successful call.
        '400':
          content:
            application/json:
              examples:
                badRequestResponse:
                  summary: A bad request error
                  value:
                    error: Bad Request
                    message: Invalid file extension .txt
                    statusCode: 400
              schema:
                additionalProperties: false
                description: Indicates an unsuccessful response.
                type: object
                properties:
                  error:
                    type: string
                  message:
                    type: string
                  statusCode:
                    enum:
                      - 400
                    type: integer
                required:
                  - error
                  - message
                  - statusCode
          description: Bad request.
      summary: Import saved objects
      tags:
        - saved objects
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X POST "${KIBANA_URL}/api/saved_objects/_import?createNewCopies=true" \
              -H "Authorization: ApiKey ${API_KEY}" \
              -H "kbn-xsrf: true" \
              --form file=@file.ndjson
        - lang: Console
          source: |
            POST kbn:/api/saved_objects/_import?createNewCopies=true
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/saved_objects/_resolve_import_errors:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/saved_objects/_resolve_import_errors</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        To resolve errors from the import objects API, you can retry certain saved objects, overwrite specific saved objects, and change references to different saved objects.
      operationId: post-saved-objects-resolve-import-errors
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: Creates copies of saved objects, regenerates each object ID, and resets the origin.
          in: query
          name: createNewCopies
          required: false
          schema:
            default: false
            type: boolean
        - description: Applies adjustments to maintain compatibility between different Kibana versions.
          in: query
          name: compatibilityMode
          required: false
          schema:
            default: false
            type: boolean
      requestBody:
        content:
          multipart/form-data:
            examples:
              resolveImportErrorsRequest:
                summary: Resolve import errors by retrying objects
                value:
                  file: file.ndjson
                  retries:
                    - id: example-dashboard-1
                      overwrite: true
                      replaceReferences: []
                      type: dashboard
            schema:
              additionalProperties: false
              type: object
              properties:
                file:
                  type: object
                retries:
                  items:
                    additionalProperties: false
                    type: object
                    properties:
                      createNewCopy:
                        type: boolean
                      destinationId:
                        type: string
                      id:
                        type: string
                      ignoreMissingReferences:
                        type: boolean
                      overwrite:
                        default: false
                        type: boolean
                      replaceReferences:
                        default: []
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            from:
                              type: string
                            to:
                              type: string
                            type:
                              type: string
                          required:
                            - type
                            - from
                            - to
                        maxItems: 100
                        type: array
                      type:
                        type: string
                    required:
                      - type
                      - id
                  maxItems: 10000
                  type: array
              required:
                - file
                - retries
      responses:
        '200':
          content:
            application/json:
              examples:
                resolveImportErrorsResponse:
                  summary: A successful resolve import errors response
                  value:
                    errors: []
                    success: true
                    successCount: 1
                    successResults:
                      - id: example-dashboard-1
                        managed: false
                        type: dashboard
          description: A successful resolve import errors response.
        '400':
          content:
            application/json:
              examples:
                badRequestResponse:
                  summary: A bad request error
                  value:
                    error: Bad Request
                    message: Invalid file extension .txt
                    statusCode: 400
          description: A bad request.
      summary: Resolve import errors
      tags:
        - saved objects
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X POST "${KIBANA_URL}/api/saved_objects/_resolve_import_errors" \
              -H "Authorization: ApiKey ${API_KEY}" \
              -H "kbn-xsrf: true" \
              --form file=@file.ndjson \
              --form retries='[{"type":"dashboard","id":"example-dashboard-1","overwrite":true,"replaceReferences":[]}]'
        - lang: Console
          source: |
            POST kbn:/api/saved_objects/_resolve_import_errors
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/security_ai_assistant/anonymization_fields/_bulk_action:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/security_ai_assistant/anonymization_fields/_bulk_action</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Apply a bulk action to multiple anonymization fields. The bulk action is applied to all anonymization fields that match the filter or to the list of anonymization fields by their IDs.
      operationId: PerformAnonymizationFieldsBulkAction
      requestBody:
        content:
          application/json:
            examples:
              PerformAnonymizationFieldsBulkActionRequest:
                value:
                  create:
                    - allowed: true
                      anonymized: false
                      field: host.name
                    - allowed: false
                      anonymized: true
                      field: user.name
                  delete:
                    ids:
                      - field5
                      - field6
                    query: 'field: host.name'
                  update:
                    - allowed: true
                      anonymized: false
                      id: field8
                    - allowed: false
                      anonymized: true
                      id: field9
            schema:
              example:
                create:
                  - allowed: true
                    anonymized: false
                    field: host.name
                  - allowed: false
                    anonymized: true
                    field: user.name
                delete:
                  ids:
                    - field5
                    - field6
                  query: 'field: host.name'
                update:
                  - allowed: true
                    anonymized: false
                    id: field8
                  - allowed: false
                    anonymized: true
                    id: field9
              type: object
              properties:
                create:
                  description: Array of anonymization fields to create.
                  items:
                    $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldCreateProps'
                  type: array
                delete:
                  description: Object containing the query to filter anonymization fields and/or an array of anonymization field IDs to delete.
                  type: object
                  properties:
                    ids:
                      description: Array of IDs to apply the action to.
                      example:
                        - '1234'
                        - '5678'
                      items:
                        type: string
                      minItems: 1
                      type: array
                    query:
                      description: Query to filter the bulk action.
                      example: 'status: ''inactive'''
                      type: string
                update:
                  description: Array of anonymization fields to update.
                  items:
                    $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldUpdateProps'
                  type: array
      responses:
        '200':
          content:
            application/json:
              examples:
                PerformAnonymizationFieldsBulkActionResponse200Example:
                  value:
                    anonymization_fields_count: 4
                    attributes:
                      results:
                        created:
                          - allowed: false
                            anonymized: true
                            createdAt: '2023-10-31T12:00:00Z'
                            createdBy: user1
                            field: host.name
                            id: field2
                            namespace: default
                            timestamp: '2023-10-31T12:00:00Z'
                            updatedAt: '2023-10-31T12:00:00Z'
                            updatedBy: user1
                        deleted:
                          - field3
                        skipped:
                          - id: field4
                            name: user.name
                            skip_reason: ANONYMIZATION_FIELD_NOT_MODIFIED
                        updated:
                          - allowed: true
                            anonymized: false
                            createdAt: '2023-10-31T12:00:00Z'
                            createdBy: user1
                            field: url.domain
                            id: field8
                            namespace: default
                            timestamp: '2023-10-31T12:00:00Z'
                            updatedAt: '2023-10-31T12:00:00Z'
                            updatedBy: user1
                      summary:
                        failed: 0
                        skipped: 1
                        succeeded: 3
                        total: 4
                    message: Bulk action completed successfully
                    status_code: 200
                    success: true
              schema:
                $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResponse'
          description: Indicates a successful call.
        '400':
          content:
            application/json:
              examples:
                PerformAnonymizationFieldsBulkActionResponse400Example:
                  value:
                    error: Bad Request
                    message: Invalid request body
                    statusCode: 400
              schema:
                type: object
                properties:
                  error:
                    description: Error type or name.
                    type: string
                  message:
                    description: Detailed error message.
                    type: string
                  statusCode:
                    description: Status code of the response.
                    type: number
          description: Bad Request response.
      summary: Apply a bulk action to anonymization fields
      tags:
        - Security AI Assistant API
      x-codeSamples:
        - label: Example request
          lang: curl
          source: |
            curl \
             --request POST 'http://localhost:5601/api/security_ai_assistant/anonymization_fields/_bulk_action' \
             --header "Authorization: $API_KEY" \
             --header "Content-Type: application/json" \
             --data '{"create":[{"field":"host.name","allowed":true,"anonymized":false}]}'
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/security_ai_assistant/anonymization_fields/_find:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/security_ai_assistant/anonymization_fields/_find</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get a list of all anonymization fields.
      operationId: FindAnonymizationFields
      parameters:
        - description: Fields to return
          example:
            - id
            - field
            - anonymized
            - allowed
          in: query
          name: fields
          required: false
          schema:
            items:
              type: string
            type: array
        - description: Search query
          example: 'field: "user.name"'
          in: query
          name: filter
          required: false
          schema:
            type: string
        - description: Field to sort by
          example: created_at
          in: query
          name: sort_field
          required: false
          schema:
            $ref: '#/components/schemas/Security_AI_Assistant_API_FindAnonymizationFieldsSortField'
        - description: Sort order
          example: asc
          in: query
          name: sort_order
          required: false
          schema:
            $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder'
        - description: Page number
          example: 1
          in: query
          name: page
          required: false
          schema:
            default: 1
            minimum: 1
            type: integer
        - description: AnonymizationFields per page
          example: 20
          in: query
          name: per_page
          required: false
          schema:
            default: 20
            minimum: 0
            type: integer
        - description: If true, additionally fetch all anonymization fields; otherwise, fetch only the provided page.
          in: query
          name: all_data
          required: false
          schema:
            type: boolean
      responses:
        '200':
          content:
            application/json:
              examples:
                FindAnonymizationFieldsResponse200Example:
                  value:
                    aggregations:
                      field_status:
                        buckets:
                          allowed:
                            doc_count: 1
                          anonymized:
                            doc_count: 1
                          denied:
                            doc_count: 1
                    all:
                      - allowed: true
                        anonymized: true
                        createdAt: '2023-10-31T12:00:00Z'
                        createdBy: user1
                        field: user.name
                        id: '1'
                        namespace: default
                        timestamp: '2023-10-31T12:00:00Z'
                        updatedAt: '2023-10-31T12:00:00Z'
                        updatedBy: user1
                    data:
                      - allowed: true
                        anonymized: true
                        createdAt: '2023-10-31T12:00:00Z'
                        createdBy: user1
                        field: user.name
                        id: '1'
                        namespace: default
                        timestamp: '2023-10-31T12:00:00Z'
                        updatedAt: '2023-10-31T12:00:00Z'
                        updatedBy: user1
                    page: 1
                    perPage: 20
                    total: 100
              schema:
                type: object
                properties:
                  aggregations:
                    type: object
                    properties:
                      field_status:
                        type: object
                        properties:
                          buckets:
                            type: object
                            properties:
                              allowed:
                                type: object
                                properties:
                                  doc_count:
                                    default: 0
                                    type: integer
                              anonymized:
                                type: object
                                properties:
                                  doc_count:
                                    default: 0
                                    type: integer
                              denied:
                                type: object
                                properties:
                                  doc_count:
                                    default: 0
                                    type: integer
                  all:
                    items:
                      $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse'
                    type: array
                  data:
                    items:
                      $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse'
                    type: array
                  page:
                    type: integer
                  perPage:
                    type: integer
                  total:
                    type: integer
                required:
                  - page
                  - perPage
                  - total
                  - data
          description: Indicates a successful call.
        '400':
          content:
            application/json:
              examples:
                FindAnonymizationFieldsResponse400Example:
                  value:
                    error: Bad Request
                    message: Invalid request parameters
                    statusCode: 400
              schema:
                type: object
                properties:
                  error:
                    type: string
                  message:
                    type: string
                  statusCode:
                    type: number
          description: Bad Request response.
      summary: Get anonymization fields
      tags:
        - Security AI Assistant API
      x-codeSamples:
        - label: Example request
          lang: curl
          source: |
            curl \
             --request GET 'http://localhost:5601/api/security_ai_assistant/anonymization_fields/_find?page=1&per_page=20' \
             --header "Authorization: $API_KEY"
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/security_ai_assistant/chat/complete:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/security_ai_assistant/chat/complete</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Create a model response for the given chat conversation.
      operationId: ChatComplete
      parameters:
        - description: If true, the response will not include content references.
          example: false
          in: query
          name: content_references_disabled
          required: false
          schema:
            default: false
            type: boolean
      requestBody:
        content:
          application/json:
            examples:
              ChatCompleteRequest:
                value:
                  connectorId: conn-001
                  conversationId: abc123
                  isStream: true
                  langSmithApiKey: <LANGSMITH_API_KEY>
                  langSmithProject: security_ai_project
                  messages:
                    - content: What are some common phishing techniques?
                      data:
                        user_id: user_789
                      fields_to_anonymize:
                        - user.name
                        - source.ip
                      role: user
                  model: gpt-4
                  persist: true
                  promptId: prompt_456
                  responseLanguage: en
            schema:
              $ref: '#/components/schemas/Security_AI_Assistant_API_ChatCompleteProps'
        required: true
      responses:
        '200':
          content:
            application/octet-stream:
              examples:
                ChatCompleteResponse200Example:
                  value: (streaming binary response)
              schema:
                format: binary
                type: string
          description: Indicates a successful model response call.
        '400':
          content:
            application/json:
              examples:
                ChatCompleteResponse400Example:
                  value:
                    error: Bad Request
                    message: Invalid request payload.
                    statusCode: 400
              schema:
                type: object
                properties:
                  error:
                    description: Error type.
                    example: Bad Request
                    type: string
                  message:
                    description: Human-readable error message.
                    example: Invalid request payload.
                    type: string
                  statusCode:
                    description: HTTP status code.
                    example: 400
                    type: number
          description: Bad Request response.
      summary: Create a model response
      tags:
        - Security AI Assistant API
      x-codeSamples:
        - label: Example request
          lang: curl
          source: |
            curl \
             --request POST 'http://localhost:5601/api/security_ai_assistant/chat/complete' \
             --header "Authorization: $API_KEY" \
             --header "Content-Type: application/json" \
             --data '{"connectorId":"conn-001","persist":true,"messages":[{"role":"user","content":"What are common phishing techniques?"}]}'
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/security_ai_assistant/current_user/conversations:
    delete:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/security_ai_assistant/current_user/conversations</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        This endpoint allows users to permanently delete all conversations.
      operationId: DeleteAllConversations
      requestBody:
        content:
          application/json:
            examples:
              DeleteAllConversationsRequest:
                value:
                  excludedIds:
                    - abc123
                    - def456
            schema:
              type: object
              properties:
                excludedIds:
                  description: Optional list of conversation IDs to exclude from deletion.
                  example:
                    - abc123
                    - def456
                  items:
                    type: string
                  type: array
        required: false
      responses:
        '200':
          content:
            application/json:
              examples:
                DeleteAllConversationsResponse200Example:
                  value:
                    failures: []
                    success: true
                    totalDeleted: 10
              schema:
                type: object
                properties:
                  failures:
                    items:
                      type: string
                    type: array
                  success:
                    example: true
                    type: boolean
                  totalDeleted:
                    example: 10
                    type: number
          description: Indicates a successful call. The conversations were deleted successfully.
        '400':
          content:
            application/json:
              examples:
                DeleteAllConversationsResponse400Example:
                  value:
                    error: Bad Request
                    message: Invalid conversation ID
                    statusCode: 400
              schema:
                type: object
                properties:
                  error:
                    example: Bad Request
                    type: string
                  message:
                    example: Invalid conversation ID
                    type: string
                  statusCode:
                    example: 400
                    type: number
          description: Bad Request response.
      summary: Delete conversations
      tags:
        - Security AI Assistant API
      x-codeSamples:
        - label: Example request
          lang: curl
          source: |
            curl \
             --request DELETE 'http://localhost:5601/api/security_ai_assistant/current_user/conversations' \
             --header "Authorization: $API_KEY" \
             --header "Content-Type: application/json" \
             --data '{"excludedIds":["abc123"]}'
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/security_ai_assistant/current_user/conversations</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Create a new Security AI Assistant conversation. This endpoint allows the user to initiate a conversation with the Security AI Assistant by providing the required parameters.
      operationId: CreateConversation
      requestBody:
        content:
          application/json:
            examples:
              CreateConversationRequest:
                value:
                  apiConfig:
                    actionTypeId: '67890'
                    connectorId: '12345'
                  category: assistant
                  excludeFromLastConversationStorage: false
                  messages:
                    - content: Hello, how can I assist you today?
                      role: system
                      timestamp: '2023-10-31T12:00:00Z'
                  replacements: {}
                  title: Security Discussion
            schema:
              $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCreateProps'
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                CreateConversationResponse200Example:
                  value:
                    apiConfig:
                      actionTypeId: '67890'
                      connectorId: '12345'
                    category: assistant
                    createdAt: '2023-10-31T12:01:00Z'
                    createdBy:
                      id: user1
                      name: John Doe
                    excludeFromLastConversationStorage: false
                    id: abc123
                    messages:
                      - content: Hello, how can I assist you today?
                        role: system
                        timestamp: '2023-10-31T12:00:00Z'
                    namespace: default
                    replacements: {}
                    title: Security Discussion
                    updatedAt: '2023-10-31T12:01:00Z'
                    users:
                      - id: user1
                        name: John Doe
              schema:
                $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse'
          description: Indicates a successful call. The conversation was created successfully.
        '400':
          content:
            application/json:
              examples:
                CreateConversationResponse400Example:
                  value:
                    error: Bad Request
                    message: 'Missing required parameter: title'
                    statusCode: 400
              schema:
                type: object
                properties:
                  error:
                    example: Bad Request
                    type: string
                  message:
                    example: 'Missing required parameter: title'
                    type: string
                  statusCode:
                    example: 400
                    type: number
          description: Bad Request response.
      summary: Create a conversation
      tags:
        - Security AI Assistant API
      x-codeSamples:
        - label: Example request
          lang: curl
          source: |
            curl \
             --request POST 'http://localhost:5601/api/security_ai_assistant/current_user/conversations' \
             --header "Authorization: $API_KEY" \
             --header "Content-Type: application/json" \
             --data '{"title":"Security Discussion","category":"assistant","messages":[{"content":"Hello","role":"system","timestamp":"2023-10-31T12:00:00Z"}],"apiConfig":{"connectorId":"12345","actionTypeId":"67890"},"replacements":{},"excludeFromLastConversationStorage":false}'
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/security_ai_assistant/current_user/conversations/_find:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/security_ai_assistant/current_user/conversations/_find</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get a list of all conversations for the current user. This endpoint allows users to search, filter, sort, and paginate through their conversations.
      operationId: FindConversations
      parameters:
        - description: A list of fields to include in the response. If omitted, all fields are returned.
          in: query
          name: fields
          required: false
          schema:
            example:
              - id
              - title
              - createdAt
            items:
              type: string
            type: array
        - description: A search query to filter the conversations. Can match against titles, messages, or other conversation attributes.
          in: query
          name: filter
          required: false
          schema:
            example: Security Issue
            type: string
        - description: The field by which to sort the results. Valid fields are `created_at`, `title`, and `updated_at`.
          in: query
          name: sort_field
          required: false
          schema:
            $ref: '#/components/schemas/Security_AI_Assistant_API_FindConversationsSortField'
            example: created_at
        - description: The order in which to sort the results. Can be either `asc` for ascending or `desc` for descending.
          in: query
          name: sort_order
          required: false
          schema:
            $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder'
            example: desc
        - description: The page number of the results to retrieve. Default is 1.
          in: query
          name: page
          required: false
          schema:
            default: 1
            example: 1
            minimum: 1
            type: integer
        - description: The number of conversations to return per page. Default is 20.
          in: query
          name: per_page
          required: false
          schema:
            default: 20
            example: 20
            minimum: 0
            type: integer
        - description: Whether to return conversations that the current user owns. If true, only conversations owned by the user are returned.
          in: query
          name: is_owner
          required: false
          schema:
            default: false
            example: true
            type: boolean
      responses:
        '200':
          content:
            application/json:
              examples:
                FindConversationsResponse200Example:
                  value:
                    data:
                      - category: assistant
                        createdAt: '2023-10-31T12:00:00Z'
                        createdBy:
                          id: user1
                          name: John Doe
                        excludeFromLastConversationStorage: false
                        id: conv-abc123
                        messages: []
                        namespace: default
                        replacements: {}
                        title: Security Discussion
                        updatedAt: '2023-10-31T12:05:00Z'
                        users:
                          - id: user1
                            name: John Doe
                    page: 1
                    perPage: 20
                    total: 5
              schema:
                type: object
                properties:
                  data:
                    description: A list of conversations.
                    items:
                      $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse'
                    type: array
                  page:
                    description: The current page of the results.
                    example: 1
                    type: integer
                  perPage:
                    description: The number of results returned per page.
                    example: 20
                    type: integer
                  total:
                    description: The total number of conversations matching the filter criteria.
                    example: 100
                    type: integer
                required:
                  - page
                  - perPage
                  - total
                  - data
          description: Successful response, returns a paginated list of conversations matching the specified criteria.
        '400':
          content:
            application/json:
              examples:
                FindConversationsResponse400Example:
                  value:
                    error: Bad Request
                    message: Invalid filter parameter.
                    statusCode: 400
              schema:
                type: object
                properties:
                  error:
                    example: Bad Request
                    type: string
                  message:
                    example: Invalid filter query parameter
                    type: string
                  statusCode:
                    example: 400
                    type: number
          description: Bad Request response.
      summary: Get conversations
      tags:
        - Security AI Assistant API
      x-codeSamples:
        - label: Example request
          lang: curl
          source: |
            curl \
             --request GET 'http://localhost:5601/api/security_ai_assistant/current_user/conversations/_find?page=1&per_page=20' \
             --header "Authorization: $API_KEY"
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/security_ai_assistant/current_user/conversations/{id}:
    delete:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/security_ai_assistant/current_user/conversations/{id}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Delete an existing conversation using the conversation ID. This endpoint allows users to permanently delete a conversation.
      operationId: DeleteConversation
      parameters:
        - description: The conversation's `id` value.
          example: abc123
          in: path
          name: id
          required: true
          schema:
            $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
      responses:
        '200':
          content:
            application/json:
              examples:
                DeleteConversationResponse200Example:
                  value:
                    apiConfig:
                      actionTypeId: '67890'
                      connectorId: '12345'
                    category: assistant
                    createdAt: '2023-10-31T12:01:00Z'
                    createdBy:
                      id: user1
                      name: John Doe
                    excludeFromLastConversationStorage: false
                    id: abc123
                    messages:
                      - content: The conversation has been deleted.
                        role: system
                        timestamp: '2023-10-31T12:35:00Z'
                    namespace: default
                    replacements: {}
                    title: Deleted Security Discussion
                    updatedAt: '2023-10-31T12:01:00Z'
                    users:
                      - id: user1
                        name: John Doe
              schema:
                $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse'
          description: Indicates a successful call. The conversation was deleted successfully.
        '400':
          content:
            application/json:
              examples:
                DeleteConversationResponse400Example:
                  value:
                    error: Bad Request
                    message: Invalid conversation ID
                    statusCode: 400
              schema:
                type: object
                properties:
                  error:
                    example: Bad Request
                    type: string
                  message:
                    example: Invalid conversation ID
                    type: string
                  statusCode:
                    example: 400
                    type: number
          description: Bad Request response.
      summary: Delete a conversation
      tags:
        - Security AI Assistant API
      x-codeSamples:
        - label: Example request
          lang: curl
          source: |
            curl \
             --request DELETE 'http://localhost:5601/api/security_ai_assistant/current_user/conversations/abc123' \
             --header "Authorization: $API_KEY"
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/security_ai_assistant/current_user/conversations/{id}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get the details of an existing conversation using the conversation ID. This allows users to fetch the specific conversation data by its unique ID.
      operationId: ReadConversation
      parameters:
        - description: The conversation's `id` value, a unique identifier for the conversation.
          example: abc123
          in: path
          name: id
          required: true
          schema:
            $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
      responses:
        '200':
          content:
            application/json:
              examples:
                ReadConversationResponse200Example:
                  value:
                    apiConfig:
                      actionTypeId: '67890'
                      connectorId: '12345'
                    category: assistant
                    createdAt: '2023-10-31T12:01:00Z'
                    createdBy:
                      id: user1
                      name: John Doe
                    excludeFromLastConversationStorage: false
                    id: abc123
                    messages:
                      - content: Hello, how can I assist you today?
                        role: system
                        timestamp: '2023-10-31T12:00:00Z'
                    namespace: default
                    replacements: {}
                    title: Security Discussion
                    updatedAt: '2023-10-31T12:01:00Z'
                    users:
                      - id: user1
                        name: John Doe
              schema:
                $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse'
          description: Indicates a successful call. The conversation details are returned.
        '400':
          content:
            application/json:
              examples:
                ReadConversationResponse400Example:
                  value:
                    error: Bad Request
                    message: Invalid conversation ID
                    statusCode: 400
              schema:
                type: object
                properties:
                  error:
                    example: Bad Request
                    type: string
                  message:
                    example: Invalid conversation ID
                    type: string
                  statusCode:
                    example: 400
                    type: number
          description: Bad Request response.
      summary: Get a conversation
      tags:
        - Security AI Assistant API
      x-codeSamples:
        - label: Example request
          lang: curl
          source: |
            curl \
             --request GET 'http://localhost:5601/api/security_ai_assistant/current_user/conversations/abc123' \
             --header "Authorization: $API_KEY"
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    put:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb put">put</span>&nbsp;<span class="operation-path">/s/{space_id}/api/security_ai_assistant/current_user/conversations/{id}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Update an existing conversation using the conversation ID. This endpoint allows users to modify the details of an existing conversation.
      operationId: UpdateConversation
      parameters:
        - description: The conversation's `id` value.
          example: abc123
          in: path
          name: id
          required: true
          schema:
            $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
      requestBody:
        content:
          application/json:
            examples:
              UpdateConversationRequest:
                value:
                  apiConfig:
                    actionTypeId: '09876'
                    connectorId: '54321'
                  category: insights
                  excludeFromLastConversationStorage: true
                  messages:
                    - content: The issue was resolved.
                      role: assistant
                      timestamp: '2023-10-31T12:30:00Z'
                  replacements: {}
                  title: Updated Security Discussion
            schema:
              $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationUpdateProps'
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                UpdateConversationResponse200Example:
                  value:
                    apiConfig:
                      actionTypeId: '09876'
                      connectorId: '54321'
                    category: insights
                    createdAt: '2023-10-31T12:01:00Z'
                    createdBy:
                      id: user1
                      name: John Doe
                    excludeFromLastConversationStorage: true
                    id: abc123
                    messages:
                      - content: The issue was resolved.
                        role: assistant
                        timestamp: '2023-10-31T12:30:00Z'
                    namespace: default
                    replacements: {}
                    title: Updated Security Discussion
                    updatedAt: '2023-10-31T12:31:00Z'
                    users:
                      - id: user1
                        name: John Doe
              schema:
                $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse'
          description: Indicates a successful call. The conversation was updated successfully.
        '400':
          content:
            application/json:
              examples:
                UpdateConversationResponse400Example:
                  value:
                    error: Bad Request
                    message: 'Missing required field: title'
                    statusCode: 400
              schema:
                type: object
                properties:
                  error:
                    example: Bad Request
                    type: string
                  message:
                    example: 'Missing required field: title'
                    type: string
                  statusCode:
                    example: 400
                    type: number
          description: Bad Request response.
      summary: Update a conversation
      tags:
        - Security AI Assistant API
      x-codeSamples:
        - label: Example request
          lang: curl
          source: |
            curl \
             --request PUT 'http://localhost:5601/api/security_ai_assistant/current_user/conversations/abc123' \
             --header "Authorization: $API_KEY" \
             --header "Content-Type: application/json" \
             --data '{"title":"Updated Security Discussion","category":"insights","messages":[{"content":"Resolved.","role":"assistant","timestamp":"2023-10-31T12:30:00Z"}],"apiConfig":{"connectorId":"54321","actionTypeId":"09876"},"replacements":{},"excludeFromLastConversationStorage":true}'
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/security_ai_assistant/knowledge_base:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/security_ai_assistant/knowledge_base</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Read a single knowledge base.
      operationId: GetKnowledgeBase
      responses:
        '200':
          content:
            application/json:
              examples:
                KnowledgeBaseReadResponse200Example2:
                  summary: A response that returns information about the knowledge base.
                  value:
                    defend_insights_exists: true
                    elser_exists: false
                    is_setup_available: true
                    is_setup_in_progress: true
                    product_documentation_status: installed
                    security_labs_exists: false
                    user_data_exists: true
              schema:
                $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseReadResponse200'
          description: Indicates a successful call.
        '400':
          content:
            application/json:
              examples:
                GetKnowledgeBaseResponse400Example:
                  value:
                    error: Bad Request
                    message: Invalid resource ID provided.
                    statusCode: 400
              schema:
                $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400'
          description: Bad Request response.
      summary: Read a KnowledgeBase
      tags:
        - Security AI Assistant API
      x-codeSamples:
        - label: Example request
          lang: curl
          source: |
            curl \
             --request GET 'http://localhost:5601/api/security_ai_assistant/knowledge_base' \
             --header "Authorization: $API_KEY"
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/security_ai_assistant/knowledge_base</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Create a knowledge base. Use this endpoint when no specific resource identifier is needed.
      operationId: PostKnowledgeBase
      parameters:
        - description: ELSER modelId to use when setting up the Knowledge Base. If not provided, a default model will be used.
          example: elser-model-001
          in: query
          name: modelId
          required: false
          schema:
            type: string
        - description: Indicates whether to skip installing Security Labs docs when setting up the Knowledge Base. Defaults to `false`.
          example: true
          in: query
          name: ignoreSecurityLabs
          required: false
          schema:
            default: false
            type: boolean
      responses:
        '200':
          content:
            application/json:
              examples:
                KnowledgeBaseResponse200Example2:
                  summary: A response that indicates that the request was successful.
                  value:
                    success: true
              schema:
                $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse'
          description: Indicates a successful call.
        '400':
          content:
            application/json:
              examples:
                KnowledgeBaseResponse400Example2:
                  summary: A response for a request that failed due to an invalid query parameter value.
                  value:
                    error: Bad Request
                    message: "[request query]: ignoreSecurityLabs: Invalid enum value. Expected 'true' | 'false', received 'yes', ignoreSecurityLabs: Expected boolean, received string"
                    statusCode: 400
              schema:
                $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400'
          description: Bad Request response.
      summary: Create a KnowledgeBase
      tags:
        - Security AI Assistant API
      x-codeSamples:
        - label: Example request
          lang: curl
          source: |
            curl \
             --request POST 'http://localhost:5601/api/security_ai_assistant/knowledge_base?ignoreSecurityLabs=false' \
             --header "Authorization: $API_KEY"
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/security_ai_assistant/knowledge_base/{resource}:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/security_ai_assistant/knowledge_base/{resource}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Read a knowledge base with a specific resource identifier.
      operationId: ReadKnowledgeBase
      parameters:
        - description: The KnowledgeBase `resource` value.
          example: kb12345
          in: path
          name: resource
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                KnowledgeBaseReadResponse200Example1:
                  summary: A response that returns information about the knowledge base.
                  value:
                    defend_insights_exists: true
                    elser_exists: false
                    is_setup_available: true
                    is_setup_in_progress: true
                    product_documentation_status: installed
                    security_labs_exists: false
                    user_data_exists: true
              schema:
                $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseReadResponse200'
          description: Indicates a successful call.
        '400':
          content:
            application/json:
              examples:
                ReadKnowledgeBaseResponse400Example:
                  value:
                    error: Bad Request
                    message: Invalid resource ID provided.
                    statusCode: 400
              schema:
                $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400'
          description: Bad Request response.
      summary: Read a knowledge base for a resource
      tags:
        - Security AI Assistant API
      x-codeSamples:
        - label: Example request
          lang: curl
          source: |
            curl \
             --request GET 'http://localhost:5601/api/security_ai_assistant/knowledge_base/kb12345' \
             --header "Authorization: $API_KEY"
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/security_ai_assistant/knowledge_base/{resource}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Create a knowledge base with a specific resource identifier.
      operationId: CreateKnowledgeBase
      parameters:
        - description: The knowledge base `resource` value.
          example: kb12345
          in: path
          name: resource
          required: true
          schema:
            type: string
        - description: ELSER modelId to use when setting up the Knowledge Base. If not provided, a default model will be used.
          example: elser-model-001
          in: query
          name: modelId
          required: false
          schema:
            type: string
        - description: Indicates whether to install Security Labs docs when setting up the Knowledge Base. Defaults to `false`.
          example: true
          in: query
          name: ignoreSecurityLabs
          required: false
          schema:
            default: false
            type: boolean
      responses:
        '200':
          content:
            application/json:
              examples:
                KnowledgeBaseResponse200Example1:
                  summary: A response that indicates that the request was successful.
                  value:
                    success: true
              schema:
                $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse'
          description: Indicates a successful call.
        '400':
          content:
            application/json:
              examples:
                KnowledgeBaseResponse400Example1:
                  summary: A response for a request that failed due to an invalid query parameter value.
                  value:
                    statusCode: 400
                    error: Bad Request
                    message: "[request query]: ignoreSecurityLabs: Invalid enum value. Expected 'true' | 'false', received 'yes', ignoreSecurityLabs: Expected boolean, received string"
              schema:
                $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400'
          description: Bad Request response.
      summary: Create a knowledge base for a resource
      tags:
        - Security AI Assistant API
      x-codeSamples:
        - label: Example request
          lang: curl
          source: |
            curl \
             --request POST 'http://localhost:5601/api/security_ai_assistant/knowledge_base/kb12345?ignoreSecurityLabs=false' \
             --header "Authorization: $API_KEY"
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/security_ai_assistant/knowledge_base/entries:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/security_ai_assistant/knowledge_base/entries</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Create a Knowledge Base Entry
      operationId: CreateKnowledgeBaseEntry
      requestBody:
        content:
          application/json:
            examples:
              CreateKnowledgeBaseEntryRequest:
                value:
                  kbResource: user
                  name: How to reset a password
                  source: manual
                  text: To reset your password, go to the settings page and click 'Reset Password'.
                  type: document
            schema:
              $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps'
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                CreateKnowledgeBaseEntryResponse200Example:
                  value:
                    createdAt: '2024-01-15T10:00:00.000Z'
                    createdBy: user@example.com
                    global: false
                    id: '12345'
                    kbResource: user
                    name: How to reset a password
                    namespace: default
                    source: manual
                    text: To reset your password, go to the settings page and click 'Reset Password'.
                    type: document
                    updatedAt: '2024-01-15T10:00:00.000Z'
                    updatedBy: user@example.com
              schema:
                $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse'
          description: Successful request returning Knowledge Base Entries
        '400':
          content:
            application/json:
              examples:
                CreateKnowledgeBaseEntryResponse400Example:
                  value:
                    error: Invalid input
                    message: The 'name' field is required.
              schema:
                $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema'
          description: Bad Request response.
      summary: Create a Knowledge Base Entry
      tags:
        - Security AI Assistant API
      x-codeSamples:
        - label: Example request
          lang: curl
          source: |
            curl \
             --request POST 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries' \
             --header "Authorization: $API_KEY" \
             --header "Content-Type: application/json" \
             --data '{"name":"How to reset a password","type":"document","kbResource":"user","source":"manual","text":"To reset your password, go to the settings page and click Reset Password."}'
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/security_ai_assistant/knowledge_base/entries/_bulk_action:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/security_ai_assistant/knowledge_base/entries/_bulk_action</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        The bulk action is applied to all Knowledge Base Entries that match the filter or to the list of Knowledge Base Entries by their IDs.
      operationId: PerformKnowledgeBaseEntryBulkAction
      requestBody:
        content:
          application/json:
            examples:
              PerformKnowledgeBaseEntryBulkActionRequest:
                value:
                  create:
                    - kbResource: user
                      name: New Entry
                      source: manual
                      text: This is the content of the new entry.
                      type: document
                  delete:
                    ids:
                      - '789'
                  update:
                    - id: '123'
                      kbResource: user
                      name: Updated Entry
                      source: manual
                      text: Updated content.
                      type: document
            schema:
              type: object
              properties:
                create:
                  description: List of Knowledge Base Entries to create.
                  example:
                    - kbResource: user
                      name: New Entry
                      source: manual
                      text: This is the content of the new entry.
                      type: document
                  items:
                    $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps'
                  type: array
                delete:
                  type: object
                  properties:
                    ids:
                      description: Array of Knowledge Base Entry IDs.
                      example:
                        - '123'
                        - '456'
                        - '789'
                      items:
                        type: string
                      minItems: 1
                      type: array
                    query:
                      description: Query to filter Knowledge Base Entries.
                      example: status:active AND category:technology
                      type: string
                update:
                  description: List of Knowledge Base Entries to update.
                  example:
                    - id: '123'
                      kbResource: user
                      name: Updated Entry
                      source: manual
                      text: Updated content.
                      type: document
                  items:
                    $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryUpdateProps'
                  type: array
      responses:
        '200':
          content:
            application/json:
              examples:
                PerformKnowledgeBaseEntryBulkActionResponse200Example:
                  value:
                    attributes:
                      results:
                        created:
                          - createdAt: '2024-01-15T10:00:00.000Z'
                            createdBy: user@example.com
                            global: false
                            id: '456'
                            kbResource: user
                            name: New Entry
                            namespace: default
                            source: manual
                            text: This is the content of the new entry.
                            type: document
                            updatedAt: '2024-01-15T10:00:00.000Z'
                            updatedBy: user@example.com
                        deleted:
                          - '789'
                        skipped: []
                        updated:
                          - createdAt: '2024-01-14T09:00:00.000Z'
                            createdBy: user@example.com
                            global: false
                            id: '123'
                            kbResource: user
                            name: Updated Entry
                            namespace: default
                            source: manual
                            text: Updated content.
                            type: document
                            updatedAt: '2024-01-15T10:00:00.000Z'
                            updatedBy: user@example.com
                      summary:
                        failed: 0
                        skipped: 0
                        succeeded: 3
                        total: 3
                    knowledgeBaseEntriesCount: 3
                    message: Bulk action completed successfully.
                    statusCode: 200
                    success: true
              schema:
                $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResponse'
          description: Successful bulk operation request
        '400':
          content:
            application/json:
              examples:
                PerformKnowledgeBaseEntryBulkActionResponse400Example:
                  value:
                    error: Bad Request
                    message: Invalid request body.
                    statusCode: 400
              schema:
                $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema'
          description: Bad Request response.
      summary: Applies a bulk action to multiple Knowledge Base Entries
      tags:
        - Security AI Assistant API
      x-codeSamples:
        - label: Example request
          lang: curl
          source: |
            curl \
             --request POST 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries/_bulk_action' \
             --header "Authorization: $API_KEY" \
             --header "Content-Type: application/json" \
             --data '{"create":[{"name":"Runbook","type":"document","kbResource":"user","source":"manual","text":"Steps to triage an alert."}]}'
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/security_ai_assistant/knowledge_base/entries/_find:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/security_ai_assistant/knowledge_base/entries/_find</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Finds Knowledge Base Entries that match the given query.
      operationId: FindKnowledgeBaseEntries
      parameters:
        - description: A list of fields to include in the response. If not provided, all fields will be included.
          in: query
          name: fields
          required: false
          schema:
            example:
              - name
              - created_at
            items:
              type: string
            type: array
        - description: Search query to filter Knowledge Base Entries by specific criteria.
          in: query
          name: filter
          required: false
          schema:
            example: error handling
            type: string
        - description: Field to sort the Knowledge Base Entries by.
          in: query
          name: sort_field
          required: false
          schema:
            $ref: '#/components/schemas/Security_AI_Assistant_API_FindKnowledgeBaseEntriesSortField'
            example: created_at
        - description: Sort order for the results, either asc or desc.
          in: query
          name: sort_order
          required: false
          schema:
            $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder'
            example: asc
        - description: Page number for paginated results. Defaults to 1.
          in: query
          name: page
          required: false
          schema:
            default: 1
            example: 2
            minimum: 1
            type: integer
        - description: Number of Knowledge Base Entries to return per page. Defaults to 20.
          in: query
          name: per_page
          required: false
          schema:
            default: 20
            example: 10
            minimum: 0
            type: integer
      responses:
        '200':
          content:
            application/json:
              examples:
                FindKnowledgeBaseEntriesResponse200Example:
                  value:
                    data:
                      - createdAt: '2024-01-15T10:00:00.000Z'
                        createdBy: user@example.com
                        global: false
                        id: '12345'
                        kbResource: user
                        name: How to reset a password
                        namespace: default
                        source: manual
                        text: To reset your password, go to the settings page and click 'Reset Password'.
                        type: document
                        updatedAt: '2024-01-15T10:00:00.000Z'
                        updatedBy: user@example.com
                    page: 1
                    perPage: 20
                    total: 100
              schema:
                type: object
                properties:
                  data:
                    description: The list of Knowledge Base Entries for the current page.
                    items:
                      $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse'
                    type: array
                  page:
                    description: The current page number.
                    example: 1
                    type: integer
                  perPage:
                    description: The number of Knowledge Base Entries returned per page.
                    example: 20
                    type: integer
                  total:
                    description: The total number of Knowledge Base Entries available.
                    example: 100
                    type: integer
                required:
                  - page
                  - perPage
                  - total
                  - data
          description: Successful response containing the paginated Knowledge Base Entries.
        '400':
          content:
            application/json:
              examples:
                FindKnowledgeBaseEntriesResponse400Example:
                  value:
                    error: Bad Request
                    message: 'Invalid query parameter: sort_order'
                    statusCode: 400
              schema:
                type: object
                properties:
                  error:
                    description: A short description of the error.
                    example: Bad Request
                    type: string
                  message:
                    description: A detailed message explaining the error.
                    example: 'Invalid query parameter: sort_order'
                    type: string
                  statusCode:
                    description: The HTTP status code of the error.
                    example: 400
                    type: number
          description: Bad Request response.
      summary: Finds Knowledge Base Entries that match the given query.
      tags:
        - Security AI Assistant API
      x-codeSamples:
        - label: Example request
          lang: curl
          source: |
            curl \
             --request GET 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries/_find?page=1&per_page=20' \
             --header "Authorization: $API_KEY"
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/security_ai_assistant/knowledge_base/entries/{id}:
    delete:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/security_ai_assistant/knowledge_base/entries/{id}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Delete a Knowledge Base Entry by its unique `id`.
      operationId: DeleteKnowledgeBaseEntry
      parameters:
        - description: The unique identifier (`id`) of the Knowledge Base Entry to delete.
          example: '12345'
          in: path
          name: id
          required: true
          schema:
            $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
      responses:
        '200':
          content:
            application/json:
              examples:
                DeleteKnowledgeBaseEntryResponse200Example:
                  value:
                    id: '12345'
                    message: Knowledge Base Entry successfully deleted.
              schema:
                $ref: '#/components/schemas/Security_AI_Assistant_API_DeleteResponseFields'
          description: Successful request returning the `id` of the deleted Knowledge Base Entry.
        '400':
          content:
            application/json:
              examples:
                DeleteKnowledgeBaseEntryResponse400Example:
                  value:
                    error: Not Found
                    message: No Knowledge Base Entry found with the provided `id`.
              schema:
                $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema'
          description: Bad Request response.
      summary: Deletes a single Knowledge Base Entry using the `id` field
      tags:
        - Security AI Assistant API
      x-codeSamples:
        - label: Example request
          lang: curl
          source: |
            curl \
             --request DELETE 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries/12345' \
             --header "Authorization: $API_KEY"
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/security_ai_assistant/knowledge_base/entries/{id}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Retrieve a Knowledge Base Entry by its unique `id`.
      operationId: ReadKnowledgeBaseEntry
      parameters:
        - description: The unique identifier (`id`) of the Knowledge Base Entry to retrieve.
          example: '12345'
          in: path
          name: id
          required: true
          schema:
            $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
      responses:
        '200':
          content:
            application/json:
              examples:
                ReadKnowledgeBaseEntryResponse200Example:
                  value:
                    createdAt: '2024-01-15T10:00:00.000Z'
                    createdBy: user@example.com
                    global: false
                    id: '12345'
                    kbResource: user
                    name: How to reset a password
                    namespace: default
                    source: manual
                    text: To reset your password, go to the settings page and click 'Reset Password'.
                    type: document
                    updatedAt: '2024-01-15T10:00:00.000Z'
                    updatedBy: user@example.com
              schema:
                $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse'
          description: Successful request returning the requested Knowledge Base Entry.
        '400':
          content:
            application/json:
              examples:
                ReadKnowledgeBaseEntryResponse400Example:
                  value:
                    error: Not Found
                    message: No Knowledge Base Entry found with the provided `id`.
              schema:
                $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema'
          description: Bad Request response.
      summary: Read a Knowledge Base Entry
      tags:
        - Security AI Assistant API
      x-codeSamples:
        - label: Example request
          lang: curl
          source: |
            curl \
             --request GET 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries/12345' \
             --header "Authorization: $API_KEY"
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    put:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb put">put</span>&nbsp;<span class="operation-path">/s/{space_id}/api/security_ai_assistant/knowledge_base/entries/{id}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Update an existing Knowledge Base Entry by its unique `id`.
      operationId: UpdateKnowledgeBaseEntry
      parameters:
        - description: The unique identifier (`id`) of the Knowledge Base Entry to update.
          example: '12345'
          in: path
          name: id
          required: true
          schema:
            $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
      requestBody:
        content:
          application/json:
            examples:
              UpdateKnowledgeBaseEntryRequest:
                value:
                  kbResource: user
                  name: How to reset a password (updated)
                  source: manual
                  text: 'Updated: go to settings and click Reset Password, then follow the on-screen instructions.'
                  type: document
            schema:
              $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryUpdateRouteProps'
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                UpdateKnowledgeBaseEntryResponse200Example:
                  value:
                    createdAt: '2024-01-15T10:00:00.000Z'
                    createdBy: user@example.com
                    global: false
                    id: '12345'
                    kbResource: user
                    name: How to reset a password (updated)
                    namespace: default
                    source: manual
                    text: 'Updated: go to settings and click Reset Password, then follow the on-screen instructions.'
                    type: document
                    updatedAt: '2024-01-15T10:05:00.000Z'
                    updatedBy: user@example.com
              schema:
                $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse'
          description: Successful request returning the updated Knowledge Base Entry.
        '400':
          content:
            application/json:
              examples:
                UpdateKnowledgeBaseEntryResponse400Example:
                  value:
                    error: Invalid input
                    message: The 'text' field cannot be empty.
              schema:
                $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema'
          description: Bad Request response.
      summary: Update a Knowledge Base Entry
      tags:
        - Security AI Assistant API
      x-codeSamples:
        - label: Example request
          lang: curl
          source: |
            curl \
             --request PUT 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries/12345' \
             --header "Authorization: $API_KEY" \
             --header "Content-Type: application/json" \
             --data '{"name":"How to reset a password (updated)","type":"document","kbResource":"user","source":"manual","text":"Updated: go to settings and click Reset Password, then follow the on-screen instructions."}'
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/security_ai_assistant/prompts/_bulk_action:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/security_ai_assistant/prompts/_bulk_action</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Apply a bulk action to multiple prompts. The bulk action is applied to all prompts that match the filter or to the list of prompts by their IDs. This action allows for bulk create, update, or delete operations.
      operationId: PerformPromptsBulkAction
      requestBody:
        content:
          application/json:
            examples:
              PerformPromptsBulkActionRequest:
                value:
                  create:
                    - content: Please verify the security settings.
                      name: New Security Prompt
                      promptType: system
                  delete:
                    ids:
                      - prompt1
                      - prompt2
                  update:
                    - content: Updated content for security prompt.
                      id: prompt123
            schema:
              type: object
              properties:
                create:
                  description: List of prompts to be created.
                  items:
                    $ref: '#/components/schemas/Security_AI_Assistant_API_PromptCreateProps'
                  type: array
                delete:
                  description: Criteria for deleting prompts in bulk.
                  type: object
                  properties:
                    ids:
                      description: Array of IDs to apply the action to.
                      example:
                        - '1234'
                        - '5678'
                      items:
                        type: string
                      minItems: 1
                      type: array
                    query:
                      description: Query to filter the bulk action.
                      example: 'status: ''inactive'''
                      type: string
                update:
                  description: List of prompts to be updated.
                  items:
                    $ref: '#/components/schemas/Security_AI_Assistant_API_PromptUpdateProps'
                  type: array
      responses:
        '200':
          content:
            application/json:
              examples:
                success:
                  value:
                    attributes:
                      errors: []
                      results:
                        created:
                          - content: Please verify the security settings.
                            id: prompt6
                            name: New Security Prompt
                            promptType: system
                        deleted:
                          - prompt2
                          - prompt3
                        skipped:
                          - id: prompt4
                            name: Security Prompt
                            skip_reason: PROMPT_FIELD_NOT_MODIFIED
                        updated:
                          - content: Updated security settings prompt
                            id: prompt1
                            name: Security Prompt
                            promptType: system
                      summary:
                        failed: 0
                        skipped: 1
                        succeeded: 4
                        total: 5
                    message: Bulk action completed successfully.
                    prompts_count: 5
                    status_code: 200
                    success: true
              schema:
                $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResponse'
          description: Indicates a successful call with the results of the bulk action.
        '400':
          content:
            application/json:
              examples:
                PerformPromptsBulkActionResponse400Example:
                  value:
                    error: Bad Request
                    message: Invalid prompt ID or missing required fields.
                    statusCode: 400
              schema:
                type: object
                properties:
                  error:
                    description: A short error message.
                    example: Bad Request
                    type: string
                  message:
                    description: A detailed error message.
                    example: Invalid prompt ID or missing required fields.
                    type: string
                  statusCode:
                    description: The HTTP status code for the error.
                    example: 400
                    type: number
          description: Bad Request response.
      summary: Apply a bulk action to prompts
      tags:
        - Security AI Assistant API
      x-codeSamples:
        - label: Example request
          lang: curl
          source: |
            curl \
             --request POST 'http://localhost:5601/api/security_ai_assistant/prompts/_bulk_action' \
             --header "Authorization: $API_KEY" \
             --header "Content-Type: application/json" \
             --data '{"delete":{"query":"name: test"}}'
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/security_ai_assistant/prompts/_find:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/security_ai_assistant/prompts/_find</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get a list of all prompts based on optional filters, sorting, and pagination.
      operationId: FindPrompts
      parameters:
        - description: List of specific fields to include in each returned prompt.
          in: query
          name: fields
          required: false
          schema:
            example:
              - id
              - name
              - content
            items:
              type: string
            type: array
        - description: Search query string to filter prompts by matching fields.
          in: query
          name: filter
          required: false
          schema:
            example: error handling
            type: string
        - description: Field to sort prompts by.
          in: query
          name: sort_field
          required: false
          schema:
            $ref: '#/components/schemas/Security_AI_Assistant_API_FindPromptsSortField'
        - description: Sort order, either asc or desc.
          in: query
          name: sort_order
          required: false
          schema:
            $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder'
        - description: Page number for pagination.
          in: query
          name: page
          required: false
          schema:
            default: 1
            example: 1
            minimum: 1
            type: integer
        - description: Number of prompts per page.
          in: query
          name: per_page
          required: false
          schema:
            default: 20
            example: 20
            minimum: 0
            type: integer
      responses:
        '200':
          content:
            application/json:
              examples:
                FindPromptsResponse200Example:
                  value:
                    data:
                      - categories:
                          - troubleshooting
                          - logging
                        color: '#FF5733'
                        consumer: security
                        content: If you encounter an error, check the logs and retry.
                        createdAt: '2025-04-20T21:00:00Z'
                        createdBy: jdoe
                        id: prompt-123
                        isDefault: true
                        isNewConversationDefault: false
                        name: Error Troubleshooting Prompt
                        namespace: default
                        promptType: standard
                        timestamp: '2025-04-30T22:30:00Z'
                        updatedAt: '2025-04-30T22:45:00Z'
                        updatedBy: jdoe
                        users:
                          - full_name: John Doe
                            username: jdoe
                    page: 1
                    perPage: 20
                    total: 142
              schema:
                example:
                  data:
                    - categories:
                        - troubleshooting
                        - logging
                      color: '#FF5733'
                      consumer: security
                      content: If you encounter an error, check the logs and retry.
                      createdAt: '2025-04-20T21:00:00Z'
                      createdBy: jdoe
                      id: prompt-123
                      isDefault: true
                      isNewConversationDefault: false
                      name: Error Troubleshooting Prompt
                      namespace: default
                      promptType: standard
                      timestamp: '2025-04-30T22:30:00Z'
                      updatedAt: '2025-04-30T22:45:00Z'
                      updatedBy: jdoe
                      users:
                        - full_name: John Doe
                          username: jdoe
                  page: 1
                  perPage: 20
                  total: 142
                type: object
                properties:
                  data:
                    description: The list of prompts returned based on the search query, sorting, and pagination.
                    items:
                      $ref: '#/components/schemas/Security_AI_Assistant_API_PromptResponse'
                    type: array
                  page:
                    description: Current page number.
                    example: 1
                    type: integer
                  perPage:
                    description: Number of prompts per page.
                    example: 20
                    type: integer
                  total:
                    description: Total number of prompts matching the query.
                    example: 142
                    type: integer
                required:
                  - page
                  - perPage
                  - total
                  - data
          description: Successful response containing a list of prompts.
        '400':
          content:
            application/json:
              examples:
                FindPromptsResponse400Example:
                  value:
                    error: Bad Request
                    message: Invalid sort order value provided.
                    statusCode: 400
              schema:
                type: object
                properties:
                  error:
                    description: Short error message.
                    example: Bad Request
                    type: string
                  message:
                    description: Detailed description of the error.
                    example: Invalid sort order value provided.
                    type: string
                  statusCode:
                    description: HTTP status code for the error.
                    example: 400
                    type: number
          description: Bad request due to invalid parameters or malformed query.
      summary: Get prompts
      tags:
        - Security AI Assistant API
      x-codeSamples:
        - label: Example request
          lang: curl
          source: |
            curl \
             --request GET 'http://localhost:5601/api/security_ai_assistant/prompts/_find?page=1&per_page=20' \
             --header "Authorization: $API_KEY"
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/security/entity_store:
    put:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb put">put</span>&nbsp;<span class="operation-path">/s/{space_id}/api/security/entity_store</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Update the Entity Store log extraction configuration.<br/><br/>[Required authorization] Route required privileges: securitySolution.
      operationId: put-security-entity-store
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            examples:
              updateLogExtractionExample:
                description: Update the log extraction configuration with a new lookback period and frequency.
                summary: Update log extraction settings
                value:
                  logExtraction:
                    fieldHistoryLength: 15
                    frequency: 10m
                    lookbackPeriod: 6h
            schema:
              additionalProperties: false
              type: object
              properties:
                logExtraction:
                  additionalProperties: false
                  type: object
                  properties:
                    additionalIndexPatterns:
                      items:
                        type: string
                      type: array
                    delay:
                      pattern: '[smdh]$'
                      type: string
                    docsLimit:
                      maximum: 9007199254740991
                      minimum: 1
                      type: integer
                    excludedIndexPatterns:
                      items:
                        type: string
                      type: array
                    fieldHistoryLength:
                      maximum: 9007199254740991
                      minimum: -9007199254740991
                      type: integer
                    frequency:
                      pattern: '[smdh]$'
                      type: string
                    lookbackPeriod:
                      pattern: '[smdh]$'
                      type: string
                    maxLogsPerPage:
                      maximum: 9007199254740991
                      minimum: 1
                      type: integer
                    maxTimeWindowSize:
                      pattern: '[smdh]$'
                      type: string
              required:
                - logExtraction
      responses:
        '200':
          content:
            application/json:
              examples:
                updateSuccessExample:
                  description: The Entity Store configuration was successfully updated.
                  summary: Entity Store updated
                  value:
                    ok: true
          description: Indicates a successful response.
        '400':
          content:
            application/json:
              examples:
                invalidDurationExample:
                  description: A log extraction parameter has an invalid duration format.
                  summary: Invalid duration parameter
                  value:
                    error: Bad Request
                    message: '[request body]: logExtraction.frequency: must be a valid duration of at least 30 seconds (e.g. 1m, 30s)'
                    statusCode: 400
          description: Bad request.
        '404':
          content:
            application/json:
              examples:
                notFoundExample:
                  description: The Entity Store has not been installed yet.
                  summary: Entity Store not installed
                  value:
                    error: Not Found
                    message: Entity store is not installed
                    statusCode: 404
          description: Entity Store not found.
      summary: Update the Entity Store
      tags:
        - Security entity store
      x-codeSamples:
        - lang: curl
          source: |
            curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \
              -H "Content-Type: application/json" \
              -d '{"logExtraction":{"lookbackPeriod":"6h","frequency":"10m","fieldHistoryLength":15}}' \
              "${KIBANA_URL}/api/security/entity_store"
        - lang: Console
          source: |
            PUT kbn:/api/security/entity_store
            {
              "logExtraction": {
                "lookbackPeriod": "6h",
                "frequency": "10m",
                "fieldHistoryLength": 15
              }
            }
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/security/entity_store/entities:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/security/entity_store/entities</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        List entity records from the Entity Store with paging, sorting, and filtering. Supports two modes: page-based pagination (page/per_page) and cursor-based pagination (searchAfter). The two modes cannot be combined.<br/><br/>[Required authorization] Route required privileges: securitySolution.
      operationId: get-security-entity-store-entities
      parameters:
        - description: A Kibana Query Language (KQL) filter for the search-after mode.
          in: query
          name: filter
          required: false
          schema:
            type: string
        - description: Number of entities to return in search-after mode.
          in: query
          name: size
          required: false
          schema:
            maximum: 9007199254740991
            minimum: 1
            type: integer
        - description: JSON-encoded search_after value for cursor-based pagination.
          in: query
          name: searchAfter
          required: false
          schema:
            type: string
        - description: Fields to include in the response source.
          in: query
          name: source
          required: false
          schema:
            items:
              type: string
            type: array
        - description: Fields to include in the response.
          in: query
          name: fields
          required: false
          schema:
            items:
              type: string
            type: array
        - description: Field to sort results by in page mode.
          in: query
          name: sort_field
          required: false
          schema:
            type: string
        - description: Sort order in page mode.
          in: query
          name: sort_order
          required: false
          schema:
            enum:
              - asc
              - desc
            type: string
        - description: Page number to return (1-indexed) in page mode.
          in: query
          name: page
          required: false
          schema:
            maximum: 9007199254740991
            minimum: 1
            type: integer
        - description: Number of entities per page in page mode.
          in: query
          name: per_page
          required: false
          schema:
            maximum: 10000
            minimum: 1
            type: integer
        - description: An Elasticsearch query string to filter entities in page mode.
          in: query
          name: filterQuery
          required: false
          schema:
            type: string
        - description: Entity types to include in the results.
          in: query
          name: entity_types
          required: false
          schema:
            items:
              enum:
                - user
                - host
                - service
                - generic
              type: string
            type: array
      responses:
        '200':
          content:
            application/json:
              examples:
                emptyResultExample:
                  description: No entities matched the query.
                  summary: Empty result
                  value:
                    page: 1
                    per_page: 10
                    records: []
                    total: 0
                pageModeExample:
                  description: A paginated list of host entities sorted by timestamp in descending order, including query inspection data.
                  summary: Page mode response with host entities
                  value:
                    inspect:
                      dsl:
                        - '{"index":["entities-latest-default"],"body":{"terms":{"entity.EngineMetadata.Type":["host"]}}}'
                      response:
                        - '{"took":1,"timed_out":false,"hits":{"total":{"value":1,"relation":"eq"}}}'
                    page: 1
                    per_page: 10
                    records:
                      - '@timestamp': '2026-04-10T08:30:00.000Z'
                        asset:
                          criticality: high_impact
                          environment: production
                        entity:
                          attributes:
                            asset: true
                            managed: true
                          id: host:web-server-prod-01
                          lifecycle:
                            first_seen: '2026-01-15T10:00:00.000Z'
                            last_activity: '2026-04-10T08:30:00.000Z'
                          name: web-server-prod-01
                          risk:
                            calculated_level: Moderate
                            calculated_score: 47.5
                            calculated_score_norm: 47.5
                          source:
                            - logs
                          type: host
                        host:
                          hostname:
                            - web-server-prod-01.example.com
                          ip:
                            - 10.0.1.42
                          name: web-server-prod-01
                          os:
                            name: Ubuntu
                            type: linux
                    total: 1
                searchAfterModeExample:
                  description: A cursor-based response with entities and a search_after token for the next page.
                  summary: Search-after mode response
                  value:
                    entities:
                      - '@timestamp': '2026-04-10T08:30:00.000Z'
                        entity:
                          id: user:jane.doe@example.com
                          name: jane.doe
                          type: user
                        user:
                          email:
                            - jane.doe@example.com
                          name: jane.doe
                    nextSearchAfter:
                      - 1712736600000
                      - 1
          description: Indicates a successful response.
        '400':
          content:
            application/json:
              examples:
                invalidFilterExample:
                  description: The provided Kibana Query Language filter could not be parsed.
                  summary: Invalid filter
                  value:
                    error: Bad Request
                    message: |-
                      Invalid filter: Expected "(", "{", value, whitespace but ":" found.
                      invalid :: query
                      ---------^
                    statusCode: 400
                mixedModesExample:
                  description: Cannot combine page-based pagination with cursor-based pagination in the same request.
                  summary: Mixed pagination modes
                  value:
                    error: Bad Request
                    message: '[request query]: Cannot combine page/per_page with searchAfter'
                    statusCode: 400
          description: Bad request.
      summary: List entities
      tags:
        - Security entity store
      x-codeSamples:
        - lang: curl
          source: |
            curl -X GET -H "Authorization: ApiKey ${API_KEY}" \
              "${KIBANA_URL}/api/security/entity_store/entities?entity_types=host&page=1&per_page=10&sort_field=%40timestamp&sort_order=desc"
        - lang: Console
          source: |
            GET kbn:/api/security/entity_store/entities?entity_types=host&page=1&per_page=10&sort_field=@timestamp&sort_order=desc
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/security/entity_store/entities/:
    delete:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/security/entity_store/entities/</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Delete a single entity record from the Entity Store. The entity is immediately removed from the latest index.<br/><br/>[Required authorization] Route required privileges: securitySolution.
      operationId: delete-security-entity-store-entities
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            examples:
              deleteEntityExample:
                description: Delete a single entity from the Entity Store using its entity identifier.
                summary: Delete an entity by identifier
                value:
                  entityId: host:web-server-prod-01
            schema:
              additionalProperties: false
              type: object
              properties:
                entityId:
                  description: The identifier of the entity to delete.
                  type: string
              required:
                - entityId
      responses:
        '200':
          content:
            application/json:
              examples:
                deleteSuccessExample:
                  description: The entity was found and successfully removed from the latest index.
                  summary: Entity deleted
                  value:
                    deleted: true
          description: Indicates the entity was successfully deleted.
        '404':
          content:
            application/json:
              examples:
                notFoundExample:
                  description: No entity with the specified identifier exists in the Entity Store.
                  summary: Entity not found
                  value:
                    error: Not Found
                    message: Entity ID 'host:web-server-prod-01' not found
                    statusCode: 404
          description: Entity not found.
      summary: Delete an entity
      tags:
        - Security entity store
      x-codeSamples:
        - lang: curl
          source: |
            curl -X DELETE -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \
              -H "Content-Type: application/json" \
              -d '{"entityId":"host:web-server-prod-01"}' \
              "${KIBANA_URL}/api/security/entity_store/entities/"
        - lang: Console
          source: |
            DELETE kbn:/api/security/entity_store/entities/
            {
              "entityId": "host:web-server-prod-01"
            }
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/security/entity_store/entities/{entityType}:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/security/entity_store/entities/{entityType}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Create a new entity record in the Entity Store for the specified entity type.<br/><br/>[Required authorization] Route required privileges: securitySolution.
      operationId: post-security-entity-store-entities-entitytype
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The entity type to create.
          in: path
          name: entityType
          required: true
          schema:
            enum:
              - user
              - host
              - service
              - generic
            type: string
      requestBody:
        content:
          application/json:
            examples:
              createHostEntityExample:
                description: Create a new host entity record with basic host and entity fields. The entity identifier must match the auto-generated format for the entity type.
                summary: Create a host entity
                value:
                  asset:
                    business_unit: Engineering
                    criticality: high_impact
                    environment: production
                  entity:
                    attributes:
                      asset: true
                      managed: true
                    id: host:web-server-prod-01
                    name: web-server-prod-01
                    source:
                      - manual
                    type: host
                  host:
                    hostname:
                      - web-server-prod-01.example.com
                    ip:
                      - 10.0.1.42
                    name: web-server-prod-01
            schema:
              anyOf:
                - additionalProperties: false
                  type: object
                  properties:
                    '@timestamp':
                      format: date-time
                      pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                      type: string
                    asset:
                      additionalProperties: false
                      type: object
                      properties:
                        business_unit:
                          type: string
                        criticality:
                          anyOf:
                            - enum:
                                - low_impact
                                - medium_impact
                                - high_impact
                                - extreme_impact
                              type: string
                            - nullable: true
                        environment:
                          type: string
                        id:
                          type: string
                        model:
                          type: string
                        name:
                          type: string
                        owner:
                          type: string
                        serial_number:
                          type: string
                        vendor:
                          type: string
                    entity:
                      additionalProperties: false
                      type: object
                      properties:
                        attributes:
                          additionalProperties: false
                          type: object
                          properties:
                            asset:
                              type: boolean
                            known_redirects:
                              items:
                                type: string
                              type: array
                            managed:
                              type: boolean
                            mfa_enabled:
                              type: boolean
                            oauth_consent_restriction:
                              type: string
                            permissions:
                              items:
                                type: string
                              type: array
                            storage_class:
                              type: string
                            watchlists:
                              items:
                                type: string
                              type: array
                        behaviors:
                          additionalProperties: false
                          type: object
                          properties:
                            anomaly_job_ids:
                              items:
                                type: string
                              type: array
                            rule_names:
                              items:
                                type: string
                              type: array
                        EngineMetadata:
                          additionalProperties: false
                          type: object
                          properties:
                            Type:
                              type: string
                        id:
                          type: string
                        lifecycle:
                          additionalProperties: false
                          type: object
                          properties:
                            first_seen:
                              format: date-time
                              pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                              type: string
                            last_activity:
                              format: date-time
                              pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                              type: string
                            last_seen:
                              format: date-time
                              pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                              type: string
                        name:
                          type: string
                        relationships:
                          additionalProperties: false
                          type: object
                          properties:
                            accesses_frequently:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                            accesses_infrequently:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                            administers:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                            communicates_with:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                            depends_on:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                            owns:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                            owns_inferred:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                            resolution:
                              additionalProperties: false
                              type: object
                              properties:
                                resolved_to:
                                  type: string
                                risk:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    calculated_level:
                                      enum:
                                        - Unknown
                                        - Low
                                        - Moderate
                                        - High
                                        - Critical
                                      type: string
                                    calculated_score:
                                      type: number
                                    calculated_score_norm:
                                      maximum: 100
                                      minimum: 0
                                      type: number
                            supervises:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                        risk:
                          additionalProperties: false
                          type: object
                          properties:
                            calculated_level:
                              enum:
                                - Unknown
                                - Low
                                - Moderate
                                - High
                                - Critical
                              type: string
                            calculated_score:
                              type: number
                            calculated_score_norm:
                              maximum: 100
                              minimum: 0
                              type: number
                        schema_version:
                          type: string
                        source:
                          items:
                            type: string
                          type: array
                        sub_type:
                          type: string
                        type:
                          type: string
                        url:
                          type: string
                    event:
                      additionalProperties: false
                      type: object
                      properties:
                        ingested:
                          format: date-time
                          pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                          type: string
                    labels:
                      additionalProperties: {}
                      type: object
                      properties: {}
                    tags:
                      items:
                        type: string
                      type: array
                    user:
                      additionalProperties: false
                      type: object
                      properties:
                        domain:
                          items:
                            type: string
                          type: array
                        email:
                          items:
                            type: string
                          type: array
                        full_name:
                          items:
                            type: string
                          type: array
                        hash:
                          items:
                            type: string
                          type: array
                        id:
                          items:
                            type: string
                          type: array
                        name:
                          type: string
                        risk:
                          additionalProperties: false
                          type: object
                          properties:
                            calculated_level:
                              enum:
                                - Unknown
                                - Low
                                - Moderate
                                - High
                                - Critical
                              type: string
                            calculated_score:
                              type: number
                            calculated_score_norm:
                              maximum: 100
                              minimum: 0
                              type: number
                        roles:
                          items:
                            type: string
                          type: array
                - additionalProperties: false
                  type: object
                  properties:
                    '@timestamp':
                      format: date-time
                      pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                      type: string
                    asset:
                      additionalProperties: false
                      type: object
                      properties:
                        business_unit:
                          type: string
                        criticality:
                          anyOf:
                            - enum:
                                - low_impact
                                - medium_impact
                                - high_impact
                                - extreme_impact
                              type: string
                            - nullable: true
                        environment:
                          type: string
                        id:
                          type: string
                        model:
                          type: string
                        name:
                          type: string
                        owner:
                          type: string
                        serial_number:
                          type: string
                        vendor:
                          type: string
                    entity:
                      additionalProperties: false
                      type: object
                      properties:
                        attributes:
                          additionalProperties: false
                          type: object
                          properties:
                            asset:
                              type: boolean
                            known_redirects:
                              items:
                                type: string
                              type: array
                            managed:
                              type: boolean
                            mfa_enabled:
                              type: boolean
                            oauth_consent_restriction:
                              type: string
                            permissions:
                              items:
                                type: string
                              type: array
                            storage_class:
                              type: string
                            watchlists:
                              items:
                                type: string
                              type: array
                        behaviors:
                          additionalProperties: false
                          type: object
                          properties:
                            anomaly_job_ids:
                              items:
                                type: string
                              type: array
                            rule_names:
                              items:
                                type: string
                              type: array
                        EngineMetadata:
                          additionalProperties: false
                          type: object
                          properties:
                            Type:
                              type: string
                        id:
                          type: string
                        lifecycle:
                          additionalProperties: false
                          type: object
                          properties:
                            first_seen:
                              format: date-time
                              pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                              type: string
                            last_activity:
                              format: date-time
                              pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                              type: string
                            last_seen:
                              format: date-time
                              pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                              type: string
                        name:
                          type: string
                        relationships:
                          additionalProperties: false
                          type: object
                          properties:
                            accesses_frequently:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                            accesses_infrequently:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                            administers:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                            communicates_with:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                            depends_on:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                            owns:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                            owns_inferred:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                            resolution:
                              additionalProperties: false
                              type: object
                              properties:
                                resolved_to:
                                  type: string
                                risk:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    calculated_level:
                                      enum:
                                        - Unknown
                                        - Low
                                        - Moderate
                                        - High
                                        - Critical
                                      type: string
                                    calculated_score:
                                      type: number
                                    calculated_score_norm:
                                      maximum: 100
                                      minimum: 0
                                      type: number
                            supervises:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                        risk:
                          additionalProperties: false
                          type: object
                          properties:
                            calculated_level:
                              enum:
                                - Unknown
                                - Low
                                - Moderate
                                - High
                                - Critical
                              type: string
                            calculated_score:
                              type: number
                            calculated_score_norm:
                              maximum: 100
                              minimum: 0
                              type: number
                        schema_version:
                          type: string
                        source:
                          items:
                            type: string
                          type: array
                        sub_type:
                          type: string
                        type:
                          type: string
                        url:
                          type: string
                    event:
                      additionalProperties: false
                      type: object
                      properties:
                        ingested:
                          format: date-time
                          pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                          type: string
                    host:
                      additionalProperties: false
                      type: object
                      properties:
                        architecture:
                          items:
                            type: string
                          type: array
                        domain:
                          items:
                            type: string
                          type: array
                        hostname:
                          items:
                            type: string
                          type: array
                        id:
                          items:
                            type: string
                          type: array
                        ip:
                          items:
                            type: string
                          type: array
                        mac:
                          items:
                            type: string
                          type: array
                        name:
                          type: string
                        os:
                          additionalProperties: false
                          type: object
                          properties:
                            family:
                              type: string
                            full:
                              type: string
                            kernel:
                              type: string
                            name:
                              anyOf:
                                - type: string
                                - items:
                                    type: string
                                  type: array
                            platform:
                              type: string
                            type:
                              anyOf:
                                - type: string
                                - items:
                                    type: string
                                  type: array
                            version:
                              type: string
                        risk:
                          additionalProperties: false
                          type: object
                          properties:
                            calculated_level:
                              enum:
                                - Unknown
                                - Low
                                - Moderate
                                - High
                                - Critical
                              type: string
                            calculated_score:
                              type: number
                            calculated_score_norm:
                              maximum: 100
                              minimum: 0
                              type: number
                        type:
                          items:
                            type: string
                          type: array
                    labels:
                      additionalProperties: {}
                      type: object
                      properties: {}
                    tags:
                      items:
                        type: string
                      type: array
                - additionalProperties: false
                  type: object
                  properties:
                    '@timestamp':
                      format: date-time
                      pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                      type: string
                    asset:
                      additionalProperties: false
                      type: object
                      properties:
                        business_unit:
                          type: string
                        criticality:
                          anyOf:
                            - enum:
                                - low_impact
                                - medium_impact
                                - high_impact
                                - extreme_impact
                              type: string
                            - nullable: true
                        environment:
                          type: string
                        id:
                          type: string
                        model:
                          type: string
                        name:
                          type: string
                        owner:
                          type: string
                        serial_number:
                          type: string
                        vendor:
                          type: string
                    entity:
                      additionalProperties: false
                      type: object
                      properties:
                        attributes:
                          additionalProperties: false
                          type: object
                          properties:
                            asset:
                              type: boolean
                            known_redirects:
                              items:
                                type: string
                              type: array
                            managed:
                              type: boolean
                            mfa_enabled:
                              type: boolean
                            oauth_consent_restriction:
                              type: string
                            permissions:
                              items:
                                type: string
                              type: array
                            storage_class:
                              type: string
                            watchlists:
                              items:
                                type: string
                              type: array
                        behaviors:
                          additionalProperties: false
                          type: object
                          properties:
                            anomaly_job_ids:
                              items:
                                type: string
                              type: array
                            rule_names:
                              items:
                                type: string
                              type: array
                        EngineMetadata:
                          additionalProperties: false
                          type: object
                          properties:
                            Type:
                              type: string
                        id:
                          type: string
                        lifecycle:
                          additionalProperties: false
                          type: object
                          properties:
                            first_seen:
                              format: date-time
                              pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                              type: string
                            last_activity:
                              format: date-time
                              pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                              type: string
                            last_seen:
                              format: date-time
                              pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                              type: string
                        name:
                          type: string
                        relationships:
                          additionalProperties: false
                          type: object
                          properties:
                            accesses_frequently:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                            accesses_infrequently:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                            administers:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                            communicates_with:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                            depends_on:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                            owns:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                            owns_inferred:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                            resolution:
                              additionalProperties: false
                              type: object
                              properties:
                                resolved_to:
                                  type: string
                                risk:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    calculated_level:
                                      enum:
                                        - Unknown
                                        - Low
                                        - Moderate
                                        - High
                                        - Critical
                                      type: string
                                    calculated_score:
                                      type: number
                                    calculated_score_norm:
                                      maximum: 100
                                      minimum: 0
                                      type: number
                            supervises:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                        risk:
                          additionalProperties: false
                          type: object
                          properties:
                            calculated_level:
                              enum:
                                - Unknown
                                - Low
                                - Moderate
                                - High
                                - Critical
                              type: string
                            calculated_score:
                              type: number
                            calculated_score_norm:
                              maximum: 100
                              minimum: 0
                              type: number
                        schema_version:
                          type: string
                        source:
                          items:
                            type: string
                          type: array
                        sub_type:
                          type: string
                        type:
                          type: string
                        url:
                          type: string
                    event:
                      additionalProperties: false
                      type: object
                      properties:
                        ingested:
                          format: date-time
                          pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                          type: string
                    labels:
                      additionalProperties: {}
                      type: object
                      properties: {}
                    service:
                      additionalProperties: false
                      type: object
                      properties:
                        address:
                          type: string
                        environment:
                          type: string
                        ephemeral_id:
                          type: string
                        id:
                          type: string
                        name:
                          type: string
                        node:
                          additionalProperties: false
                          type: object
                          properties:
                            name:
                              type: string
                            role:
                              type: string
                            roles:
                              items:
                                type: string
                              type: array
                        risk:
                          additionalProperties: false
                          type: object
                          properties:
                            calculated_level:
                              enum:
                                - Unknown
                                - Low
                                - Moderate
                                - High
                                - Critical
                              type: string
                            calculated_score:
                              type: number
                            calculated_score_norm:
                              maximum: 100
                              minimum: 0
                              type: number
                        state:
                          type: string
                        type:
                          type: string
                        version:
                          type: string
                    tags:
                      items:
                        type: string
                      type: array
                - additionalProperties: false
                  type: object
                  properties:
                    '@timestamp':
                      format: date-time
                      pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                      type: string
                    asset:
                      additionalProperties: false
                      type: object
                      properties:
                        business_unit:
                          type: string
                        criticality:
                          anyOf:
                            - enum:
                                - low_impact
                                - medium_impact
                                - high_impact
                                - extreme_impact
                              type: string
                            - nullable: true
                        environment:
                          type: string
                        id:
                          type: string
                        model:
                          type: string
                        name:
                          type: string
                        owner:
                          type: string
                        serial_number:
                          type: string
                        vendor:
                          type: string
                    cloud:
                      additionalProperties: false
                      type: object
                      properties:
                        account:
                          additionalProperties: false
                          type: object
                          properties:
                            id:
                              type: string
                            name:
                              type: string
                        availability_zone:
                          type: string
                        instance:
                          additionalProperties: false
                          type: object
                          properties:
                            id:
                              type: string
                            name:
                              type: string
                        machine:
                          additionalProperties: false
                          type: object
                          properties:
                            type:
                              type: string
                        project:
                          additionalProperties: false
                          type: object
                          properties:
                            id:
                              type: string
                            name:
                              type: string
                        provider:
                          type: string
                        region:
                          type: string
                        service:
                          additionalProperties: false
                          type: object
                          properties:
                            name:
                              type: string
                    entity:
                      additionalProperties: false
                      type: object
                      properties:
                        attributes:
                          additionalProperties: false
                          type: object
                          properties:
                            asset:
                              type: boolean
                            known_redirects:
                              items:
                                type: string
                              type: array
                            managed:
                              type: boolean
                            mfa_enabled:
                              type: boolean
                            oauth_consent_restriction:
                              type: string
                            permissions:
                              items:
                                type: string
                              type: array
                            storage_class:
                              type: string
                            watchlists:
                              items:
                                type: string
                              type: array
                        behaviors:
                          additionalProperties: false
                          type: object
                          properties:
                            anomaly_job_ids:
                              items:
                                type: string
                              type: array
                            rule_names:
                              items:
                                type: string
                              type: array
                        EngineMetadata:
                          additionalProperties: false
                          type: object
                          properties:
                            Type:
                              type: string
                        id:
                          type: string
                        lifecycle:
                          additionalProperties: false
                          type: object
                          properties:
                            first_seen:
                              format: date-time
                              pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                              type: string
                            last_activity:
                              format: date-time
                              pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                              type: string
                            last_seen:
                              format: date-time
                              pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                              type: string
                        name:
                          type: string
                        relationships:
                          additionalProperties: false
                          type: object
                          properties:
                            accesses_frequently:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                            accesses_infrequently:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                            administers:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                            communicates_with:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                            depends_on:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                            owns:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                            owns_inferred:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                            resolution:
                              additionalProperties: false
                              type: object
                              properties:
                                resolved_to:
                                  type: string
                                risk:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    calculated_level:
                                      enum:
                                        - Unknown
                                        - Low
                                        - Moderate
                                        - High
                                        - Critical
                                      type: string
                                    calculated_score:
                                      type: number
                                    calculated_score_norm:
                                      maximum: 100
                                      minimum: 0
                                      type: number
                            supervises:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                        risk:
                          additionalProperties: false
                          type: object
                          properties:
                            calculated_level:
                              enum:
                                - Unknown
                                - Low
                                - Moderate
                                - High
                                - Critical
                              type: string
                            calculated_score:
                              type: number
                            calculated_score_norm:
                              maximum: 100
                              minimum: 0
                              type: number
                        schema_version:
                          type: string
                        source:
                          items:
                            type: string
                          type: array
                        sub_type:
                          type: string
                        type:
                          type: string
                        url:
                          type: string
                    event:
                      additionalProperties: false
                      type: object
                      properties:
                        ingested:
                          format: date-time
                          pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                          type: string
                    labels:
                      additionalProperties: {}
                      type: object
                      properties: {}
                    orchestrator:
                      additionalProperties: false
                      type: object
                      properties:
                        api_version:
                          type: string
                        cluster:
                          additionalProperties: false
                          type: object
                          properties:
                            id:
                              type: string
                            name:
                              type: string
                            url:
                              type: string
                            version:
                              type: string
                        namespace:
                          type: string
                        organization:
                          type: string
                        resource:
                          additionalProperties: false
                          type: object
                          properties:
                            annotation:
                              type: string
                            id:
                              type: string
                            ip:
                              type: string
                            label:
                              type: string
                            name:
                              type: string
                            parent:
                              additionalProperties: false
                              type: object
                              properties:
                                type:
                                  type: string
                            type:
                              type: string
                        type:
                          type: string
                    tags:
                      items:
                        type: string
                      type: array
      responses:
        '200':
          content:
            application/json:
              examples:
                createSuccessExample:
                  description: The entity record was successfully created in the Entity Store.
                  summary: Entity created
                  value:
                    ok: true
          description: Indicates the entity was successfully created.
        '400':
          content:
            application/json:
              examples:
                euidMismatchExample:
                  description: The supplied entity identifier does not match the auto-generated identifier derived from the entity fields.
                  summary: Entity identifier mismatch
                  value:
                    error: Bad Request
                    message: 'Bad request: Supplied ID my-custom-id does not match generated EUID host:web-server-prod-01'
                    statusCode: 400
          description: Bad request.
        '409':
          content:
            application/json:
              examples:
                conflictExample:
                  description: An entity with the specified identifier already exists.
                  summary: Entity already exists
                  value:
                    error: Conflict
                    message: Entity ID 'host:web-server-prod-01' already exists
                    statusCode: 409
          description: Conflict.
      summary: Create an entity
      tags:
        - Security entity store
      x-codeSamples:
        - lang: curl
          source: |
            curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \
              -H "Content-Type: application/json" \
              -d '{"entity":{"id":"host:web-server-prod-01","name":"web-server-prod-01","type":"host","source":["manual"],"attributes":{"asset":true}},"host":{"name":"web-server-prod-01","ip":["10.0.1.42"]}}' \
              "${KIBANA_URL}/api/security/entity_store/entities/host"
        - lang: Console
          source: |
            POST kbn:/api/security/entity_store/entities/host
            {
              "entity": {
                "id": "host:web-server-prod-01",
                "name": "web-server-prod-01",
                "type": "host",
                "source": ["manual"],
                "attributes": { "asset": true }
              },
              "host": {
                "name": "web-server-prod-01",
                "ip": ["10.0.1.42"]
              }
            }
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    put:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb put">put</span>&nbsp;<span class="operation-path">/s/{space_id}/api/security/entity_store/entities/{entityType}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Update an existing entity record in the Entity Store. By default, only certain fields can be updated. Set the `force` query parameter to `true` to update protected fields.<br/><br/>[Required authorization] Route required privileges: securitySolution.
      operationId: put-security-entity-store-entities-entitytype
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The entity type to update.
          in: path
          name: entityType
          required: true
          schema:
            enum:
              - user
              - host
              - service
              - generic
            type: string
        - description: When true, allows updating protected fields.
          in: query
          name: force
          required: false
          schema:
            anyOf:
              - enum:
                  - 'true'
                  - 'false'
                type: string
              - type: boolean
            default: false
      requestBody:
        content:
          application/json:
            examples:
              updateEntityAttributesExample:
                description: Update the attributes of an existing user entity. Fields like entity.name and entity.type are protected and require the force query parameter.
                summary: Update entity attributes
                value:
                  entity:
                    attributes:
                      managed: true
                      mfa_enabled: true
                    id: user:jane.doe@example.com
                    lifecycle:
                      last_activity: '2026-04-10T14:30:00.000Z'
                    name: jane.doe
                    type: user
                  user:
                    email:
                      - jane.doe@example.com
                    name: jane.doe
                    roles:
                      - admin
                      - analyst
            schema:
              anyOf:
                - additionalProperties: false
                  type: object
                  properties:
                    '@timestamp':
                      format: date-time
                      pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                      type: string
                    asset:
                      additionalProperties: false
                      type: object
                      properties:
                        business_unit:
                          type: string
                        criticality:
                          anyOf:
                            - enum:
                                - low_impact
                                - medium_impact
                                - high_impact
                                - extreme_impact
                              type: string
                            - nullable: true
                        environment:
                          type: string
                        id:
                          type: string
                        model:
                          type: string
                        name:
                          type: string
                        owner:
                          type: string
                        serial_number:
                          type: string
                        vendor:
                          type: string
                    entity:
                      additionalProperties: false
                      type: object
                      properties:
                        attributes:
                          additionalProperties: false
                          type: object
                          properties:
                            asset:
                              type: boolean
                            known_redirects:
                              items:
                                type: string
                              type: array
                            managed:
                              type: boolean
                            mfa_enabled:
                              type: boolean
                            oauth_consent_restriction:
                              type: string
                            permissions:
                              items:
                                type: string
                              type: array
                            storage_class:
                              type: string
                            watchlists:
                              items:
                                type: string
                              type: array
                        behaviors:
                          additionalProperties: false
                          type: object
                          properties:
                            anomaly_job_ids:
                              items:
                                type: string
                              type: array
                            rule_names:
                              items:
                                type: string
                              type: array
                        EngineMetadata:
                          additionalProperties: false
                          type: object
                          properties:
                            Type:
                              type: string
                        id:
                          type: string
                        lifecycle:
                          additionalProperties: false
                          type: object
                          properties:
                            first_seen:
                              format: date-time
                              pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                              type: string
                            last_activity:
                              format: date-time
                              pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                              type: string
                            last_seen:
                              format: date-time
                              pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                              type: string
                        name:
                          type: string
                        relationships:
                          additionalProperties: false
                          type: object
                          properties:
                            accesses_frequently:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                            accesses_infrequently:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                            administers:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                            communicates_with:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                            depends_on:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                            owns:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                            owns_inferred:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                            resolution:
                              additionalProperties: false
                              type: object
                              properties:
                                resolved_to:
                                  type: string
                                risk:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    calculated_level:
                                      enum:
                                        - Unknown
                                        - Low
                                        - Moderate
                                        - High
                                        - Critical
                                      type: string
                                    calculated_score:
                                      type: number
                                    calculated_score_norm:
                                      maximum: 100
                                      minimum: 0
                                      type: number
                            supervises:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                        risk:
                          additionalProperties: false
                          type: object
                          properties:
                            calculated_level:
                              enum:
                                - Unknown
                                - Low
                                - Moderate
                                - High
                                - Critical
                              type: string
                            calculated_score:
                              type: number
                            calculated_score_norm:
                              maximum: 100
                              minimum: 0
                              type: number
                        schema_version:
                          type: string
                        source:
                          items:
                            type: string
                          type: array
                        sub_type:
                          type: string
                        type:
                          type: string
                        url:
                          type: string
                    event:
                      additionalProperties: false
                      type: object
                      properties:
                        ingested:
                          format: date-time
                          pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                          type: string
                    labels:
                      additionalProperties: {}
                      type: object
                      properties: {}
                    tags:
                      items:
                        type: string
                      type: array
                    user:
                      additionalProperties: false
                      type: object
                      properties:
                        domain:
                          items:
                            type: string
                          type: array
                        email:
                          items:
                            type: string
                          type: array
                        full_name:
                          items:
                            type: string
                          type: array
                        hash:
                          items:
                            type: string
                          type: array
                        id:
                          items:
                            type: string
                          type: array
                        name:
                          type: string
                        risk:
                          additionalProperties: false
                          type: object
                          properties:
                            calculated_level:
                              enum:
                                - Unknown
                                - Low
                                - Moderate
                                - High
                                - Critical
                              type: string
                            calculated_score:
                              type: number
                            calculated_score_norm:
                              maximum: 100
                              minimum: 0
                              type: number
                        roles:
                          items:
                            type: string
                          type: array
                - additionalProperties: false
                  type: object
                  properties:
                    '@timestamp':
                      format: date-time
                      pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                      type: string
                    asset:
                      additionalProperties: false
                      type: object
                      properties:
                        business_unit:
                          type: string
                        criticality:
                          anyOf:
                            - enum:
                                - low_impact
                                - medium_impact
                                - high_impact
                                - extreme_impact
                              type: string
                            - nullable: true
                        environment:
                          type: string
                        id:
                          type: string
                        model:
                          type: string
                        name:
                          type: string
                        owner:
                          type: string
                        serial_number:
                          type: string
                        vendor:
                          type: string
                    entity:
                      additionalProperties: false
                      type: object
                      properties:
                        attributes:
                          additionalProperties: false
                          type: object
                          properties:
                            asset:
                              type: boolean
                            known_redirects:
                              items:
                                type: string
                              type: array
                            managed:
                              type: boolean
                            mfa_enabled:
                              type: boolean
                            oauth_consent_restriction:
                              type: string
                            permissions:
                              items:
                                type: string
                              type: array
                            storage_class:
                              type: string
                            watchlists:
                              items:
                                type: string
                              type: array
                        behaviors:
                          additionalProperties: false
                          type: object
                          properties:
                            anomaly_job_ids:
                              items:
                                type: string
                              type: array
                            rule_names:
                              items:
                                type: string
                              type: array
                        EngineMetadata:
                          additionalProperties: false
                          type: object
                          properties:
                            Type:
                              type: string
                        id:
                          type: string
                        lifecycle:
                          additionalProperties: false
                          type: object
                          properties:
                            first_seen:
                              format: date-time
                              pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                              type: string
                            last_activity:
                              format: date-time
                              pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                              type: string
                            last_seen:
                              format: date-time
                              pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                              type: string
                        name:
                          type: string
                        relationships:
                          additionalProperties: false
                          type: object
                          properties:
                            accesses_frequently:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                            accesses_infrequently:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                            administers:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                            communicates_with:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                            depends_on:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                            owns:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                            owns_inferred:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                            resolution:
                              additionalProperties: false
                              type: object
                              properties:
                                resolved_to:
                                  type: string
                                risk:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    calculated_level:
                                      enum:
                                        - Unknown
                                        - Low
                                        - Moderate
                                        - High
                                        - Critical
                                      type: string
                                    calculated_score:
                                      type: number
                                    calculated_score_norm:
                                      maximum: 100
                                      minimum: 0
                                      type: number
                            supervises:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                        risk:
                          additionalProperties: false
                          type: object
                          properties:
                            calculated_level:
                              enum:
                                - Unknown
                                - Low
                                - Moderate
                                - High
                                - Critical
                              type: string
                            calculated_score:
                              type: number
                            calculated_score_norm:
                              maximum: 100
                              minimum: 0
                              type: number
                        schema_version:
                          type: string
                        source:
                          items:
                            type: string
                          type: array
                        sub_type:
                          type: string
                        type:
                          type: string
                        url:
                          type: string
                    event:
                      additionalProperties: false
                      type: object
                      properties:
                        ingested:
                          format: date-time
                          pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                          type: string
                    host:
                      additionalProperties: false
                      type: object
                      properties:
                        architecture:
                          items:
                            type: string
                          type: array
                        domain:
                          items:
                            type: string
                          type: array
                        hostname:
                          items:
                            type: string
                          type: array
                        id:
                          items:
                            type: string
                          type: array
                        ip:
                          items:
                            type: string
                          type: array
                        mac:
                          items:
                            type: string
                          type: array
                        name:
                          type: string
                        os:
                          additionalProperties: false
                          type: object
                          properties:
                            family:
                              type: string
                            full:
                              type: string
                            kernel:
                              type: string
                            name:
                              anyOf:
                                - type: string
                                - items:
                                    type: string
                                  type: array
                            platform:
                              type: string
                            type:
                              anyOf:
                                - type: string
                                - items:
                                    type: string
                                  type: array
                            version:
                              type: string
                        risk:
                          additionalProperties: false
                          type: object
                          properties:
                            calculated_level:
                              enum:
                                - Unknown
                                - Low
                                - Moderate
                                - High
                                - Critical
                              type: string
                            calculated_score:
                              type: number
                            calculated_score_norm:
                              maximum: 100
                              minimum: 0
                              type: number
                        type:
                          items:
                            type: string
                          type: array
                    labels:
                      additionalProperties: {}
                      type: object
                      properties: {}
                    tags:
                      items:
                        type: string
                      type: array
                - additionalProperties: false
                  type: object
                  properties:
                    '@timestamp':
                      format: date-time
                      pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                      type: string
                    asset:
                      additionalProperties: false
                      type: object
                      properties:
                        business_unit:
                          type: string
                        criticality:
                          anyOf:
                            - enum:
                                - low_impact
                                - medium_impact
                                - high_impact
                                - extreme_impact
                              type: string
                            - nullable: true
                        environment:
                          type: string
                        id:
                          type: string
                        model:
                          type: string
                        name:
                          type: string
                        owner:
                          type: string
                        serial_number:
                          type: string
                        vendor:
                          type: string
                    entity:
                      additionalProperties: false
                      type: object
                      properties:
                        attributes:
                          additionalProperties: false
                          type: object
                          properties:
                            asset:
                              type: boolean
                            known_redirects:
                              items:
                                type: string
                              type: array
                            managed:
                              type: boolean
                            mfa_enabled:
                              type: boolean
                            oauth_consent_restriction:
                              type: string
                            permissions:
                              items:
                                type: string
                              type: array
                            storage_class:
                              type: string
                            watchlists:
                              items:
                                type: string
                              type: array
                        behaviors:
                          additionalProperties: false
                          type: object
                          properties:
                            anomaly_job_ids:
                              items:
                                type: string
                              type: array
                            rule_names:
                              items:
                                type: string
                              type: array
                        EngineMetadata:
                          additionalProperties: false
                          type: object
                          properties:
                            Type:
                              type: string
                        id:
                          type: string
                        lifecycle:
                          additionalProperties: false
                          type: object
                          properties:
                            first_seen:
                              format: date-time
                              pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                              type: string
                            last_activity:
                              format: date-time
                              pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                              type: string
                            last_seen:
                              format: date-time
                              pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                              type: string
                        name:
                          type: string
                        relationships:
                          additionalProperties: false
                          type: object
                          properties:
                            accesses_frequently:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                            accesses_infrequently:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                            administers:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                            communicates_with:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                            depends_on:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                            owns:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                            owns_inferred:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                            resolution:
                              additionalProperties: false
                              type: object
                              properties:
                                resolved_to:
                                  type: string
                                risk:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    calculated_level:
                                      enum:
                                        - Unknown
                                        - Low
                                        - Moderate
                                        - High
                                        - Critical
                                      type: string
                                    calculated_score:
                                      type: number
                                    calculated_score_norm:
                                      maximum: 100
                                      minimum: 0
                                      type: number
                            supervises:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                        risk:
                          additionalProperties: false
                          type: object
                          properties:
                            calculated_level:
                              enum:
                                - Unknown
                                - Low
                                - Moderate
                                - High
                                - Critical
                              type: string
                            calculated_score:
                              type: number
                            calculated_score_norm:
                              maximum: 100
                              minimum: 0
                              type: number
                        schema_version:
                          type: string
                        source:
                          items:
                            type: string
                          type: array
                        sub_type:
                          type: string
                        type:
                          type: string
                        url:
                          type: string
                    event:
                      additionalProperties: false
                      type: object
                      properties:
                        ingested:
                          format: date-time
                          pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                          type: string
                    labels:
                      additionalProperties: {}
                      type: object
                      properties: {}
                    service:
                      additionalProperties: false
                      type: object
                      properties:
                        address:
                          type: string
                        environment:
                          type: string
                        ephemeral_id:
                          type: string
                        id:
                          type: string
                        name:
                          type: string
                        node:
                          additionalProperties: false
                          type: object
                          properties:
                            name:
                              type: string
                            role:
                              type: string
                            roles:
                              items:
                                type: string
                              type: array
                        risk:
                          additionalProperties: false
                          type: object
                          properties:
                            calculated_level:
                              enum:
                                - Unknown
                                - Low
                                - Moderate
                                - High
                                - Critical
                              type: string
                            calculated_score:
                              type: number
                            calculated_score_norm:
                              maximum: 100
                              minimum: 0
                              type: number
                        state:
                          type: string
                        type:
                          type: string
                        version:
                          type: string
                    tags:
                      items:
                        type: string
                      type: array
                - additionalProperties: false
                  type: object
                  properties:
                    '@timestamp':
                      format: date-time
                      pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                      type: string
                    asset:
                      additionalProperties: false
                      type: object
                      properties:
                        business_unit:
                          type: string
                        criticality:
                          anyOf:
                            - enum:
                                - low_impact
                                - medium_impact
                                - high_impact
                                - extreme_impact
                              type: string
                            - nullable: true
                        environment:
                          type: string
                        id:
                          type: string
                        model:
                          type: string
                        name:
                          type: string
                        owner:
                          type: string
                        serial_number:
                          type: string
                        vendor:
                          type: string
                    cloud:
                      additionalProperties: false
                      type: object
                      properties:
                        account:
                          additionalProperties: false
                          type: object
                          properties:
                            id:
                              type: string
                            name:
                              type: string
                        availability_zone:
                          type: string
                        instance:
                          additionalProperties: false
                          type: object
                          properties:
                            id:
                              type: string
                            name:
                              type: string
                        machine:
                          additionalProperties: false
                          type: object
                          properties:
                            type:
                              type: string
                        project:
                          additionalProperties: false
                          type: object
                          properties:
                            id:
                              type: string
                            name:
                              type: string
                        provider:
                          type: string
                        region:
                          type: string
                        service:
                          additionalProperties: false
                          type: object
                          properties:
                            name:
                              type: string
                    entity:
                      additionalProperties: false
                      type: object
                      properties:
                        attributes:
                          additionalProperties: false
                          type: object
                          properties:
                            asset:
                              type: boolean
                            known_redirects:
                              items:
                                type: string
                              type: array
                            managed:
                              type: boolean
                            mfa_enabled:
                              type: boolean
                            oauth_consent_restriction:
                              type: string
                            permissions:
                              items:
                                type: string
                              type: array
                            storage_class:
                              type: string
                            watchlists:
                              items:
                                type: string
                              type: array
                        behaviors:
                          additionalProperties: false
                          type: object
                          properties:
                            anomaly_job_ids:
                              items:
                                type: string
                              type: array
                            rule_names:
                              items:
                                type: string
                              type: array
                        EngineMetadata:
                          additionalProperties: false
                          type: object
                          properties:
                            Type:
                              type: string
                        id:
                          type: string
                        lifecycle:
                          additionalProperties: false
                          type: object
                          properties:
                            first_seen:
                              format: date-time
                              pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                              type: string
                            last_activity:
                              format: date-time
                              pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                              type: string
                            last_seen:
                              format: date-time
                              pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                              type: string
                        name:
                          type: string
                        relationships:
                          additionalProperties: false
                          type: object
                          properties:
                            accesses_frequently:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                            accesses_infrequently:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                            administers:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                            communicates_with:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                            depends_on:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                            owns:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                            owns_inferred:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                            resolution:
                              additionalProperties: false
                              type: object
                              properties:
                                resolved_to:
                                  type: string
                                risk:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    calculated_level:
                                      enum:
                                        - Unknown
                                        - Low
                                        - Moderate
                                        - High
                                        - Critical
                                      type: string
                                    calculated_score:
                                      type: number
                                    calculated_score_norm:
                                      maximum: 100
                                      minimum: 0
                                      type: number
                            supervises:
                              additionalProperties: false
                              type: object
                              properties:
                                ids:
                                  items:
                                    type: string
                                  type: array
                                raw_identifiers:
                                  additionalProperties: false
                                  type: object
                                  properties:
                                    entity.id:
                                      items:
                                        type: string
                                      type: array
                                    host.id:
                                      items:
                                        type: string
                                      type: array
                                    host.name:
                                      items:
                                        type: string
                                      type: array
                                    service.name:
                                      items:
                                        type: string
                                      type: array
                                    user.email:
                                      items:
                                        type: string
                                      type: array
                                    user.id:
                                      items:
                                        type: string
                                      type: array
                                    user.name:
                                      items:
                                        type: string
                                      type: array
                        risk:
                          additionalProperties: false
                          type: object
                          properties:
                            calculated_level:
                              enum:
                                - Unknown
                                - Low
                                - Moderate
                                - High
                                - Critical
                              type: string
                            calculated_score:
                              type: number
                            calculated_score_norm:
                              maximum: 100
                              minimum: 0
                              type: number
                        schema_version:
                          type: string
                        source:
                          items:
                            type: string
                          type: array
                        sub_type:
                          type: string
                        type:
                          type: string
                        url:
                          type: string
                    event:
                      additionalProperties: false
                      type: object
                      properties:
                        ingested:
                          format: date-time
                          pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                          type: string
                    labels:
                      additionalProperties: {}
                      type: object
                      properties: {}
                    orchestrator:
                      additionalProperties: false
                      type: object
                      properties:
                        api_version:
                          type: string
                        cluster:
                          additionalProperties: false
                          type: object
                          properties:
                            id:
                              type: string
                            name:
                              type: string
                            url:
                              type: string
                            version:
                              type: string
                        namespace:
                          type: string
                        organization:
                          type: string
                        resource:
                          additionalProperties: false
                          type: object
                          properties:
                            annotation:
                              type: string
                            id:
                              type: string
                            ip:
                              type: string
                            label:
                              type: string
                            name:
                              type: string
                            parent:
                              additionalProperties: false
                              type: object
                              properties:
                                type:
                                  type: string
                            type:
                              type: string
                        type:
                          type: string
                    tags:
                      items:
                        type: string
                      type: array
      responses:
        '200':
          content:
            application/json:
              examples:
                updateSuccessExample:
                  description: The entity record was successfully updated.
                  summary: Entity updated
                  value:
                    ok: true
          description: Indicates the entity was successfully updated.
        '400':
          content:
            application/json:
              examples:
                protectedFieldsExample:
                  description: The request attempts to update protected fields without the force query parameter.
                  summary: Protected fields without force
                  value:
                    error: Bad Request
                    message: 'Bad request: The following attributes are not allowed to be updated without forcing it (?force=true): entity.name, entity.type'
                    statusCode: 400
          description: Bad request.
        '404':
          content:
            application/json:
              examples:
                notFoundExample:
                  description: No entity with the specified identifier exists.
                  summary: Entity not found
                  value:
                    error: Not Found
                    message: Entity ID 'user:jane.doe@example.com' not found
                    statusCode: 404
          description: Entity not found.
      summary: Update an entity
      tags:
        - Security entity store
      x-codeSamples:
        - lang: curl
          source: |
            curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \
              -H "Content-Type: application/json" \
              -d '{"entity":{"id":"user:jane.doe@example.com","name":"jane.doe","type":"user","attributes":{"managed":true,"mfa_enabled":true}},"user":{"name":"jane.doe"}}' \
              "${KIBANA_URL}/api/security/entity_store/entities/user?force=true"
        - lang: Console
          source: |
            PUT kbn:/api/security/entity_store/entities/user?force=true
            {
              "entity": {
                "id": "user:jane.doe@example.com",
                "name": "jane.doe",
                "type": "user",
                "attributes": { "managed": true, "mfa_enabled": true }
              },
              "user": { "name": "jane.doe" }
            }
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/security/entity_store/entities/bulk:
    put:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb put">put</span>&nbsp;<span class="operation-path">/s/{space_id}/api/security/entity_store/entities/bulk</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Update multiple entity records in the Entity Store in a single request.<br/><br/>[Required authorization] Route required privileges: securitySolution.
      operationId: put-security-entity-store-entities-bulk
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: When true, allows updating protected fields.
          in: query
          name: force
          required: false
          schema:
            anyOf:
              - enum:
                  - 'true'
                  - 'false'
                type: string
              - type: boolean
            default: false
      requestBody:
        content:
          application/json:
            examples:
              bulkUpdateExample:
                description: Update a host entity and a user entity in a single request.
                summary: Bulk update multiple entities
                value:
                  entities:
                    - doc:
                        entity:
                          attributes:
                            asset: true
                          id: host:web-server-prod-01
                          name: web-server-prod-01
                          type: host
                        host:
                          name: web-server-prod-01
                      type: host
                    - doc:
                        entity:
                          attributes:
                            managed: true
                          id: user:jane.doe@example.com
                          name: jane.doe
                          type: user
                        user:
                          name: jane.doe
                      type: user
            schema:
              additionalProperties: false
              type: object
              properties:
                entities:
                  description: The entities to update.
                  items:
                    type: object
                    properties:
                      doc:
                        anyOf:
                          - additionalProperties: false
                            type: object
                            properties:
                              '@timestamp':
                                format: date-time
                                pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                                type: string
                              asset:
                                additionalProperties: false
                                type: object
                                properties:
                                  business_unit:
                                    type: string
                                  criticality:
                                    anyOf:
                                      - enum:
                                          - low_impact
                                          - medium_impact
                                          - high_impact
                                          - extreme_impact
                                        type: string
                                      - nullable: true
                                  environment:
                                    type: string
                                  id:
                                    type: string
                                  model:
                                    type: string
                                  name:
                                    type: string
                                  owner:
                                    type: string
                                  serial_number:
                                    type: string
                                  vendor:
                                    type: string
                              entity:
                                additionalProperties: false
                                type: object
                                properties:
                                  attributes:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      asset:
                                        type: boolean
                                      known_redirects:
                                        items:
                                          type: string
                                        type: array
                                      managed:
                                        type: boolean
                                      mfa_enabled:
                                        type: boolean
                                      oauth_consent_restriction:
                                        type: string
                                      permissions:
                                        items:
                                          type: string
                                        type: array
                                      storage_class:
                                        type: string
                                      watchlists:
                                        items:
                                          type: string
                                        type: array
                                  behaviors:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      anomaly_job_ids:
                                        items:
                                          type: string
                                        type: array
                                      rule_names:
                                        items:
                                          type: string
                                        type: array
                                  EngineMetadata:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      Type:
                                        type: string
                                  id:
                                    type: string
                                  lifecycle:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      first_seen:
                                        format: date-time
                                        pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                                        type: string
                                      last_activity:
                                        format: date-time
                                        pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                                        type: string
                                      last_seen:
                                        format: date-time
                                        pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                                        type: string
                                  name:
                                    type: string
                                  relationships:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      accesses_frequently:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          ids:
                                            items:
                                              type: string
                                            type: array
                                          raw_identifiers:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              entity.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.name:
                                                items:
                                                  type: string
                                                type: array
                                              service.name:
                                                items:
                                                  type: string
                                                type: array
                                              user.email:
                                                items:
                                                  type: string
                                                type: array
                                              user.id:
                                                items:
                                                  type: string
                                                type: array
                                              user.name:
                                                items:
                                                  type: string
                                                type: array
                                      accesses_infrequently:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          ids:
                                            items:
                                              type: string
                                            type: array
                                          raw_identifiers:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              entity.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.name:
                                                items:
                                                  type: string
                                                type: array
                                              service.name:
                                                items:
                                                  type: string
                                                type: array
                                              user.email:
                                                items:
                                                  type: string
                                                type: array
                                              user.id:
                                                items:
                                                  type: string
                                                type: array
                                              user.name:
                                                items:
                                                  type: string
                                                type: array
                                      administers:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          ids:
                                            items:
                                              type: string
                                            type: array
                                          raw_identifiers:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              entity.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.name:
                                                items:
                                                  type: string
                                                type: array
                                              service.name:
                                                items:
                                                  type: string
                                                type: array
                                              user.email:
                                                items:
                                                  type: string
                                                type: array
                                              user.id:
                                                items:
                                                  type: string
                                                type: array
                                              user.name:
                                                items:
                                                  type: string
                                                type: array
                                      communicates_with:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          ids:
                                            items:
                                              type: string
                                            type: array
                                          raw_identifiers:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              entity.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.name:
                                                items:
                                                  type: string
                                                type: array
                                              service.name:
                                                items:
                                                  type: string
                                                type: array
                                              user.email:
                                                items:
                                                  type: string
                                                type: array
                                              user.id:
                                                items:
                                                  type: string
                                                type: array
                                              user.name:
                                                items:
                                                  type: string
                                                type: array
                                      depends_on:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          ids:
                                            items:
                                              type: string
                                            type: array
                                          raw_identifiers:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              entity.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.name:
                                                items:
                                                  type: string
                                                type: array
                                              service.name:
                                                items:
                                                  type: string
                                                type: array
                                              user.email:
                                                items:
                                                  type: string
                                                type: array
                                              user.id:
                                                items:
                                                  type: string
                                                type: array
                                              user.name:
                                                items:
                                                  type: string
                                                type: array
                                      owns:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          ids:
                                            items:
                                              type: string
                                            type: array
                                          raw_identifiers:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              entity.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.name:
                                                items:
                                                  type: string
                                                type: array
                                              service.name:
                                                items:
                                                  type: string
                                                type: array
                                              user.email:
                                                items:
                                                  type: string
                                                type: array
                                              user.id:
                                                items:
                                                  type: string
                                                type: array
                                              user.name:
                                                items:
                                                  type: string
                                                type: array
                                      owns_inferred:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          ids:
                                            items:
                                              type: string
                                            type: array
                                          raw_identifiers:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              entity.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.name:
                                                items:
                                                  type: string
                                                type: array
                                              service.name:
                                                items:
                                                  type: string
                                                type: array
                                              user.email:
                                                items:
                                                  type: string
                                                type: array
                                              user.id:
                                                items:
                                                  type: string
                                                type: array
                                              user.name:
                                                items:
                                                  type: string
                                                type: array
                                      resolution:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          resolved_to:
                                            type: string
                                          risk:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              calculated_level:
                                                enum:
                                                  - Unknown
                                                  - Low
                                                  - Moderate
                                                  - High
                                                  - Critical
                                                type: string
                                              calculated_score:
                                                type: number
                                              calculated_score_norm:
                                                maximum: 100
                                                minimum: 0
                                                type: number
                                      supervises:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          ids:
                                            items:
                                              type: string
                                            type: array
                                          raw_identifiers:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              entity.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.name:
                                                items:
                                                  type: string
                                                type: array
                                              service.name:
                                                items:
                                                  type: string
                                                type: array
                                              user.email:
                                                items:
                                                  type: string
                                                type: array
                                              user.id:
                                                items:
                                                  type: string
                                                type: array
                                              user.name:
                                                items:
                                                  type: string
                                                type: array
                                  risk:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      calculated_level:
                                        enum:
                                          - Unknown
                                          - Low
                                          - Moderate
                                          - High
                                          - Critical
                                        type: string
                                      calculated_score:
                                        type: number
                                      calculated_score_norm:
                                        maximum: 100
                                        minimum: 0
                                        type: number
                                  schema_version:
                                    type: string
                                  source:
                                    items:
                                      type: string
                                    type: array
                                  sub_type:
                                    type: string
                                  type:
                                    type: string
                                  url:
                                    type: string
                              event:
                                additionalProperties: false
                                type: object
                                properties:
                                  ingested:
                                    format: date-time
                                    pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                                    type: string
                              labels:
                                additionalProperties: {}
                                type: object
                                properties: {}
                              tags:
                                items:
                                  type: string
                                type: array
                              user:
                                additionalProperties: false
                                type: object
                                properties:
                                  domain:
                                    items:
                                      type: string
                                    type: array
                                  email:
                                    items:
                                      type: string
                                    type: array
                                  full_name:
                                    items:
                                      type: string
                                    type: array
                                  hash:
                                    items:
                                      type: string
                                    type: array
                                  id:
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    type: string
                                  risk:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      calculated_level:
                                        enum:
                                          - Unknown
                                          - Low
                                          - Moderate
                                          - High
                                          - Critical
                                        type: string
                                      calculated_score:
                                        type: number
                                      calculated_score_norm:
                                        maximum: 100
                                        minimum: 0
                                        type: number
                                  roles:
                                    items:
                                      type: string
                                    type: array
                          - additionalProperties: false
                            type: object
                            properties:
                              '@timestamp':
                                format: date-time
                                pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                                type: string
                              asset:
                                additionalProperties: false
                                type: object
                                properties:
                                  business_unit:
                                    type: string
                                  criticality:
                                    anyOf:
                                      - enum:
                                          - low_impact
                                          - medium_impact
                                          - high_impact
                                          - extreme_impact
                                        type: string
                                      - nullable: true
                                  environment:
                                    type: string
                                  id:
                                    type: string
                                  model:
                                    type: string
                                  name:
                                    type: string
                                  owner:
                                    type: string
                                  serial_number:
                                    type: string
                                  vendor:
                                    type: string
                              entity:
                                additionalProperties: false
                                type: object
                                properties:
                                  attributes:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      asset:
                                        type: boolean
                                      known_redirects:
                                        items:
                                          type: string
                                        type: array
                                      managed:
                                        type: boolean
                                      mfa_enabled:
                                        type: boolean
                                      oauth_consent_restriction:
                                        type: string
                                      permissions:
                                        items:
                                          type: string
                                        type: array
                                      storage_class:
                                        type: string
                                      watchlists:
                                        items:
                                          type: string
                                        type: array
                                  behaviors:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      anomaly_job_ids:
                                        items:
                                          type: string
                                        type: array
                                      rule_names:
                                        items:
                                          type: string
                                        type: array
                                  EngineMetadata:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      Type:
                                        type: string
                                  id:
                                    type: string
                                  lifecycle:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      first_seen:
                                        format: date-time
                                        pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                                        type: string
                                      last_activity:
                                        format: date-time
                                        pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                                        type: string
                                      last_seen:
                                        format: date-time
                                        pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                                        type: string
                                  name:
                                    type: string
                                  relationships:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      accesses_frequently:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          ids:
                                            items:
                                              type: string
                                            type: array
                                          raw_identifiers:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              entity.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.name:
                                                items:
                                                  type: string
                                                type: array
                                              service.name:
                                                items:
                                                  type: string
                                                type: array
                                              user.email:
                                                items:
                                                  type: string
                                                type: array
                                              user.id:
                                                items:
                                                  type: string
                                                type: array
                                              user.name:
                                                items:
                                                  type: string
                                                type: array
                                      accesses_infrequently:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          ids:
                                            items:
                                              type: string
                                            type: array
                                          raw_identifiers:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              entity.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.name:
                                                items:
                                                  type: string
                                                type: array
                                              service.name:
                                                items:
                                                  type: string
                                                type: array
                                              user.email:
                                                items:
                                                  type: string
                                                type: array
                                              user.id:
                                                items:
                                                  type: string
                                                type: array
                                              user.name:
                                                items:
                                                  type: string
                                                type: array
                                      administers:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          ids:
                                            items:
                                              type: string
                                            type: array
                                          raw_identifiers:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              entity.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.name:
                                                items:
                                                  type: string
                                                type: array
                                              service.name:
                                                items:
                                                  type: string
                                                type: array
                                              user.email:
                                                items:
                                                  type: string
                                                type: array
                                              user.id:
                                                items:
                                                  type: string
                                                type: array
                                              user.name:
                                                items:
                                                  type: string
                                                type: array
                                      communicates_with:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          ids:
                                            items:
                                              type: string
                                            type: array
                                          raw_identifiers:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              entity.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.name:
                                                items:
                                                  type: string
                                                type: array
                                              service.name:
                                                items:
                                                  type: string
                                                type: array
                                              user.email:
                                                items:
                                                  type: string
                                                type: array
                                              user.id:
                                                items:
                                                  type: string
                                                type: array
                                              user.name:
                                                items:
                                                  type: string
                                                type: array
                                      depends_on:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          ids:
                                            items:
                                              type: string
                                            type: array
                                          raw_identifiers:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              entity.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.name:
                                                items:
                                                  type: string
                                                type: array
                                              service.name:
                                                items:
                                                  type: string
                                                type: array
                                              user.email:
                                                items:
                                                  type: string
                                                type: array
                                              user.id:
                                                items:
                                                  type: string
                                                type: array
                                              user.name:
                                                items:
                                                  type: string
                                                type: array
                                      owns:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          ids:
                                            items:
                                              type: string
                                            type: array
                                          raw_identifiers:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              entity.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.name:
                                                items:
                                                  type: string
                                                type: array
                                              service.name:
                                                items:
                                                  type: string
                                                type: array
                                              user.email:
                                                items:
                                                  type: string
                                                type: array
                                              user.id:
                                                items:
                                                  type: string
                                                type: array
                                              user.name:
                                                items:
                                                  type: string
                                                type: array
                                      owns_inferred:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          ids:
                                            items:
                                              type: string
                                            type: array
                                          raw_identifiers:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              entity.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.name:
                                                items:
                                                  type: string
                                                type: array
                                              service.name:
                                                items:
                                                  type: string
                                                type: array
                                              user.email:
                                                items:
                                                  type: string
                                                type: array
                                              user.id:
                                                items:
                                                  type: string
                                                type: array
                                              user.name:
                                                items:
                                                  type: string
                                                type: array
                                      resolution:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          resolved_to:
                                            type: string
                                          risk:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              calculated_level:
                                                enum:
                                                  - Unknown
                                                  - Low
                                                  - Moderate
                                                  - High
                                                  - Critical
                                                type: string
                                              calculated_score:
                                                type: number
                                              calculated_score_norm:
                                                maximum: 100
                                                minimum: 0
                                                type: number
                                      supervises:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          ids:
                                            items:
                                              type: string
                                            type: array
                                          raw_identifiers:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              entity.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.name:
                                                items:
                                                  type: string
                                                type: array
                                              service.name:
                                                items:
                                                  type: string
                                                type: array
                                              user.email:
                                                items:
                                                  type: string
                                                type: array
                                              user.id:
                                                items:
                                                  type: string
                                                type: array
                                              user.name:
                                                items:
                                                  type: string
                                                type: array
                                  risk:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      calculated_level:
                                        enum:
                                          - Unknown
                                          - Low
                                          - Moderate
                                          - High
                                          - Critical
                                        type: string
                                      calculated_score:
                                        type: number
                                      calculated_score_norm:
                                        maximum: 100
                                        minimum: 0
                                        type: number
                                  schema_version:
                                    type: string
                                  source:
                                    items:
                                      type: string
                                    type: array
                                  sub_type:
                                    type: string
                                  type:
                                    type: string
                                  url:
                                    type: string
                              event:
                                additionalProperties: false
                                type: object
                                properties:
                                  ingested:
                                    format: date-time
                                    pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                                    type: string
                              host:
                                additionalProperties: false
                                type: object
                                properties:
                                  architecture:
                                    items:
                                      type: string
                                    type: array
                                  domain:
                                    items:
                                      type: string
                                    type: array
                                  hostname:
                                    items:
                                      type: string
                                    type: array
                                  id:
                                    items:
                                      type: string
                                    type: array
                                  ip:
                                    items:
                                      type: string
                                    type: array
                                  mac:
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    type: string
                                  os:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      family:
                                        type: string
                                      full:
                                        type: string
                                      kernel:
                                        type: string
                                      name:
                                        anyOf:
                                          - type: string
                                          - items:
                                              type: string
                                            type: array
                                      platform:
                                        type: string
                                      type:
                                        anyOf:
                                          - type: string
                                          - items:
                                              type: string
                                            type: array
                                      version:
                                        type: string
                                  risk:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      calculated_level:
                                        enum:
                                          - Unknown
                                          - Low
                                          - Moderate
                                          - High
                                          - Critical
                                        type: string
                                      calculated_score:
                                        type: number
                                      calculated_score_norm:
                                        maximum: 100
                                        minimum: 0
                                        type: number
                                  type:
                                    items:
                                      type: string
                                    type: array
                              labels:
                                additionalProperties: {}
                                type: object
                                properties: {}
                              tags:
                                items:
                                  type: string
                                type: array
                          - additionalProperties: false
                            type: object
                            properties:
                              '@timestamp':
                                format: date-time
                                pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                                type: string
                              asset:
                                additionalProperties: false
                                type: object
                                properties:
                                  business_unit:
                                    type: string
                                  criticality:
                                    anyOf:
                                      - enum:
                                          - low_impact
                                          - medium_impact
                                          - high_impact
                                          - extreme_impact
                                        type: string
                                      - nullable: true
                                  environment:
                                    type: string
                                  id:
                                    type: string
                                  model:
                                    type: string
                                  name:
                                    type: string
                                  owner:
                                    type: string
                                  serial_number:
                                    type: string
                                  vendor:
                                    type: string
                              entity:
                                additionalProperties: false
                                type: object
                                properties:
                                  attributes:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      asset:
                                        type: boolean
                                      known_redirects:
                                        items:
                                          type: string
                                        type: array
                                      managed:
                                        type: boolean
                                      mfa_enabled:
                                        type: boolean
                                      oauth_consent_restriction:
                                        type: string
                                      permissions:
                                        items:
                                          type: string
                                        type: array
                                      storage_class:
                                        type: string
                                      watchlists:
                                        items:
                                          type: string
                                        type: array
                                  behaviors:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      anomaly_job_ids:
                                        items:
                                          type: string
                                        type: array
                                      rule_names:
                                        items:
                                          type: string
                                        type: array
                                  EngineMetadata:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      Type:
                                        type: string
                                  id:
                                    type: string
                                  lifecycle:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      first_seen:
                                        format: date-time
                                        pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                                        type: string
                                      last_activity:
                                        format: date-time
                                        pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                                        type: string
                                      last_seen:
                                        format: date-time
                                        pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                                        type: string
                                  name:
                                    type: string
                                  relationships:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      accesses_frequently:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          ids:
                                            items:
                                              type: string
                                            type: array
                                          raw_identifiers:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              entity.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.name:
                                                items:
                                                  type: string
                                                type: array
                                              service.name:
                                                items:
                                                  type: string
                                                type: array
                                              user.email:
                                                items:
                                                  type: string
                                                type: array
                                              user.id:
                                                items:
                                                  type: string
                                                type: array
                                              user.name:
                                                items:
                                                  type: string
                                                type: array
                                      accesses_infrequently:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          ids:
                                            items:
                                              type: string
                                            type: array
                                          raw_identifiers:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              entity.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.name:
                                                items:
                                                  type: string
                                                type: array
                                              service.name:
                                                items:
                                                  type: string
                                                type: array
                                              user.email:
                                                items:
                                                  type: string
                                                type: array
                                              user.id:
                                                items:
                                                  type: string
                                                type: array
                                              user.name:
                                                items:
                                                  type: string
                                                type: array
                                      administers:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          ids:
                                            items:
                                              type: string
                                            type: array
                                          raw_identifiers:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              entity.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.name:
                                                items:
                                                  type: string
                                                type: array
                                              service.name:
                                                items:
                                                  type: string
                                                type: array
                                              user.email:
                                                items:
                                                  type: string
                                                type: array
                                              user.id:
                                                items:
                                                  type: string
                                                type: array
                                              user.name:
                                                items:
                                                  type: string
                                                type: array
                                      communicates_with:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          ids:
                                            items:
                                              type: string
                                            type: array
                                          raw_identifiers:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              entity.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.name:
                                                items:
                                                  type: string
                                                type: array
                                              service.name:
                                                items:
                                                  type: string
                                                type: array
                                              user.email:
                                                items:
                                                  type: string
                                                type: array
                                              user.id:
                                                items:
                                                  type: string
                                                type: array
                                              user.name:
                                                items:
                                                  type: string
                                                type: array
                                      depends_on:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          ids:
                                            items:
                                              type: string
                                            type: array
                                          raw_identifiers:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              entity.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.name:
                                                items:
                                                  type: string
                                                type: array
                                              service.name:
                                                items:
                                                  type: string
                                                type: array
                                              user.email:
                                                items:
                                                  type: string
                                                type: array
                                              user.id:
                                                items:
                                                  type: string
                                                type: array
                                              user.name:
                                                items:
                                                  type: string
                                                type: array
                                      owns:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          ids:
                                            items:
                                              type: string
                                            type: array
                                          raw_identifiers:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              entity.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.name:
                                                items:
                                                  type: string
                                                type: array
                                              service.name:
                                                items:
                                                  type: string
                                                type: array
                                              user.email:
                                                items:
                                                  type: string
                                                type: array
                                              user.id:
                                                items:
                                                  type: string
                                                type: array
                                              user.name:
                                                items:
                                                  type: string
                                                type: array
                                      owns_inferred:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          ids:
                                            items:
                                              type: string
                                            type: array
                                          raw_identifiers:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              entity.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.name:
                                                items:
                                                  type: string
                                                type: array
                                              service.name:
                                                items:
                                                  type: string
                                                type: array
                                              user.email:
                                                items:
                                                  type: string
                                                type: array
                                              user.id:
                                                items:
                                                  type: string
                                                type: array
                                              user.name:
                                                items:
                                                  type: string
                                                type: array
                                      resolution:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          resolved_to:
                                            type: string
                                          risk:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              calculated_level:
                                                enum:
                                                  - Unknown
                                                  - Low
                                                  - Moderate
                                                  - High
                                                  - Critical
                                                type: string
                                              calculated_score:
                                                type: number
                                              calculated_score_norm:
                                                maximum: 100
                                                minimum: 0
                                                type: number
                                      supervises:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          ids:
                                            items:
                                              type: string
                                            type: array
                                          raw_identifiers:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              entity.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.name:
                                                items:
                                                  type: string
                                                type: array
                                              service.name:
                                                items:
                                                  type: string
                                                type: array
                                              user.email:
                                                items:
                                                  type: string
                                                type: array
                                              user.id:
                                                items:
                                                  type: string
                                                type: array
                                              user.name:
                                                items:
                                                  type: string
                                                type: array
                                  risk:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      calculated_level:
                                        enum:
                                          - Unknown
                                          - Low
                                          - Moderate
                                          - High
                                          - Critical
                                        type: string
                                      calculated_score:
                                        type: number
                                      calculated_score_norm:
                                        maximum: 100
                                        minimum: 0
                                        type: number
                                  schema_version:
                                    type: string
                                  source:
                                    items:
                                      type: string
                                    type: array
                                  sub_type:
                                    type: string
                                  type:
                                    type: string
                                  url:
                                    type: string
                              event:
                                additionalProperties: false
                                type: object
                                properties:
                                  ingested:
                                    format: date-time
                                    pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                                    type: string
                              labels:
                                additionalProperties: {}
                                type: object
                                properties: {}
                              service:
                                additionalProperties: false
                                type: object
                                properties:
                                  address:
                                    type: string
                                  environment:
                                    type: string
                                  ephemeral_id:
                                    type: string
                                  id:
                                    type: string
                                  name:
                                    type: string
                                  node:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      name:
                                        type: string
                                      role:
                                        type: string
                                      roles:
                                        items:
                                          type: string
                                        type: array
                                  risk:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      calculated_level:
                                        enum:
                                          - Unknown
                                          - Low
                                          - Moderate
                                          - High
                                          - Critical
                                        type: string
                                      calculated_score:
                                        type: number
                                      calculated_score_norm:
                                        maximum: 100
                                        minimum: 0
                                        type: number
                                  state:
                                    type: string
                                  type:
                                    type: string
                                  version:
                                    type: string
                              tags:
                                items:
                                  type: string
                                type: array
                          - additionalProperties: false
                            type: object
                            properties:
                              '@timestamp':
                                format: date-time
                                pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                                type: string
                              asset:
                                additionalProperties: false
                                type: object
                                properties:
                                  business_unit:
                                    type: string
                                  criticality:
                                    anyOf:
                                      - enum:
                                          - low_impact
                                          - medium_impact
                                          - high_impact
                                          - extreme_impact
                                        type: string
                                      - nullable: true
                                  environment:
                                    type: string
                                  id:
                                    type: string
                                  model:
                                    type: string
                                  name:
                                    type: string
                                  owner:
                                    type: string
                                  serial_number:
                                    type: string
                                  vendor:
                                    type: string
                              cloud:
                                additionalProperties: false
                                type: object
                                properties:
                                  account:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      id:
                                        type: string
                                      name:
                                        type: string
                                  availability_zone:
                                    type: string
                                  instance:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      id:
                                        type: string
                                      name:
                                        type: string
                                  machine:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      type:
                                        type: string
                                  project:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      id:
                                        type: string
                                      name:
                                        type: string
                                  provider:
                                    type: string
                                  region:
                                    type: string
                                  service:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      name:
                                        type: string
                              entity:
                                additionalProperties: false
                                type: object
                                properties:
                                  attributes:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      asset:
                                        type: boolean
                                      known_redirects:
                                        items:
                                          type: string
                                        type: array
                                      managed:
                                        type: boolean
                                      mfa_enabled:
                                        type: boolean
                                      oauth_consent_restriction:
                                        type: string
                                      permissions:
                                        items:
                                          type: string
                                        type: array
                                      storage_class:
                                        type: string
                                      watchlists:
                                        items:
                                          type: string
                                        type: array
                                  behaviors:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      anomaly_job_ids:
                                        items:
                                          type: string
                                        type: array
                                      rule_names:
                                        items:
                                          type: string
                                        type: array
                                  EngineMetadata:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      Type:
                                        type: string
                                  id:
                                    type: string
                                  lifecycle:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      first_seen:
                                        format: date-time
                                        pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                                        type: string
                                      last_activity:
                                        format: date-time
                                        pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                                        type: string
                                      last_seen:
                                        format: date-time
                                        pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                                        type: string
                                  name:
                                    type: string
                                  relationships:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      accesses_frequently:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          ids:
                                            items:
                                              type: string
                                            type: array
                                          raw_identifiers:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              entity.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.name:
                                                items:
                                                  type: string
                                                type: array
                                              service.name:
                                                items:
                                                  type: string
                                                type: array
                                              user.email:
                                                items:
                                                  type: string
                                                type: array
                                              user.id:
                                                items:
                                                  type: string
                                                type: array
                                              user.name:
                                                items:
                                                  type: string
                                                type: array
                                      accesses_infrequently:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          ids:
                                            items:
                                              type: string
                                            type: array
                                          raw_identifiers:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              entity.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.name:
                                                items:
                                                  type: string
                                                type: array
                                              service.name:
                                                items:
                                                  type: string
                                                type: array
                                              user.email:
                                                items:
                                                  type: string
                                                type: array
                                              user.id:
                                                items:
                                                  type: string
                                                type: array
                                              user.name:
                                                items:
                                                  type: string
                                                type: array
                                      administers:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          ids:
                                            items:
                                              type: string
                                            type: array
                                          raw_identifiers:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              entity.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.name:
                                                items:
                                                  type: string
                                                type: array
                                              service.name:
                                                items:
                                                  type: string
                                                type: array
                                              user.email:
                                                items:
                                                  type: string
                                                type: array
                                              user.id:
                                                items:
                                                  type: string
                                                type: array
                                              user.name:
                                                items:
                                                  type: string
                                                type: array
                                      communicates_with:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          ids:
                                            items:
                                              type: string
                                            type: array
                                          raw_identifiers:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              entity.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.name:
                                                items:
                                                  type: string
                                                type: array
                                              service.name:
                                                items:
                                                  type: string
                                                type: array
                                              user.email:
                                                items:
                                                  type: string
                                                type: array
                                              user.id:
                                                items:
                                                  type: string
                                                type: array
                                              user.name:
                                                items:
                                                  type: string
                                                type: array
                                      depends_on:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          ids:
                                            items:
                                              type: string
                                            type: array
                                          raw_identifiers:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              entity.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.name:
                                                items:
                                                  type: string
                                                type: array
                                              service.name:
                                                items:
                                                  type: string
                                                type: array
                                              user.email:
                                                items:
                                                  type: string
                                                type: array
                                              user.id:
                                                items:
                                                  type: string
                                                type: array
                                              user.name:
                                                items:
                                                  type: string
                                                type: array
                                      owns:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          ids:
                                            items:
                                              type: string
                                            type: array
                                          raw_identifiers:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              entity.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.name:
                                                items:
                                                  type: string
                                                type: array
                                              service.name:
                                                items:
                                                  type: string
                                                type: array
                                              user.email:
                                                items:
                                                  type: string
                                                type: array
                                              user.id:
                                                items:
                                                  type: string
                                                type: array
                                              user.name:
                                                items:
                                                  type: string
                                                type: array
                                      owns_inferred:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          ids:
                                            items:
                                              type: string
                                            type: array
                                          raw_identifiers:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              entity.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.name:
                                                items:
                                                  type: string
                                                type: array
                                              service.name:
                                                items:
                                                  type: string
                                                type: array
                                              user.email:
                                                items:
                                                  type: string
                                                type: array
                                              user.id:
                                                items:
                                                  type: string
                                                type: array
                                              user.name:
                                                items:
                                                  type: string
                                                type: array
                                      resolution:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          resolved_to:
                                            type: string
                                          risk:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              calculated_level:
                                                enum:
                                                  - Unknown
                                                  - Low
                                                  - Moderate
                                                  - High
                                                  - Critical
                                                type: string
                                              calculated_score:
                                                type: number
                                              calculated_score_norm:
                                                maximum: 100
                                                minimum: 0
                                                type: number
                                      supervises:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          ids:
                                            items:
                                              type: string
                                            type: array
                                          raw_identifiers:
                                            additionalProperties: false
                                            type: object
                                            properties:
                                              entity.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.id:
                                                items:
                                                  type: string
                                                type: array
                                              host.name:
                                                items:
                                                  type: string
                                                type: array
                                              service.name:
                                                items:
                                                  type: string
                                                type: array
                                              user.email:
                                                items:
                                                  type: string
                                                type: array
                                              user.id:
                                                items:
                                                  type: string
                                                type: array
                                              user.name:
                                                items:
                                                  type: string
                                                type: array
                                  risk:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      calculated_level:
                                        enum:
                                          - Unknown
                                          - Low
                                          - Moderate
                                          - High
                                          - Critical
                                        type: string
                                      calculated_score:
                                        type: number
                                      calculated_score_norm:
                                        maximum: 100
                                        minimum: 0
                                        type: number
                                  schema_version:
                                    type: string
                                  source:
                                    items:
                                      type: string
                                    type: array
                                  sub_type:
                                    type: string
                                  type:
                                    type: string
                                  url:
                                    type: string
                              event:
                                additionalProperties: false
                                type: object
                                properties:
                                  ingested:
                                    format: date-time
                                    pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                                    type: string
                              labels:
                                additionalProperties: {}
                                type: object
                                properties: {}
                              orchestrator:
                                additionalProperties: false
                                type: object
                                properties:
                                  api_version:
                                    type: string
                                  cluster:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      id:
                                        type: string
                                      name:
                                        type: string
                                      url:
                                        type: string
                                      version:
                                        type: string
                                  namespace:
                                    type: string
                                  organization:
                                    type: string
                                  resource:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      annotation:
                                        type: string
                                      id:
                                        type: string
                                      ip:
                                        type: string
                                      label:
                                        type: string
                                      name:
                                        type: string
                                      parent:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          type:
                                            type: string
                                      type:
                                        type: string
                                  type:
                                    type: string
                              tags:
                                items:
                                  type: string
                                type: array
                      type:
                        description: The entity type of this record.
                        enum:
                          - user
                          - host
                          - service
                          - generic
                        type: string
                    required:
                      - type
                      - doc
                  type: array
              required:
                - entities
      responses:
        '200':
          content:
            application/json:
              examples:
                bulkUpdatePartialExample:
                  description: Some entities were updated but others encountered Elasticsearch-level errors.
                  summary: Partial success with errors
                  value:
                    errors:
                      - _id: 5de9f93a68a72532e736bf5a6184b06300b9cabf
                        reason: '[5de9f93a68a72532e736bf5a6184b06300b9cabf]: document missing'
                        status: 404
                        type: document_missing_exception
                    ok: true
                bulkUpdateSuccessExample:
                  description: All entities were successfully updated with no errors.
                  summary: All entities updated
                  value:
                    errors: []
                    ok: true
          description: Indicates a successful response.
        '400':
          content:
            application/json:
              examples:
                protectedFieldsExample:
                  description: The request attempts to update protected fields without the force query parameter.
                  summary: Protected fields without force
                  value:
                    error: Bad Request
                    message: 'Bad request: The following attributes are not allowed to be updated without forcing it (?force=true): entity.name, entity.type'
                    statusCode: 400
          description: Bad request.
      summary: Bulk update entities
      tags:
        - Security entity store
      x-codeSamples:
        - lang: curl
          source: |
            curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \
              -H "Content-Type: application/json" \
              -d '{"entities":[{"type":"host","doc":{"entity":{"id":"host:web-server-prod-01","name":"web-server-prod-01","type":"host","attributes":{"asset":true}},"host":{"name":"web-server-prod-01"}}}]}' \
              "${KIBANA_URL}/api/security/entity_store/entities/bulk?force=true"
        - lang: Console
          source: |
            PUT kbn:/api/security/entity_store/entities/bulk?force=true
            {
              "entities": [
                {
                  "type": "host",
                  "doc": {
                    "entity": {
                      "id": "host:web-server-prod-01",
                      "name": "web-server-prod-01",
                      "type": "host",
                      "attributes": { "asset": true }
                    },
                    "host": { "name": "web-server-prod-01" }
                  }
                }
              ]
            }
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/security/entity_store/install:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/security/entity_store/install</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Install the Entity Store and create engines for the specified entity types. A single `logExtraction` configuration is shared across all entity types. Supply it once at install to customize settings; omit it (or send an empty object) to use defaults on first install or preserve the existing configuration on re-install. To change settings after install, use the update endpoint.<br/><br/>[Required authorization] Route required privileges: securitySolution.
      operationId: post-security-entity-store-install
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            examples:
              installDefaultExample:
                description: Install the Entity Store for all entity types with default log extraction settings.
                summary: Install with default entity types
                value:
                  entityTypes:
                    - user
                    - host
                    - service
                    - generic
                  logExtraction: {}
              installWithCustomSettingsExample:
                description: Install the Entity Store for host entities only with a custom lookback period and field history length.
                summary: Install with custom log extraction
                value:
                  entityTypes:
                    - host
                  logExtraction:
                    delay: 2m
                    fieldHistoryLength: 20
                    frequency: 5m
                    lookbackPeriod: 12h
            schema:
              additionalProperties: false
              type: object
              properties:
                entityTypes:
                  default:
                    - user
                    - host
                    - service
                    - generic
                  items:
                    enum:
                      - user
                      - host
                      - service
                      - generic
                    type: string
                  type: array
                historySnapshot:
                  additionalProperties: false
                  type: object
                  properties:
                    frequency:
                      default: 24h
                      pattern: '[smdh]$'
                      type: string
                logExtraction:
                  additionalProperties: false
                  type: object
                  properties:
                    additionalIndexPatterns:
                      default: []
                      items:
                        type: string
                      type: array
                    delay:
                      default: 1m
                      pattern: '[smdh]$'
                      type: string
                    docsLimit:
                      default: 10000
                      maximum: 9007199254740991
                      minimum: 1
                      type: integer
                    excludedIndexPatterns:
                      default: []
                      items:
                        type: string
                      type: array
                    fieldHistoryLength:
                      default: 10
                      maximum: 9007199254740991
                      minimum: -9007199254740991
                      type: integer
                    frequency:
                      default: 1m
                      pattern: '[smdh]$'
                      type: string
                    lookbackPeriod:
                      default: 3h
                      pattern: '[smdh]$'
                      type: string
                    maxLogsPerPage:
                      default: 40000
                      maximum: 9007199254740991
                      minimum: 1
                      type: integer
                    maxTimeWindowSize:
                      default: 15m
                      pattern: '[smdh]$'
                      type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                alreadyInstalledExample:
                  description: All requested entity types were already installed.
                  summary: Already installed
                  value:
                    ok: true
          description: Indicates all requested entity types are already installed.
        '201':
          content:
            application/json:
              examples:
                installSuccessExample:
                  description: The Entity Store was installed and engines are being created.
                  summary: Entity Store installed
                  value:
                    ok: true
          description: Indicates the Entity Store was successfully installed.
        '403':
          content:
            application/json:
              examples:
                forbiddenExample:
                  description: The user does not have the required Elasticsearch privileges.
                  summary: Insufficient privileges
                  value:
                    error: Forbidden
                    message: User 'analyst' has insufficient privileges
                    statusCode: 403
          description: Insufficient privileges.
      summary: Install the Entity Store
      tags:
        - Security entity store
      x-codeSamples:
        - lang: curl
          source: |
            curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \
              -H "Content-Type: application/json" \
              -d '{"entityTypes":["user","host","service","generic"],"logExtraction":{}}' \
              "${KIBANA_URL}/api/security/entity_store/install"
        - lang: Console
          source: |
            POST kbn:/api/security/entity_store/install
            {
              "entityTypes": ["user", "host", "service", "generic"],
              "logExtraction": {}
            }
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/security/entity_store/resolution/group:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/security/entity_store/resolution/group</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get the resolution group for a given entity, returning all linked entities. Requires an enterprise license.<br/><br/>[Required authorization] Route required privileges: securitySolution AND securitySolution-entity-analytics.
      operationId: get-security-entity-store-resolution-group
      parameters:
        - description: The entity identifier to look up the resolution group for.
          in: query
          name: entity_id
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                resolutionGroupExample:
                  description: Returns the resolution group for an entity, including the target entity, all aliases, and the group size.
                  summary: Resolution group with linked entities
                  value:
                    aliases:
                      - '@timestamp': '2026-04-10T08:25:00.000Z'
                        entity:
                          id: user:jdoe@example.com
                          name: jdoe
                          relationships:
                            resolution:
                              resolved_to: user:jane.doe@example.com
                          type: user
                        user:
                          name: jdoe
                    group_size: 2
                    target:
                      '@timestamp': '2026-04-10T08:30:00.000Z'
                      entity:
                        id: user:jane.doe@example.com
                        name: jane.doe
                        type: user
                      user:
                        email:
                          - jane.doe@example.com
                        name: jane.doe
          description: Indicates a successful response.
        '400':
          content:
            application/json:
              examples:
                truncatedSearchExample:
                  description: The resolution search returned too many results and was truncated.
                  summary: Search results truncated
                  value:
                    error: Bad Request
                    message: Resolution search truncated
                    statusCode: 400
          description: Bad request.
        '404':
          content:
            application/json:
              examples:
                notFoundExample:
                  description: The specified entity does not exist or has no resolution group.
                  summary: Entity not found
                  value:
                    error: Not Found
                    message: 'Entities not found: [user:nonexistent@example.com]'
                    statusCode: 404
          description: Entity not found.
      summary: Get resolution group
      tags:
        - Security entity store
      x-codeSamples:
        - lang: curl
          source: |
            curl -X GET -H "Authorization: ApiKey ${API_KEY}" \
              "${KIBANA_URL}/api/security/entity_store/resolution/group?entity_id=user%3Ajane.doe%40example.com"
        - lang: Console
          source: |
            GET kbn:/api/security/entity_store/resolution/group?entity_id=user:jane.doe@example.com
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/security/entity_store/resolution/link:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/security/entity_store/resolution/link</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Link one or more entities to a target entity, creating a resolution group. Requires an enterprise license.<br/><br/>[Required authorization] Route required privileges: securitySolution AND securitySolution-entity-analytics.
      operationId: post-security-entity-store-resolution-link
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            examples:
              linkEntitiesExample:
                description: Link two user entities to a target entity, creating a resolution group.
                summary: Link entities to a target
                value:
                  entity_ids:
                    - user:jdoe@example.com
                    - user:j.doe@example.com
                  target_id: user:jane.doe@example.com
            schema:
              additionalProperties: false
              type: object
              properties:
                entity_ids:
                  description: Entity identifiers to link to the target entity. Minimum 1, maximum 1000.
                  items:
                    type: string
                  maxItems: 1000
                  minItems: 1
                  type: array
                target_id:
                  description: The entity identifier to resolve the linked entities to.
                  type: string
              required:
                - target_id
                - entity_ids
      responses:
        '200':
          content:
            application/json:
              examples:
                linkSuccessExample:
                  description: The entities were successfully linked to the target entity.
                  summary: Entities linked
                  value:
                    linked:
                      - user:jdoe@example.com
                      - user:j.doe@example.com
                    skipped: []
                    target_id: user:jane.doe@example.com
          description: Indicates a successful response.
        '400':
          content:
            application/json:
              examples:
                mixedTypesExample:
                  description: All entities in a resolution group must be of the same type.
                  summary: Mixed entity types
                  value:
                    error: Bad Request
                    message: Cannot link entities of different types
                    statusCode: 400
                selfLinkExample:
                  description: Cannot link an entity to itself.
                  summary: Self-link error
                  value:
                    error: Bad Request
                    message: Cannot link entity 'user:jane.doe@example.com' to itself.
                    statusCode: 400
          description: Bad request.
        '404':
          content:
            application/json:
              examples:
                notFoundExample:
                  description: One or more of the specified entity identifiers were not found.
                  summary: Entities not found
                  value:
                    error: Not Found
                    message: 'Entities not found: [user:nonexistent@example.com, user:also-nonexistent@example.com]'
                    statusCode: 404
          description: Entities not found.
      summary: Link entities
      tags:
        - Security entity store
      x-codeSamples:
        - lang: curl
          source: |
            curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \
              -H "Content-Type: application/json" \
              -d '{"target_id":"user:jane.doe@example.com","entity_ids":["user:jdoe@example.com"]}' \
              "${KIBANA_URL}/api/security/entity_store/resolution/link"
        - lang: Console
          source: |
            POST kbn:/api/security/entity_store/resolution/link
            {
              "target_id": "user:jane.doe@example.com",
              "entity_ids": ["user:jdoe@example.com"]
            }
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/security/entity_store/resolution/unlink:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/security/entity_store/resolution/unlink</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Remove one or more entities from their resolution group. Requires an enterprise license.<br/><br/>[Required authorization] Route required privileges: securitySolution AND securitySolution-entity-analytics.
      operationId: post-security-entity-store-resolution-unlink
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            examples:
              unlinkEntitiesExample:
                description: Remove entities from their resolution group, restoring them as standalone entities.
                summary: Unlink entities from their resolution group
                value:
                  entity_ids:
                    - user:jdoe@example.com
                    - user:j.doe@example.com
            schema:
              additionalProperties: false
              type: object
              properties:
                entity_ids:
                  description: Entity identifiers to unlink from their resolution group. Minimum 1, maximum 1000.
                  items:
                    type: string
                  maxItems: 1000
                  minItems: 1
                  type: array
              required:
                - entity_ids
      responses:
        '200':
          content:
            application/json:
              examples:
                unlinkSuccessExample:
                  description: The entities were successfully removed from their resolution group.
                  summary: Entities unlinked
                  value:
                    skipped: []
                    unlinked:
                      - user:jdoe@example.com
                      - user:j.doe@example.com
          description: Indicates a successful response.
        '404':
          content:
            application/json:
              examples:
                notFoundExample:
                  description: One or more of the specified entity identifiers were not found.
                  summary: Entities not found
                  value:
                    error: Not Found
                    message: 'Entities not found: [user:nonexistent@example.com]'
                    statusCode: 404
          description: Entities not found.
      summary: Unlink entities
      tags:
        - Security entity store
      x-codeSamples:
        - lang: curl
          source: |
            curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \
              -H "Content-Type: application/json" \
              -d '{"entity_ids":["user:jdoe@example.com"]}' \
              "${KIBANA_URL}/api/security/entity_store/resolution/unlink"
        - lang: Console
          source: |
            POST kbn:/api/security/entity_store/resolution/unlink
            {
              "entity_ids": ["user:jdoe@example.com"]
            }
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/security/entity_store/start:
    put:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb put">put</span>&nbsp;<span class="operation-path">/s/{space_id}/api/security/entity_store/start</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Start previously stopped entity engines, resuming data processing for the specified entity types.<br/><br/>[Required authorization] Route required privileges: securitySolution.
      operationId: put-security-entity-store-start
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            examples:
              startAllExample:
                description: Start all stopped entity engines.
                summary: Start all entity engines
                value:
                  entityTypes:
                    - user
                    - host
                    - service
                    - generic
              startSingleExample:
                description: Start only the host entity engine.
                summary: Start a single entity engine
                value:
                  entityTypes:
                    - host
            schema:
              additionalProperties: false
              type: object
              properties:
                entityTypes:
                  default:
                    - user
                    - host
                    - service
                    - generic
                  description: Entity types to start. Defaults to all installed types.
                  items:
                    enum:
                      - user
                      - host
                      - service
                      - generic
                    type: string
                  type: array
      responses:
        '200':
          content:
            application/json:
              examples:
                startSuccessExample:
                  description: The specified entity engines were successfully started.
                  summary: Engines started
                  value:
                    ok: true
          description: Indicates a successful response.
      summary: Start Entity Store engines
      tags:
        - Security entity store
      x-codeSamples:
        - lang: curl
          source: |
            curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \
              -H "Content-Type: application/json" \
              -d '{"entityTypes":["user","host","service","generic"]}' \
              "${KIBANA_URL}/api/security/entity_store/start"
        - lang: Console
          source: |
            PUT kbn:/api/security/entity_store/start
            {
              "entityTypes": ["user", "host", "service", "generic"]
            }
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/security/entity_store/status:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/security/entity_store/status</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get the overall Entity Store status and per-engine statuses, optionally including component-level health details.<br/><br/>[Required authorization] Route required privileges: securitySolution.
      operationId: get-security-entity-store-status
      parameters:
        - description: If true, returns a detailed status of each engine including all its components.
          in: query
          name: include_components
          required: false
          schema:
            anyOf:
              - enum:
                  - 'true'
                  - 'false'
                type: string
              - type: boolean
            default: false
      responses:
        '200':
          content:
            application/json:
              examples:
                notInstalledExample:
                  description: The Entity Store has not been installed.
                  summary: Entity Store not installed
                  value:
                    engines: []
                    status: not_installed
                runningStatusExample:
                  description: The Entity Store is running with two started engines using default settings.
                  summary: Entity Store running
                  value:
                    engines:
                      - delay: 1m
                        docsPerSecond: -1
                        enrichPolicyExecutionInterval: null
                        fieldHistoryLength: 10
                        filter: ''
                        frequency: 30s
                        indexPattern: ''
                        lastExecutionTimestamp: '2026-04-10T08:30:00.000Z'
                        lookbackPeriod: 3h
                        maxPageSearchSize: 10000
                        status: started
                        timeout: 25s
                        timestampField: '@timestamp'
                        type: host
                      - delay: 1m
                        docsPerSecond: -1
                        enrichPolicyExecutionInterval: null
                        fieldHistoryLength: 10
                        filter: ''
                        frequency: 30s
                        indexPattern: ''
                        lastExecutionTimestamp: '2026-04-10T08:30:00.000Z'
                        lookbackPeriod: 3h
                        maxPageSearchSize: 10000
                        status: started
                        timeout: 25s
                        timestampField: '@timestamp'
                        type: user
                    status: running
          description: Indicates a successful response.
      summary: Get Entity Store status
      tags:
        - Security entity store
      x-codeSamples:
        - lang: curl
          source: |
            curl -X GET -H "Authorization: ApiKey ${API_KEY}" \
              "${KIBANA_URL}/api/security/entity_store/status?include_components=false"
        - lang: Console
          source: |
            GET kbn:/api/security/entity_store/status?include_components=false
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/security/entity_store/stop:
    put:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb put">put</span>&nbsp;<span class="operation-path">/s/{space_id}/api/security/entity_store/stop</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Stop running entity engines, pausing data processing for the specified entity types.<br/><br/>[Required authorization] Route required privileges: securitySolution.
      operationId: put-security-entity-store-stop
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            examples:
              stopAllExample:
                description: Stop all running entity engines.
                summary: Stop all entity engines
                value:
                  entityTypes:
                    - user
                    - host
                    - service
                    - generic
            schema:
              additionalProperties: false
              type: object
              properties:
                entityTypes:
                  default:
                    - user
                    - host
                    - service
                    - generic
                  description: Entity types to stop. Defaults to all running types.
                  items:
                    enum:
                      - user
                      - host
                      - service
                      - generic
                    type: string
                  type: array
      responses:
        '200':
          content:
            application/json:
              examples:
                stopSuccessExample:
                  description: The specified entity engines were successfully stopped.
                  summary: Engines stopped
                  value:
                    ok: true
          description: Indicates a successful response.
      summary: Stop Entity Store engines
      tags:
        - Security entity store
      x-codeSamples:
        - lang: curl
          source: |
            curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \
              -H "Content-Type: application/json" \
              -d '{"entityTypes":["user","host","service","generic"]}' \
              "${KIBANA_URL}/api/security/entity_store/stop"
        - lang: Console
          source: |
            PUT kbn:/api/security/entity_store/stop
            {
              "entityTypes": ["user", "host", "service", "generic"]
            }
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/security/entity_store/uninstall:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/security/entity_store/uninstall</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Uninstall the Entity Store, removing engines and associated resources for the specified entity types.<br/><br/>[Required authorization] Route required privileges: securitySolution.
      operationId: post-security-entity-store-uninstall
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            examples:
              uninstallAllExample:
                description: Uninstall all entity engines from the Entity Store.
                summary: Uninstall all entity types
                value:
                  entityTypes:
                    - user
                    - host
                    - service
                    - generic
              uninstallSingleExample:
                description: Uninstall only the host engine from the Entity Store.
                summary: Uninstall a single entity type
                value:
                  entityTypes:
                    - host
            schema:
              additionalProperties: false
              type: object
              properties:
                entityTypes:
                  default:
                    - user
                    - host
                    - service
                    - generic
                  description: Entity types to uninstall. Defaults to all installed types.
                  items:
                    enum:
                      - user
                      - host
                      - service
                      - generic
                    type: string
                  type: array
      responses:
        '200':
          content:
            application/json:
              examples:
                uninstallSuccessExample:
                  description: The specified entity engines were successfully uninstalled.
                  summary: Entity Store uninstalled
                  value:
                    ok: true
          description: Indicates a successful response.
      summary: Uninstall the Entity Store
      tags:
        - Security entity store
      x-codeSamples:
        - lang: curl
          source: |
            curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \
              -H "Content-Type: application/json" \
              -d '{"entityTypes":["user","host","service","generic"]}' \
              "${KIBANA_URL}/api/security/entity_store/uninstall"
        - lang: Console
          source: |
            POST kbn:/api/security/entity_store/uninstall
            {
              "entityTypes": ["user", "host", "service", "generic"]
            }
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/security/role:
    get:
      description: Retrieve all Kibana roles.
      operationId: get-security-role
      parameters:
        - description: If `true` and the response contains any privileges that are associated with deprecated features, they are omitted in favor of details about the appropriate replacement feature privileges.
          in: query
          name: replaceDeprecatedPrivileges
          required: false
          schema:
            type: boolean
      responses:
        '200':
          content:
            application/json:
              examples:
                getAllRolesResponse:
                  value:
                    - _unrecognized_applications: []
                      description: My custom Kibana role.
                      elasticsearch:
                        cluster:
                          - monitor
                        indices:
                          - names:
                              - logs-*
                            privileges:
                              - read
                        run_as: []
                      kibana:
                        - base:
                            - read
                          feature: {}
                          spaces:
                            - default
                      metadata: {}
                      name: my_kibana_role
                      transient_metadata:
                        enabled: true
              schema:
                items:
                  $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_response'
                type: array
          description: Indicates a successful call.
      summary: Get all roles
      tags:
        - roles
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/security/role/_query:
    post:
      description: Query Kibana roles with optional filters, paging, and sorting.
      operationId: post-security-role-query
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            examples:
              queryRolesRequest:
                value:
                  from: 0
                  query: kibana
                  size: 25
                  sort:
                    direction: asc
                    field: name
            schema:
              $ref: '#/components/schemas/Kibana_HTTP_APIs_security_query_roles_body'
      responses:
        '200':
          content:
            application/json:
              examples:
                queryRolesResponse:
                  value:
                    count: 1
                    roles:
                      - _unrecognized_applications: []
                        description: My custom Kibana role.
                        elasticsearch:
                          cluster:
                            - monitor
                          indices:
                            - names:
                                - logs-*
                              privileges:
                                - read
                          run_as: []
                        kibana:
                          - base:
                              - read
                            feature: {}
                            spaces:
                              - default
                        metadata: {}
                        name: my_kibana_role
                        transient_metadata:
                          enabled: true
                    total: 1
              schema:
                $ref: '#/components/schemas/Kibana_HTTP_APIs_security_query_roles_response'
          description: Indicates a successful call.
      summary: Query roles
      tags: []
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/security/role/{name}:
    delete:
      description: Delete a Kibana role by its name.
      operationId: delete-security-role-name
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The role name.
          in: path
          name: name
          required: true
          schema:
            minLength: 1
            type: string
      responses:
        '204':
          description: Indicates a successful call.
      summary: Delete a role
      tags:
        - roles
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    get:
      description: Retrieve a Kibana role by its name.
      operationId: get-security-role-name
      parameters:
        - description: The role name.
          in: path
          name: name
          required: true
          schema:
            minLength: 1
            type: string
        - description: If `true` and the response contains any privileges that are associated with deprecated features, they are omitted in favor of details about the appropriate replacement feature privileges.
          in: query
          name: replaceDeprecatedPrivileges
          required: false
          schema:
            type: boolean
      responses:
        '200':
          content:
            application/json:
              examples:
                getRoleResponse:
                  value:
                    _unrecognized_applications: []
                    description: My custom Kibana role.
                    elasticsearch:
                      cluster:
                        - monitor
                      indices:
                        - names:
                            - logs-*
                          privileges:
                            - read
                      run_as: []
                    kibana:
                      - base:
                          - read
                        feature: {}
                        spaces:
                          - default
                    metadata: {}
                    name: my_kibana_role
                    transient_metadata:
                      enabled: true
              schema:
                $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_response'
          description: Indicates a successful call.
      summary: Get a role
      tags:
        - roles
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    put:
      description: Create a new Kibana role or update the attributes of an existing role. Kibana roles are stored in the Elasticsearch native realm.
      operationId: put-security-role-name
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The role name.
          in: path
          name: name
          required: true
          schema:
            maxLength: 1024
            minLength: 1
            type: string
        - description: When true, a role is not overwritten if it already exists.
          in: query
          name: createOnly
          required: false
          schema:
            default: false
            type: boolean
      requestBody:
        content:
          application/json:
            examples:
              createOrUpdateRoleRequest:
                value:
                  description: My custom Kibana role.
                  elasticsearch:
                    cluster:
                      - monitor
                    indices:
                      - names:
                          - logs-*
                        privileges:
                          - read
                  kibana:
                    - base:
                        - read
                      feature: {}
                      spaces:
                        - default
            schema:
              $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_put_payload'
      responses:
        '204':
          description: Indicates a successful call.
      summary: Create or update a role
      tags:
        - roles
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/security/roles:
    post:
      description: Create or update multiple Kibana roles in a single request.
      operationId: post-security-roles
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            examples:
              bulkCreateOrUpdateRoles:
                value:
                  roles:
                    my_kibana_role:
                      elasticsearch:
                        cluster:
                          - monitor
                        indices:
                          - names:
                              - logs-*
                            privileges:
                              - read
                      kibana:
                        - base:
                            - read
                          feature: {}
                          spaces:
                            - default
            schema:
              $ref: '#/components/schemas/Kibana_HTTP_APIs_security_roles_bulk_create_or_update_payload'
      responses:
        '200':
          content:
            application/json:
              examples:
                bulkCreateOrUpdateRolesResponse:
                  value:
                    created:
                      - my_kibana_role
                    noop: []
                    updated: []
              schema:
                $ref: '#/components/schemas/Kibana_HTTP_APIs_security_bulk_create_or_update_roles_response'
          description: Indicates a successful call.
      summary: Create or update roles
      tags:
        - roles
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/spaces/space:
    get:
      description: Retrieve all available Kibana spaces. The list includes only the spaces that the user is authorized to access.
      operationId: get-spaces-space
      parameters:
        - description: Specifies which authorization checks are applied to the API call. The default value is `any`.
          in: query
          name: purpose
          required: false
          schema:
            enum:
              - any
              - copySavedObjectsIntoSpace
              - shareSavedObjectsIntoSpace
            type: string
        - description: When enabled, the API returns any spaces the user is authorized to access in any capacity, each including the purposes for which the user is authorized. This is useful for identifying spaces the user can read but is not authorized for a given purpose. Without the security plugin, this parameter has no effect, because no authorization checks are performed. This parameter cannot be used together with the `purpose` parameter.
          in: query
          name: include_authorized_purposes
          required: false
          schema:
            type: boolean
      responses:
        '200':
          description: Indicates a successful call.
          content:
            application/json:
              examples:
                getSpacesResponseExample1:
                  $ref: '#/components/examples/get_spaces_response1'
                getSpacesResponseExample2:
                  $ref: '#/components/examples/get_spaces_response2'
      summary: Get all spaces
      tags:
        - spaces
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    post:
      description: Create a new Kibana space.
      operationId: post-spaces-space
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            schema:
              additionalProperties: false
              type: object
              properties:
                _reserved:
                  type: boolean
                color:
                  description: The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name.
                  type: string
                description:
                  description: A description for the space.
                  type: string
                disabledFeatures:
                  default: []
                  items:
                    description: The list of features that are turned off in the space.
                    type: string
                  maxItems: 100
                  type: array
                id:
                  description: The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You cannot change the ID with the update operation.
                  type: string
                imageUrl:
                  description: The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images.
                  type: string
                initials:
                  description: One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name.
                  maxLength: 2
                  type: string
                name:
                  description: 'The display name for the space.'
                  minLength: 1
                  type: string
                projectRouting:
                  description: Cross-project search default routing configuration for this space. Controls whether searches are scoped to a single project or span multiple projects in serverless environments.
                  type: string
              required:
                - id
                - name
            examples:
              createSpaceRequest:
                $ref: '#/components/examples/create_space_request'
      responses:
        '200':
          content:
            application/json:
              schema:
                additionalProperties: false
                type: object
                properties:
                  _reserved:
                    type: boolean
                  color:
                    description: The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name.
                    type: string
                  description:
                    description: A description for the space.
                    type: string
                  disabledFeatures:
                    default: []
                    items:
                      description: The list of features that are turned off in the space.
                      type: string
                    maxItems: 100
                    type: array
                  id:
                    description: The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You cannot change the ID with the update operation.
                    type: string
                  imageUrl:
                    description: The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images.
                    type: string
                  initials:
                    description: One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name.
                    maxLength: 2
                    type: string
                  name:
                    description: 'The display name for the space.'
                    minLength: 1
                    type: string
                  projectRouting:
                    description: Cross-project search default routing configuration for this space. Controls whether searches are scoped to a single project or span multiple projects in serverless environments.
                    type: string
                required:
                  - id
                  - name
              examples:
                createSpaceResponseExample:
                  $ref: '#/components/examples/get_space_response'
          description: Indicates a successful call.
      summary: Create a space
      tags:
        - spaces
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/spaces/space/{id}:
    delete:
      description: When you delete a space, all saved objects that belong to the space are automatically deleted, which is permanent and cannot be undone.
      operationId: delete-spaces-space-id
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The space identifier.
          in: path
          name: id
          required: true
          schema:
            type: string
      responses:
        '204':
          description: Indicates a successful call.
        '404':
          description: Indicates that the request failed.
      summary: Delete a space
      tags:
        - spaces
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    get:
      description: Retrieve a single Kibana space by its identifier.
      operationId: get-spaces-space-id
      parameters:
        - description: The space identifier.
          in: path
          name: id
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                getSpaceResponse:
                  description: A response that contains the full configuration for a single Kibana space.
                  summary: Get details about a marketing space
                  value:
                    color: '#aabbcc'
                    description: This is the Marketing Space
                    disabledFeatures: []
                    id: marketing
                    imageUrl: ''
                    initials: MK
                    name: Marketing
                    solution: es
              schema:
                additionalProperties: false
                type: object
                properties:
                  _reserved:
                    type: boolean
                  color:
                    description: The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name.
                    type: string
                  description:
                    description: A description for the space.
                    type: string
                  disabledFeatures:
                    default: []
                    items:
                      description: The list of features that are turned off in the space.
                      type: string
                    maxItems: 100
                    type: array
                  id:
                    description: The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You cannot change the ID with the update operation.
                    type: string
                  imageUrl:
                    description: The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images.
                    type: string
                  initials:
                    description: One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name.
                    maxLength: 2
                    type: string
                  name:
                    description: 'The display name for the space.'
                    minLength: 1
                    type: string
                  projectRouting:
                    description: Cross-project search default routing configuration for this space. Controls whether searches are scoped to a single project or span multiple projects in serverless environments.
                    type: string
                required:
                  - id
                  - name
          description: Indicates a successful call.
      summary: Get a space
      tags:
        - spaces
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    put:
      description: Update an existing Kibana space.
      operationId: put-spaces-space-id
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The space identifier. You are unable to change the ID with the update operation.
          in: path
          name: id
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            schema:
              additionalProperties: false
              type: object
              properties:
                _reserved:
                  type: boolean
                color:
                  description: The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name.
                  type: string
                description:
                  description: A description for the space.
                  type: string
                disabledFeatures:
                  default: []
                  items:
                    description: The list of features that are turned off in the space.
                    type: string
                  maxItems: 100
                  type: array
                id:
                  description: The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You cannot change the ID with the update operation.
                  type: string
                imageUrl:
                  description: The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images.
                  type: string
                initials:
                  description: One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name.
                  maxLength: 2
                  type: string
                name:
                  description: 'The display name for the space.'
                  minLength: 1
                  type: string
                projectRouting:
                  description: Cross-project search default routing configuration for this space. Controls whether searches are scoped to a single project or span multiple projects in serverless environments.
                  type: string
              required:
                - id
                - name
            examples:
              updateSpaceRequest:
                $ref: '#/components/examples/update_space_request'
      responses:
        '200':
          content:
            application/json:
              examples:
                updateSpaceResponse:
                  description: A response that contains the updated configuration of the Kibana space.
                  summary: Update the marketing space
                  value:
                    color: '#aabbcc'
                    description: An updated description for the Marketing Space
                    disabledFeatures: []
                    id: marketing
                    imageUrl: ''
                    initials: MK
                    name: Marketing
                    solution: es
              schema:
                additionalProperties: false
                type: object
                properties:
                  _reserved:
                    type: boolean
                  color:
                    description: The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name.
                    type: string
                  description:
                    description: A description for the space.
                    type: string
                  disabledFeatures:
                    default: []
                    items:
                      description: The list of features that are turned off in the space.
                      type: string
                    maxItems: 100
                    type: array
                  id:
                    description: The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You cannot change the ID with the update operation.
                    type: string
                  imageUrl:
                    description: The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images.
                    type: string
                  initials:
                    description: One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name.
                    maxLength: 2
                    type: string
                  name:
                    description: 'The display name for the space.'
                    minLength: 1
                    type: string
                  projectRouting:
                    description: Cross-project search default routing configuration for this space. Controls whether searches are scoped to a single project or span multiple projects in serverless environments.
                    type: string
                required:
                  - id
                  - name
          description: Indicates a successful call.
      summary: Update a space
      tags:
        - spaces
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/status:
    get:
      description: Returns Kibana's overall operational status and a per-service breakdown for Elasticsearch, Saved Objects, and registered plugins. The endpoint is intended for liveness and readiness checks (for example, by Kubernetes probes) and for operators monitoring a Kibana deployment. Unauthenticated callers receive a redacted response that exposes only the overall status level.
      operationId: get-status
      parameters:
        - description: Set to "true" to get the response in v7 format.
          in: query
          name: v7format
          required: false
          schema:
            type: boolean
        - description: Set to "true" to get the response in v8 format.
          in: query
          name: v8format
          required: false
          schema:
            type: boolean
      responses:
        '200':
          content:
            application/json:
              examples:
                statusAvailableResponse:
                  description: A successful response when Kibana and its core services are operating normally.
                  summary: Kibana is available
                  value:
                    metrics:
                      collection_interval_in_millis: 5000
                      elasticsearch_client:
                        totalActiveSockets: 4
                        totalIdleSockets: 2
                        totalQueuedRequests: 0
                      last_updated: '2026-04-30T12:00:05.000Z'
                    name: kibana
                    status:
                      core:
                        elasticsearch:
                          level: available
                          summary: Elasticsearch is available
                        savedObjects:
                          level: available
                          summary: SavedObjects service has completed migrations and is available
                      overall:
                        level: available
                        summary: All services are available
                      plugins: {}
                    uuid: 5b2de169-2785-441b-ae8c-186a1936b17d
                    version:
                      build_date: '2026-04-30T12:00:00.000Z'
                      build_flavor: traditional
                      build_hash: ad8f0fa4d5022f56bbe2c4d51e9d0fcfa1ee67fc
                      build_number: 100200
                      build_snapshot: false
                      number: 9.3.0
              schema:
                anyOf:
                  - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_response'
                  - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse'
                description: Kibana's operational status. A minimal response is sent for unauthorized users.
          description: Overall status is OK and Kibana should be functioning normally.
        '503':
          content:
            application/json:
              examples:
                statusUnavailableResponse:
                  description: A response when one or more core services are unavailable.
                  summary: Kibana is unavailable
                  value:
                    metrics:
                      collection_interval_in_millis: 5000
                      elasticsearch_client:
                        totalActiveSockets: 0
                        totalIdleSockets: 0
                        totalQueuedRequests: 0
                      last_updated: '2026-04-30T12:00:05.000Z'
                    name: kibana
                    status:
                      core:
                        elasticsearch:
                          level: unavailable
                          summary: Unable to connect to Elasticsearch
                        savedObjects:
                          level: unavailable
                          summary: SavedObjects service depends on Elasticsearch
                      overall:
                        level: unavailable
                        summary: Some services are unavailable
                      plugins: {}
                    uuid: 5b2de169-2785-441b-ae8c-186a1936b17d
                    version:
                      build_date: '2026-04-30T12:00:00.000Z'
                      build_flavor: traditional
                      build_hash: ad8f0fa4d5022f56bbe2c4d51e9d0fcfa1ee67fc
                      build_number: 100200
                      build_snapshot: false
                      number: 9.3.0
              schema:
                anyOf:
                  - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_response'
                  - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse'
                description: Kibana's operational status. A minimal response is sent for unauthorized users.
          description: Kibana or some of its essential services are unavailable. Kibana may be degraded or unavailable.
      summary: Get Kibana's current status
      tags:
        - system
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/streams:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/streams</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Fetches a list of all streams.<br/><br/>[Required authorization] Route required privileges: read_stream.
      operationId: get-streams
      parameters: []
      requestBody:
        content:
          application/json:
            schema:
              anyOf:
                - additionalProperties: false
                  type: object
                  properties: {}
                - nullable: true
                - {}
      responses:
        '200':
          content:
            application/json:
              examples:
                listStreams:
                  value:
                    streams:
                      - description: Root logs stream
                        ingest:
                          failure_store:
                            inherit: {}
                          lifecycle:
                            inherit: {}
                          processing:
                            steps: []
                            updated_at: '2025-01-10T08:00:00.000Z'
                          settings: {}
                          wired:
                            fields:
                              '@timestamp':
                                type: date
                              log.level:
                                type: keyword
                              message:
                                type: match_only_text
                            routing:
                              - destination: logs.nginx
                                status: enabled
                                where:
                                  eq: nginx
                                  field: host.name
                        name: logs
                        type: wired
                        updated_at: '2025-01-10T08:00:00.000Z'
                      - description: Web server access logs, routed by severity
                        ingest:
                          failure_store:
                            inherit: {}
                          lifecycle:
                            inherit: {}
                          processing:
                            steps: []
                            updated_at: '2025-01-15T10:30:00.000Z'
                          settings: {}
                          wired:
                            fields:
                              host.name:
                                type: keyword
                              http.response.status_code:
                                type: long
                              message:
                                type: match_only_text
                            routing:
                              - destination: logs.nginx.errors
                                status: enabled
                                where:
                                  field: http.response.status_code
                                  gte: 500
                        name: logs.nginx
                        type: wired
                        updated_at: '2025-01-15T10:30:00.000Z'
                      - description: Legacy application logs
                        ingest:
                          classic: {}
                          failure_store:
                            disabled: {}
                          lifecycle:
                            dsl:
                              data_retention: 30d
                          processing:
                            steps:
                              - action: grok
                                from: message
                                ignore_missing: true
                                patterns:
                                  - '%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:log.level} %{GREEDYDATA:message}'
                            updated_at: '2024-12-01T09:00:00.000Z'
                          settings: {}
                        name: logs-myapp-default
                        type: classic
                        updated_at: '2024-12-01T09:00:00.000Z'
                      - description: All error-level logs across every stream
                        name: logs.errors
                        query:
                          esql: FROM logs* | WHERE log.level == "error"
                          view: logs.errors-view
                        type: query
                        updated_at: '2025-01-20T14:00:00.000Z'
      summary: Get stream list
      tags:
        - streams
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/streams/_disable:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/streams/_disable</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Disables wired streams and deletes all existing stream definitions. The data of wired streams is deleted, but the data of classic streams is preserved.<br/><br/>[Required authorization] Route required privileges: manage_stream.
      operationId: post-streams-disable
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            schema:
              anyOf:
                - additionalProperties: false
                  type: object
                  properties: {}
                - nullable: true
                - {}
      responses: {}
      summary: Disable streams
      tags:
        - streams
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/streams/_enable:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/streams/_enable</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Enables wired streams.<br/><br/>[Required authorization] Route required privileges: manage_stream.
      operationId: post-streams-enable
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            schema:
              anyOf:
                - additionalProperties: false
                  type: object
                  properties: {}
                - nullable: true
                - {}
      responses: {}
      summary: Enable streams
      tags:
        - streams
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/streams/_resync:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/streams/_resync</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Resyncs all streams, making sure that Elasticsearch assets are up to date.<br/><br/>[Required authorization] Route required privileges: manage_stream.
      operationId: post-streams-resync
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            schema:
              anyOf:
                - additionalProperties: false
                  type: object
                  properties: {}
                - nullable: true
                - {}
      responses: {}
      summary: Resync streams
      tags:
        - streams
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/streams/{name}:
    delete:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/streams/{name}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Deletes a stream definition and the underlying data stream.<br/><br/>[Required authorization] Route required privileges: manage_stream.
      operationId: delete-streams-name
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The name of the stream.
          in: path
          name: name
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            schema:
              anyOf:
                - additionalProperties: false
                  type: object
                  properties: {}
                - nullable: true
                - {}
      responses:
        '200':
          description: The stream was deleted successfully.
      summary: Delete a stream
      tags:
        - streams
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/streams/{name}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Fetches a stream definition and associated dashboards.<br/><br/>[Required authorization] Route required privileges: read_stream.
      operationId: get-streams-name
      parameters:
        - description: The name of the stream.
          in: path
          name: name
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            schema:
              anyOf:
                - additionalProperties: false
                  type: object
                  properties: {}
                - nullable: true
                - {}
      responses:
        '200':
          content:
            application/json:
              examples:
                getWiredStream:
                  value:
                    dashboards: []
                    data_stream_exists: true
                    effective_failure_store:
                      disabled: {}
                      from: logs
                    effective_lifecycle:
                      dsl:
                        data_retention: 7d
                      from: logs
                    effective_settings: {}
                    inherited_fields:
                      '@timestamp':
                        from: logs
                        type: date
                      log.level:
                        from: logs
                        type: keyword
                    privileges:
                      create_snapshot_repository: false
                      lifecycle: true
                      manage: true
                      manage_failure_store: true
                      monitor: true
                      read_failure_store: true
                      simulate: true
                      text_structure: true
                      view_index_metadata: true
                    queries: []
                    rules: []
                    stream:
                      description: Web server access logs, routed by severity
                      ingest:
                        failure_store:
                          inherit: {}
                        lifecycle:
                          inherit: {}
                        processing:
                          steps: []
                          updated_at: '2025-01-15T10:30:00.000Z'
                        settings: {}
                        wired:
                          fields:
                            host.name:
                              type: keyword
                            http.response.status_code:
                              type: long
                            message:
                              type: match_only_text
                          routing:
                            - destination: logs.nginx.errors
                              status: enabled
                              where:
                                field: http.response.status_code
                                gte: 500
                      name: logs.nginx
                      type: wired
                      updated_at: '2025-01-15T10:30:00.000Z'
          description: Stream definition and associated metadata.
      summary: Get a stream
      tags:
        - streams
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    put:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb put">put</span>&nbsp;<span class="operation-path">/s/{space_id}/api/streams/{name}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Creates or updates a stream definition. Classic streams cannot be created through this API, only updated.<br/><br/>[Required authorization] Route required privileges: manage_stream.
      operationId: put-streams-name
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The name of the stream.
          in: path
          name: name
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            examples:
              createQueryStream:
                value:
                  dashboards: []
                  queries: []
                  rules: []
                  stream:
                    description: All error-level logs across every stream
                    query:
                      esql: FROM logs* | WHERE log.level == "error"
                      view: logs.errors-view
                    type: query
              createWiredStream:
                value:
                  dashboards: []
                  queries: []
                  rules: []
                  stream:
                    description: Web server access logs, routed by severity
                    ingest:
                      failure_store:
                        inherit: {}
                      lifecycle:
                        inherit: {}
                      processing:
                        steps: []
                      settings: {}
                      wired:
                        fields:
                          host.name:
                            type: keyword
                          http.response.status_code:
                            type: long
                          message:
                            type: match_only_text
                        routing:
                          - destination: logs.nginx.errors
                            status: enabled
                            where:
                              field: http.response.status_code
                              gte: 500
                    type: wired
              updateClassicStream:
                value:
                  dashboards: []
                  queries: []
                  rules: []
                  stream:
                    description: Legacy application logs managed as a classic data stream
                    ingest:
                      classic: {}
                      failure_store:
                        disabled: {}
                      lifecycle:
                        dsl:
                          data_retention: 30d
                      processing:
                        steps:
                          - action: grok
                            from: message
                            ignore_missing: true
                            patterns:
                              - '%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:log.level} %{GREEDYDATA:message}'
                      settings: {}
                    type: classic
            schema:
              $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamUpsertRequest'
      responses:
        '200':
          description: The stream was created or updated successfully.
      summary: Create or update a stream
      tags:
        - streams
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/streams/{name}/_fork:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/streams/{name}/_fork</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Forks a wired stream and creates a child stream.<br/><br/>[Required authorization] Route required privileges: manage_stream.
      operationId: post-streams-name-fork
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The name of the parent stream to fork from.
          in: path
          name: name
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            examples:
              forkStream:
                value:
                  status: enabled
                  stream:
                    name: logs.nginx.errors
                  where:
                    eq: '500'
                    field: http.response.status_code
            schema:
              additionalProperties: false
              type: object
              properties:
                draft:
                  type: boolean
                status:
                  enum:
                    - enabled
                    - disabled
                  type: string
                stream:
                  additionalProperties: false
                  type: object
                  properties:
                    name:
                      type: string
                  required:
                    - name
                where:
                  $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
              required:
                - stream
                - where
      responses:
        '200':
          description: The stream was forked successfully.
      summary: Fork a stream
      tags:
        - streams
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/streams/{name}/_ingest:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/streams/{name}/_ingest</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Fetches the ingest settings of an ingest stream definition.<br/><br/>[Required authorization] Route required privileges: read_stream.
      operationId: get-streams-name-ingest
      parameters:
        - description: The name of the stream.
          in: path
          name: name
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            schema:
              anyOf:
                - additionalProperties: false
                  type: object
                  properties: {}
                - nullable: true
                - {}
      responses:
        '200':
          content:
            application/json:
              examples:
                getWiredIngest:
                  value:
                    ingest:
                      failure_store:
                        inherit: {}
                      lifecycle:
                        inherit: {}
                      processing:
                        steps:
                          - action: grok
                            from: message
                            ignore_missing: false
                            patterns:
                              - '%{IPORHOST:client.ip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:@timestamp}\] "%{WORD:http.method} %{DATA:url.original} HTTP/%{NUMBER:http.version}" %{NUMBER:http.response.status_code:int} (?:%{NUMBER:http.response.body.bytes:int}|-)'
                        updated_at: '2025-01-15T10:30:00.000Z'
                      settings: {}
                      wired:
                        fields:
                          client.ip:
                            type: ip
                          http.method:
                            type: keyword
                          http.response.body.bytes:
                            type: long
                          http.response.status_code:
                            type: long
                          url.original:
                            type: wildcard
                        routing:
                          - destination: logs.nginx.errors
                            status: enabled
                            where:
                              field: http.response.status_code
                              gte: 500
          description: Ingest settings for the stream.
      summary: Get ingest stream settings
      tags:
        - streams
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    put:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb put">put</span>&nbsp;<span class="operation-path">/s/{space_id}/api/streams/{name}/_ingest</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Upserts the ingest settings of an ingest stream definition.<br/><br/>[Required authorization] Route required privileges: manage_stream.
      operationId: put-streams-name-ingest
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The name of the stream.
          in: path
          name: name
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            examples:
              upsertWiredIngest:
                value:
                  ingest:
                    failure_store:
                      inherit: {}
                    lifecycle:
                      inherit: {}
                    processing:
                      steps:
                        - action: grok
                          from: message
                          ignore_missing: false
                          patterns:
                            - '%{IPORHOST:client.ip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:@timestamp}\] "%{WORD:http.method} %{DATA:url.original} HTTP/%{NUMBER:http.version}" %{NUMBER:http.response.status_code:int} (?:%{NUMBER:http.response.body.bytes:int}|-)'
                    settings: {}
                    wired:
                      fields:
                        client.ip:
                          type: ip
                        http.method:
                          type: keyword
                        http.response.body.bytes:
                          type: long
                        http.response.status_code:
                          type: long
                        url.original:
                          type: wildcard
                      routing:
                        - destination: logs.nginx.errors
                          status: enabled
                          where:
                            eq: '500'
                            field: http.response.status_code
            schema:
              additionalProperties: false
              type: object
              properties:
                ingest:
                  anyOf:
                    - additionalProperties: false
                      type: object
                      properties:
                        failure_store:
                          $ref: '#/components/schemas/Kibana_HTTP_APIs_FailureStore'
                        lifecycle:
                          $ref: '#/components/schemas/Kibana_HTTP_APIs_IngestStreamLifecycle'
                        processing:
                          additionalProperties: false
                          type: object
                          properties:
                            steps:
                              items:
                                $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep'
                              type: array
                            updated_at: {}
                          required:
                            - steps
                        settings:
                          additionalProperties: false
                          type: object
                          properties:
                            index.number_of_replicas:
                              additionalProperties: false
                              type: object
                              properties:
                                value:
                                  type: number
                              required:
                                - value
                            index.number_of_shards:
                              additionalProperties: false
                              type: object
                              properties:
                                value:
                                  type: number
                              required:
                                - value
                            index.refresh_interval:
                              additionalProperties: false
                              type: object
                              properties:
                                value:
                                  anyOf:
                                    - type: string
                                    - enum:
                                        - -1
                                      type: number
                              required:
                                - value
                        wired:
                          additionalProperties: false
                          type: object
                          properties:
                            draft:
                              type: boolean
                            fields:
                              $ref: '#/components/schemas/Kibana_HTTP_APIs_FieldDefinition'
                            routing:
                              items:
                                type: object
                                properties:
                                  destination:
                                    description: A non-empty string.
                                    minLength: 1
                                    type: string
                                  draft:
                                    type: boolean
                                  status:
                                    enum:
                                      - enabled
                                      - disabled
                                    type: string
                                  where:
                                    $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
                                required:
                                  - destination
                                  - where
                              type: array
                          required:
                            - fields
                            - routing
                      required:
                        - lifecycle
                        - processing
                        - settings
                        - failure_store
                        - wired
                    - additionalProperties: false
                      type: object
                      properties:
                        classic:
                          additionalProperties: false
                          type: object
                          properties:
                            field_overrides:
                              $ref: '#/components/schemas/Kibana_HTTP_APIs_ClassicFieldDefinition'
                        failure_store:
                          $ref: '#/components/schemas/Kibana_HTTP_APIs_FailureStore'
                        lifecycle:
                          $ref: '#/components/schemas/Kibana_HTTP_APIs_IngestStreamLifecycle'
                        processing:
                          additionalProperties: false
                          type: object
                          properties:
                            steps:
                              items:
                                $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep'
                              type: array
                            updated_at: {}
                          required:
                            - steps
                        settings:
                          additionalProperties: false
                          type: object
                          properties:
                            index.number_of_replicas:
                              additionalProperties: false
                              type: object
                              properties:
                                value:
                                  type: number
                              required:
                                - value
                            index.number_of_shards:
                              additionalProperties: false
                              type: object
                              properties:
                                value:
                                  type: number
                              required:
                                - value
                            index.refresh_interval:
                              additionalProperties: false
                              type: object
                              properties:
                                value:
                                  anyOf:
                                    - type: string
                                    - enum:
                                        - -1
                                      type: number
                              required:
                                - value
                      required:
                        - lifecycle
                        - processing
                        - settings
                        - failure_store
                        - classic
              required:
                - ingest
      responses:
        '200':
          description: The ingest settings were updated successfully.
      summary: Update ingest stream settings
      tags:
        - streams
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/streams/{name}/_query:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/streams/{name}/_query</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Fetches the query settings of a query stream definition.<br/><br/>[Required authorization] Route required privileges: read_stream.
      operationId: get-streams-name-query
      parameters:
        - description: The name of the query stream.
          in: path
          name: name
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            schema:
              anyOf:
                - additionalProperties: false
                  type: object
                  properties: {}
                - nullable: true
                - {}
      responses:
        '200':
          description: Query settings for the stream.
      summary: Get query stream settings
      tags:
        - streams
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    put:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb put">put</span>&nbsp;<span class="operation-path">/s/{space_id}/api/streams/{name}/_query</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Upserts the query settings of a query stream definition.<br/><br/>[Required authorization] Route required privileges: manage_stream.
      operationId: put-streams-name-query
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The name of the query stream.
          in: path
          name: name
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            examples:
              upsertQueryStream:
                value:
                  query:
                    esql: FROM logs* | WHERE log.level == "error" | KEEP @timestamp, message, host.name, log.level
            schema:
              additionalProperties: false
              type: object
              properties:
                field_descriptions:
                  additionalProperties:
                    type: string
                  type: object
                query:
                  additionalProperties: false
                  type: object
                  properties:
                    esql:
                      type: string
                  required:
                    - esql
              required:
                - query
      responses:
        '200':
          description: The query stream settings were updated successfully.
      summary: Upsert query stream settings
      tags:
        - streams
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/streams/{name}/content/export:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/streams/{name}/content/export</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Exports the content associated with a stream.<br/><br/>[Required authorization] Route required privileges: manage_stream.
      operationId: post-streams-name-content-export
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The name of the stream to export content from.
          in: path
          name: name
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            examples:
              exportContent:
                value:
                  description: Nginx stream content pack
                  include:
                    objects:
                      all: {}
                  name: nginx-pack
                  version: 1.0.0
            schema:
              additionalProperties: false
              type: object
              properties:
                description:
                  type: string
                include:
                  $ref: '#/components/schemas/Kibana_HTTP_APIs_ContentPackIncludedObjects'
                name:
                  type: string
                version:
                  type: string
              required:
                - name
                - description
                - version
                - include
      responses:
        '200':
          description: Content pack archive for the stream.
      summary: Export stream content
      tags:
        - streams
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/streams/{name}/content/import:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/streams/{name}/content/import</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Links content objects to a stream.<br/><br/>[Required authorization] Route required privileges: manage_stream.
      operationId: post-streams-name-content-import
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The name of the stream to import content into.
          in: path
          name: name
          required: true
          schema:
            type: string
      requestBody:
        content:
          multipart/form-data:
            examples:
              importContent:
                value:
                  content: <binary zip archive>
                  include: '{"objects":{"all":{}}}'
            schema:
              additionalProperties: false
              type: object
              properties:
                content: {}
                include:
                  type: string
              required:
                - include
                - content
      responses:
        '200':
          description: Content was imported into the stream successfully.
      summary: Import content into a stream
      tags:
        - streams
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/streams/{name}/queries:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/streams/{name}/queries</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Fetches all queries linked to a stream that are visible to the current user in the current space.<br/><br/>[Required authorization] Route required privileges: read_stream.
      operationId: get-streams-name-queries
      parameters:
        - description: The name of the stream.
          in: path
          name: name
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            schema:
              anyOf:
                - additionalProperties: false
                  type: object
                  properties: {}
                - nullable: true
                - {}
      responses:
        '200':
          content:
            application/json:
              examples:
                listQueries:
                  value:
                    queries:
                      - description: Count error-level log events grouped by host name
                        esql:
                          query: FROM logs.nginx | WHERE log.level == "error" | STATS count = COUNT(*) BY host.name
                        id: error-count-by-host
                        severity_score: 75
                        title: Error count by host
                        type: match
                      - description: Requests with response time above 2 seconds
                        esql:
                          query: FROM logs.nginx | WHERE http.response_time > 2000
                        id: high-latency-requests
                        severity_score: 50
                        title: High latency requests
                        type: match
          description: List of queries linked to the stream.
      summary: Get stream queries
      tags:
        - streams
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/streams/{name}/queries/_bulk:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/streams/{name}/queries/_bulk</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Bulk update queries of a stream. Can add new queries and delete existing ones.<br/><br/>[Required authorization] Route required privileges: manage_stream.
      operationId: post-streams-name-queries-bulk
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The name of the stream.
          in: path
          name: name
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            examples:
              bulkQueries:
                value:
                  operations:
                    - index:
                        description: Count error-level log events grouped by host name
                        esql:
                          query: FROM logs* | WHERE log.level == "error" | STATS count = COUNT(*) BY host.name
                        id: error-count-by-host
                        title: Error count by host
                    - delete:
                        id: old-query-id
            schema:
              additionalProperties: false
              type: object
              properties:
                operations:
                  items:
                    anyOf:
                      - type: object
                        properties:
                          index:
                            type: object
                            properties:
                              description:
                                default: ''
                                type: string
                              esql:
                                type: object
                                properties:
                                  query:
                                    type: string
                                required:
                                  - query
                              evidence:
                                items:
                                  type: string
                                type: array
                              id:
                                description: A non-empty string.
                                minLength: 1
                                type: string
                              severity_score:
                                type: number
                              title:
                                description: A non-empty string.
                                minLength: 1
                                type: string
                            required:
                              - title
                              - esql
                              - id
                        required:
                          - index
                      - type: object
                        properties:
                          delete:
                            type: object
                            properties:
                              id:
                                type: string
                            required:
                              - id
                        required:
                          - delete
                  type: array
              required:
                - operations
      responses:
        '200':
          description: Bulk operation completed successfully.
      summary: Bulk update queries
      tags:
        - streams
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/streams/{name}/queries/{queryId}:
    delete:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/streams/{name}/queries/{queryId}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Remove a query from a stream. Noop if the query is not found on the stream.<br/><br/>[Required authorization] Route required privileges: manage_stream.
      operationId: delete-streams-name-queries-queryid
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The name of the stream.
          in: path
          name: name
          required: true
          schema:
            type: string
        - description: The identifier of the query to remove.
          in: path
          name: queryId
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            schema:
              anyOf:
                - additionalProperties: false
                  type: object
                  properties: {}
                - nullable: true
                - {}
      responses:
        '200':
          description: The query was removed successfully.
      summary: Remove a query from a stream
      tags:
        - streams
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    put:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb put">put</span>&nbsp;<span class="operation-path">/s/{space_id}/api/streams/{name}/queries/{queryId}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Adds a query to a stream. Noop if the query is already present on the stream.<br/><br/>[Required authorization] Route required privileges: manage_stream.
      operationId: put-streams-name-queries-queryid
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The name of the stream.
          in: path
          name: name
          required: true
          schema:
            type: string
        - description: The identifier of the query.
          in: path
          name: queryId
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            examples:
              upsertQuery:
                value:
                  description: Count error-level log events grouped by host name
                  esql:
                    query: FROM logs* | WHERE log.level == "error" | STATS count = COUNT(*) BY host.name
                  title: Error count by host
            schema:
              additionalProperties: false
              type: object
              properties:
                description:
                  default: ''
                  type: string
                esql:
                  additionalProperties: false
                  type: object
                  properties:
                    query:
                      type: string
                  required:
                    - query
                evidence:
                  items:
                    type: string
                  type: array
                severity_score:
                  type: number
                title:
                  description: A non-empty string.
                  minLength: 1
                  type: string
              required:
                - title
                - esql
      responses:
        '200':
          description: The query was added or updated successfully.
      summary: Upsert a query to a stream
      tags:
        - streams
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/streams/{name}/significant_events:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/streams/{name}/significant_events</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Read the significant events.<br/><br/>[Required authorization] Route required privileges: read_stream.
      operationId: get-streams-name-significant-events
      parameters:
        - description: The name of the stream.
          in: path
          name: name
          required: true
          schema:
            type: string
        - in: query
          name: from
          required: true
          schema:
            type: string
        - in: query
          name: to
          required: true
          schema:
            type: string
        - description: The bucket size for aggregating events (e.g. "1m", "1h").
          in: query
          name: bucketSize
          required: true
          schema:
            type: string
        - description: Query string to filter significant events on metadata fields
          in: query
          name: query
          required: false
          schema:
            type: string
        - description: 'Search mode: keyword (BM25), semantic (vector), or hybrid (RRF). When omitted, defaults to hybrid with a silent keyword fallback on failure. When set explicitly, failures propagate as errors.'
          in: query
          name: searchMode
          required: false
          schema:
            enum:
              - keyword
              - semantic
              - hybrid
            type: string
      requestBody:
        content:
          application/json:
            schema:
              anyOf:
                - additionalProperties: false
                  type: object
                  properties: {}
                - nullable: true
                - {}
      responses:
        '200':
          content:
            application/json:
              examples:
                significantEvents:
                  value:
                    aggregated_occurrences:
                      - count: 42
                        date: '2025-01-15T10:00:00.000Z'
                      - count: 18
                        date: '2025-01-15T11:00:00.000Z'
                      - count: 7
                        date: '2025-01-15T12:00:00.000Z'
                    significant_events:
                      - change_points:
                          type:
                            spike:
                              change_point: 1
                              p_value: 0.002
                        description: Count error-level log events grouped by host name
                        esql:
                          query: FROM logs.nginx | WHERE log.level == "error" | STATS count = COUNT(*) BY host.name
                        id: error-count-by-host
                        occurrences:
                          - count: 42
                            date: '2025-01-15T10:00:00.000Z'
                          - count: 18
                            date: '2025-01-15T11:00:00.000Z'
                          - count: 7
                            date: '2025-01-15T12:00:00.000Z'
                        rule_backed: false
                        severity_score: 75
                        stream_name: logs.nginx
                        title: Error count by host
                        type: match
          description: Significant events for the stream.
      summary: Read the significant events
      tags:
        - streams
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/streams/{name}/significant_events/_generate:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/streams/{name}/significant_events/_generate</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Generate significant event queries based on the stream data.<br/><br/>[Required authorization] Route required privileges: read_stream.
      operationId: post-streams-name-significant-events-generate
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The name of the stream.
          in: path
          name: name
          required: true
          schema:
            type: string
        - description: Optional connector ID. If not provided, the default AI connector from settings will be used.
          in: query
          name: connectorId
          required: false
          schema:
            type: string
        - in: query
          name: from
          required: true
          schema:
            type: string
        - in: query
          name: to
          required: true
          schema:
            type: string
        - description: The number of sample documents from the stream's current data to use for generation.
          in: query
          name: sampleDocsSize
          required: false
          schema:
            type: number
      requestBody:
        content:
          application/json:
            schema:
              anyOf:
                - additionalProperties: false
                  type: object
                  properties: {}
                - nullable: true
                - {}
      responses:
        '200':
          description: Generated significant event query definitions.
      summary: Generate significant events
      tags:
        - streams
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/streams/{name}/significant_events/_preview:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/streams/{name}/significant_events/_preview</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Preview significant event results based on a given query.<br/><br/>[Required authorization] Route required privileges: read_stream.
      operationId: post-streams-name-significant-events-preview
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The name of the stream.
          in: path
          name: name
          required: true
          schema:
            type: string
        - in: query
          name: from
          required: true
          schema:
            type: string
        - in: query
          name: to
          required: true
          schema:
            type: string
        - description: The bucket size for aggregating events (e.g. "1m", "1h").
          in: query
          name: bucketSize
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            schema:
              additionalProperties: false
              type: object
              properties:
                query:
                  additionalProperties: false
                  type: object
                  properties:
                    esql:
                      additionalProperties: false
                      type: object
                      properties:
                        query:
                          type: string
                      required:
                        - query
                  required:
                    - esql
              required:
                - query
      responses:
        '200':
          description: Significant event preview results.
      summary: Preview significant events
      tags:
        - streams
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/streams/{streamName}/attachments:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/streams/{streamName}/attachments</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Fetches all attachments linked to a stream that are visible to the current user in the current space. Optionally filter by attachment types, search query, and tags.<br/><br/>[Required authorization] Route required privileges: read_stream.
      operationId: get-streams-streamname-attachments
      parameters:
        - description: The name of the stream
          in: path
          name: streamName
          required: true
          schema:
            type: string
        - description: Search query to filter attachments by title
          in: query
          name: query
          required: false
          schema:
            type: string
        - description: Filter by attachment types (single value or array)
          in: query
          name: attachmentTypes
          required: false
          schema:
            items:
              enum:
                - dashboard
                - rule
                - slo
              type: string
            type: array
        - description: Filter by tags (single value or array)
          in: query
          name: tags
          required: false
          schema:
            items:
              type: string
            type: array
      requestBody:
        content:
          application/json:
            examples:
              listAttachmentsExample:
                value: {}
            schema:
              anyOf:
                - additionalProperties: false
                  type: object
                  properties: {}
                - nullable: true
                - {}
      responses:
        '200':
          content:
            application/json:
              examples:
                listAttachmentsResponse:
                  value:
                    attachments:
                      - createdAt: '2023-02-23T16:15:47.275Z'
                        description: Dashboard for monitoring production services
                        id: dashboard-123
                        streamNames:
                          - logs.awsfirehose
                          - logs.nginx
                        tags:
                          - monitoring
                          - production
                        title: My Dashboard
                        type: dashboard
                        updatedAt: '2023-03-24T14:39:17.636Z'
          description: Successfully retrieved attachments
      summary: Get stream attachments
      tags:
        - streams
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/streams/{streamName}/attachments/_bulk:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/streams/{streamName}/attachments/_bulk</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Bulk update attachments linked to a stream. Can link new attachments and delete existing ones. Supports mixed attachment types in a single request.<br/><br/>[Required authorization] Route required privileges: manage_stream.
      operationId: post-streams-streamname-attachments-bulk
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The name of the stream
          in: path
          name: streamName
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            examples:
              bulkAttachmentsExample:
                value:
                  operations:
                    - index:
                        id: dashboard-123
                        type: dashboard
                    - delete:
                        id: rule-456
                        type: rule
            schema:
              additionalProperties: false
              type: object
              properties:
                operations:
                  items:
                    anyOf:
                      - type: object
                        properties:
                          index:
                            type: object
                            properties:
                              id:
                                type: string
                              type:
                                enum:
                                  - dashboard
                                  - rule
                                  - slo
                                type: string
                            required:
                              - id
                              - type
                        required:
                          - index
                      - type: object
                        properties:
                          delete:
                            type: object
                            properties:
                              id:
                                type: string
                              type:
                                enum:
                                  - dashboard
                                  - rule
                                  - slo
                                type: string
                            required:
                              - id
                              - type
                        required:
                          - delete
                  type: array
              required:
                - operations
      responses:
        '200':
          content:
            application/json:
              examples:
                bulkAttachmentsResponse:
                  value:
                    acknowledged: true
          description: Successfully performed bulk operations
      summary: Bulk update attachments
      tags:
        - streams
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/streams/{streamName}/attachments/{attachmentType}/{attachmentId}:
    delete:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/streams/{streamName}/attachments/{attachmentType}/{attachmentId}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Unlinks an attachment from a stream. Noop if the attachment is not linked to the stream.<br/><br/>[Required authorization] Route required privileges: manage_stream.
      operationId: delete-streams-streamname-attachments-attachmenttype-attachmentid
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The name of the stream
          in: path
          name: streamName
          required: true
          schema:
            type: string
        - description: The type of the attachment
          in: path
          name: attachmentType
          required: true
          schema:
            enum:
              - dashboard
              - rule
              - slo
            type: string
        - description: The ID of the attachment
          in: path
          name: attachmentId
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            examples:
              unlinkAttachmentExample:
                value: {}
            schema:
              anyOf:
                - additionalProperties: false
                  type: object
                  properties: {}
                - nullable: true
                - {}
      responses:
        '200':
          content:
            application/json:
              examples:
                unlinkAttachmentResponse:
                  value:
                    acknowledged: true
          description: Successfully unlinked attachment
      summary: Unlink an attachment from a stream
      tags:
        - streams
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    put:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb put">put</span>&nbsp;<span class="operation-path">/s/{space_id}/api/streams/{streamName}/attachments/{attachmentType}/{attachmentId}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Links an attachment to a stream. Noop if the attachment is already linked to the stream.<br/><br/>[Required authorization] Route required privileges: manage_stream.
      operationId: put-streams-streamname-attachments-attachmenttype-attachmentid
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: The name of the stream
          in: path
          name: streamName
          required: true
          schema:
            type: string
        - description: The type of the attachment
          in: path
          name: attachmentType
          required: true
          schema:
            enum:
              - dashboard
              - rule
              - slo
            type: string
        - description: The ID of the attachment
          in: path
          name: attachmentId
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            examples:
              linkAttachmentExample:
                value: {}
            schema:
              anyOf:
                - additionalProperties: false
                  type: object
                  properties: {}
                - nullable: true
                - {}
      responses:
        '200':
          content:
            application/json:
              examples:
                linkAttachmentResponse:
                  value:
                    acknowledged: true
          description: Successfully linked attachment
      summary: Link an attachment to a stream
      tags:
        - streams
      x-state: Technical Preview
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/task_manager/_health:
    get:
      description: |
        Get the health status of the Kibana task manager.
      operationId: task-manager-health
      responses:
        '200':
          content:
            application/json:
              examples:
                taskManagerHealthResponse1:
                  $ref: '#/components/examples/Task_manager_health_Serverless_APIs_health_200response_serverless'
              schema:
                $ref: '#/components/schemas/Task_manager_health_Serverless_APIs_health_response_serverless'
          description: Indicates a successful call
      summary: Get the task manager health
      tags:
        - task manager
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/timeline:
    delete:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/timeline</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Delete one or more Timelines or Timeline templates.
      operationId: DeleteTimelines
      requestBody:
        content:
          application/json:
            examples:
              deleteByIds:
                summary: Delete timelines by saved object id
                value:
                  savedObjectIds:
                    - 15c1929b-0af7-42bd-85a8-56e234cc7c4e
              deleteWithSearches:
                summary: Delete Timelines and their linked saved searches
                value:
                  savedObjectIds:
                    - 15c1929b-0af7-42bd-85a8-56e234cc7c4e
                    - 6ce1b592-84e3-4b4a-9552-f189d4b82075
                  searchIds:
                    - 2c1b8f02-9ad6-4e33-8f6a-2c6b7d0a1f11
            schema:
              type: object
              properties:
                savedObjectIds:
                  description: The list of IDs of the Timelines or Timeline templates to delete
                  items:
                    type: string
                  maxItems: 100
                  type: array
                searchIds:
                  description: Saved search IDs that should be deleted alongside the timelines
                  items:
                    type: string
                  maxItems: 100
                  type: array
              required:
                - savedObjectIds
        description: The IDs of the Timelines or Timeline templates to delete.
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                success:
                  summary: Success
                  value: {}
              schema:
                additionalProperties: true
                type: object
          description: Indicates a successful call.
      summary: Delete Timelines or Timeline templates
      tags:
        - Security Timeline API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/timeline</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get the details of an existing saved Timeline or Timeline template.
      operationId: GetTimeline
      parameters:
        - description: The `savedObjectId` of the Timeline template to retrieve.
          in: query
          name: template_timeline_id
          schema:
            type: string
        - description: The `savedObjectId` of the Timeline to retrieve.
          in: query
          name: id
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                timelineDetail:
                  summary: Timeline detail
                  value:
                    description: User-reported suspicious email
                    noteIds: []
                    pinnedEventIds: []
                    savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
                    status: active
                    timelineType: default
                    title: Phishing investigation
                    version: WzE0LDFd
              schema:
                $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse'
          description: Indicates a successful call.
      summary: Get Timeline or Timeline template details
      tags:
        - Security Timeline API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    patch:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb patch">patch</span>&nbsp;<span class="operation-path">/s/{space_id}/api/timeline</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Update an existing Timeline. You can update the title, description, date range, pinned events, pinned queries, and/or pinned saved queries of an existing Timeline.
      operationId: PatchTimeline
      requestBody:
        content:
          application/json:
            examples:
              patchTitle:
                summary: Update title
                value:
                  timeline:
                    title: Escalated case review
                  timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
                  version: WzE0LDFd
            schema:
              type: object
              properties:
                timeline:
                  $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline'
                  description: The timeline object of the Timeline or Timeline template that you’re updating.
                timelineId:
                  description: The `savedObjectId` of the Timeline or Timeline template that you’re updating.
                  example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
                  nullable: true
                  type: string
                version:
                  description: The version of the Timeline or Timeline template that you’re updating.
                  example: WzE0LDFd
                  nullable: true
                  type: string
              required:
                - timelineId
                - version
                - timeline
        description: The Timeline updates, along with the Timeline ID and version.
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                patched:
                  summary: Updated timeline
                  value:
                    savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
                    status: active
                    timelineType: default
                    title: Escalated case review
                    version: WzE1LDFd
              schema:
                $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse'
          description: Indicates a successful call.
        '405':
          content:
            application/json:
              examples:
                error:
                  summary: Error body
                  value:
                    body: update timeline error
                    statusCode: 405
              schema:
                type: object
                properties:
                  body:
                    description: The error message.
                    example: update timeline error
                    type: string
                  statusCode:
                    example: 405
                    type: number
          description: Indicates that the user does not have the required access to create a Timeline.
      summary: Update a Timeline
      tags:
        - Security Timeline API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/timeline</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Create a new Timeline or Timeline template.
      operationId: CreateTimelines
      requestBody:
        content:
          application/json:
            examples:
              createDefault:
                summary: Create a default timeline
                value:
                  timeline:
                    status: active
                    timelineType: default
                    title: Malware containment
            schema:
              type: object
              properties:
                status:
                  $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus'
                  nullable: true
                templateTimelineId:
                  description: A unique identifier for the Timeline template.
                  example: 6ce1b592-84e3-4b4a-9552-f189d4b82075
                  nullable: true
                  type: string
                templateTimelineVersion:
                  description: Timeline template version number.
                  example: 12
                  nullable: true
                  type: number
                timeline:
                  $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline'
                timelineId:
                  description: A unique identifier for the Timeline.
                  example: 6ce1b592-84e3-4b4a-9552-f189d4b82075
                  nullable: true
                  type: string
                timelineType:
                  $ref: '#/components/schemas/Security_Timeline_API_TimelineType'
                  nullable: true
                version:
                  nullable: true
                  type: string
              required:
                - timeline
        description: The required Timeline fields used to create a new Timeline, along with optional fields that will be created if not provided.
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                created:
                  summary: Created timeline
                  value:
                    savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
                    status: active
                    timelineType: default
                    title: Malware containment
                    version: WzE0LDFd
              schema:
                $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse'
          description: Indicates a successful call.
        '405':
          content:
            application/json:
              examples:
                error:
                  summary: Error body
                  value:
                    body: update timeline error
                    statusCode: 405
              schema:
                type: object
                properties:
                  body:
                    description: The error message
                    example: update timeline error
                    type: string
                  statusCode:
                    example: 405
                    type: number
          description: Indicates that there was an error in the Timeline creation.
      summary: Create a Timeline or Timeline template
      tags:
        - Security Timeline API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/timeline/_copy:
    post:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/timeline/_copy</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Copies and returns a timeline or timeline template.
      operationId: CopyTimeline
      requestBody:
        content:
          application/json:
            examples:
              copyWithTitle:
                summary: Copy with a new title
                value:
                  timeline:
                    timelineType: default
                    title: Copy of investigation
                  timelineIdToCopy: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
            schema:
              type: object
              properties:
                timeline:
                  $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline'
                timelineIdToCopy:
                  description: The `savedObjectId` of the timeline or template to duplicate.
                  type: string
              required:
                - timeline
                - timelineIdToCopy
        description: Source timeline id to copy plus timeline fields for the new saved object.
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                copied:
                  summary: Newly saved timeline
                  value:
                    savedObjectId: 6ce1b592-84e3-4b4a-9552-f189d4b82075
                    status: active
                    timelineType: default
                    title: Copy of investigation
                    version: WzE1LDFd
              schema:
                $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse'
          description: Indicates a successful call.
      summary: Copy a Timeline or Timeline template
      tags:
        - Security Timeline API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/timeline/_draft:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/timeline/_draft</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get the details of the draft Timeline or Timeline template for the current user. If the user doesn't have a draft Timeline, an empty Timeline is returned.
      operationId: GetDraftTimelines
      parameters:
        - description: Which draft to load (`default` investigation timeline or `template` timeline template).
          in: query
          name: timelineType
          required: true
          schema:
            $ref: '#/components/schemas/Security_Timeline_API_TimelineType'
      responses:
        '200':
          content:
            application/json:
              examples:
                draftPayload:
                  summary: Draft timeline payload
                  value:
                    savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
                    status: draft
                    timelineType: default
                    title: ''
                    version: WzE0LDFd
              schema:
                $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse'
          description: Indicates a successful call.
        '403':
          content:
            application/json:
              examples:
                forbidden:
                  summary: Permission denied
                  value:
                    message: Forbidden
                    status_code: 403
              schema:
                type: object
                properties:
                  message:
                    type: string
                  status_code:
                    type: number
          description: If a draft Timeline was not found and we attempted to create one, it indicates that the user does not have the required permissions to create a draft Timeline.
        '409':
          content:
            application/json:
              examples:
                conflict:
                  summary: Draft conflict
                  value:
                    message: Conflict
                    status_code: 409
              schema:
                type: object
                properties:
                  message:
                    type: string
                  status_code:
                    type: number
          description: This should never happen, but if a draft Timeline was not found and we attempted to create one, it indicates that there is already a draft Timeline with the given `timelineId`.
      summary: Get draft Timeline or Timeline template details
      tags:
        - Security Timeline API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    post:
      description: |
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/timeline/_draft</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Create a clean draft Timeline or Timeline template for the current user.
        > info
        > If the user already has a draft Timeline, the existing draft Timeline is cleared and returned.
      operationId: CleanDraftTimelines
      requestBody:
        content:
          application/json:
            examples:
              defaultDraft:
                summary: Create a default draft timeline
                value:
                  timelineType: default
            schema:
              type: object
              properties:
                timelineType:
                  $ref: '#/components/schemas/Security_Timeline_API_TimelineType'
              required:
                - timelineType
        description: The type of Timeline to create. Valid values are `default` and `template`.
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                draftResponse:
                  summary: Draft after reset or creation
                  value:
                    savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
                    status: draft
                    templateTimelineId: null
                    templateTimelineVersion: null
                    timelineType: default
                    title: ''
                    version: WzE0LDFd
              schema:
                $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse'
          description: Indicates a successful call.
        '403':
          content:
            application/json:
              examples:
                forbidden:
                  summary: Permission denied
                  value:
                    message: Forbidden
                    status_code: 403
              schema:
                type: object
                properties:
                  message:
                    type: string
                  status_code:
                    type: number
          description: Indicates that the user does not have the required permissions to create a draft Timeline.
        '409':
          content:
            application/json:
              examples:
                conflict:
                  summary: Draft conflict
                  value:
                    message: Conflict
                    status_code: 409
              schema:
                type: object
                properties:
                  message:
                    type: string
                  status_code:
                    type: number
          description: Indicates that there is already a draft Timeline with the given `timelineId`.
      summary: Create a clean draft Timeline or Timeline template
      tags:
        - Security Timeline API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/timeline/_export:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/timeline/_export</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Export Timelines as an NDJSON file.
      operationId: ExportTimelines
      parameters:
        - description: The name of the file to export
          in: query
          name: file_name
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            examples:
              exportIds:
                summary: Export by timeline ids
                value:
                  ids:
                    - 15c1929b-0af7-42bd-85a8-56e234cc7c4e
            schema:
              type: object
              properties:
                ids:
                  items:
                    type: string
                  maxItems: 1000
                  minItems: 1
                  nullable: true
                  type: array
        description: The IDs of the Timelines to export.
        required: true
      responses:
        '200':
          content:
            application/ndjson:
              examples:
                ndjsonLine:
                  summary: Single NDJSON line
                  value: '{"savedObjectId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","version":"WzE0LDFd","title":"Investigation","timelineType":"default"}'
              schema:
                description: NDJSON of the exported Timelines
                type: string
          description: Indicates a successful call.
        '400':
          content:
            application/ndjson:
              examples:
                badRequest:
                  summary: Export error
                  value:
                    body: Export limit exceeded
                    statusCode: 400
              schema:
                type: object
                properties:
                  body:
                    type: string
                  statusCode:
                    type: number
          description: Bad Request response.
      summary: Export Timelines
      tags:
        - Security Timeline API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/timeline/_favorite:
    patch:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb patch">patch</span>&nbsp;<span class="operation-path">/s/{space_id}/api/timeline/_favorite</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Favorite a Timeline or Timeline template for the current user.
      operationId: PersistFavoriteRoute
      requestBody:
        content:
          application/json:
            examples:
              favoriteDefault:
                summary: Favorite a default timeline
                value:
                  templateTimelineId: null
                  templateTimelineVersion: null
                  timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
                  timelineType: default
            schema:
              type: object
              properties:
                templateTimelineId:
                  nullable: true
                  type: string
                templateTimelineVersion:
                  nullable: true
                  type: number
                timelineId:
                  nullable: true
                  type: string
                timelineType:
                  $ref: '#/components/schemas/Security_Timeline_API_TimelineType'
                  nullable: true
              required:
                - timelineId
                - templateTimelineId
                - templateTimelineVersion
                - timelineType
        description: The required fields used to favorite a (template) Timeline.
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                favoriteResponse:
                  summary: Favorite metadata updated
                  value:
                    favorite:
                      - favoriteDate: 1741337636741
                        userName: elastic
                    savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
                    timelineType: default
                    version: WzE2LDFd
              schema:
                $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResponse'
          description: Indicates a successful call.
        '403':
          content:
            application/json:
              examples:
                forbidden:
                  summary: Forbidden
                  value:
                    body: Forbidden
                    statusCode: 403
              schema:
                type: object
                properties:
                  body:
                    type: string
                  statusCode:
                    type: number
          description: Indicates the user does not have the required permissions to persist the favorite status.
      summary: Favorite a Timeline or Timeline template
      tags:
        - Security Timeline API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/timeline/_import:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/timeline/_import</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Import Timelines.
      operationId: ImportTimelines
      requestBody:
        content:
          application/json:
            examples:
              multipartPlaceholder:
                summary: Request shape (file is a stream of NDJSON lines at runtime)
                value:
                  file: '{"savedObjectId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","version":"WzE0LDFd"}\n'
                  isImmutable: 'false'
            schema:
              type: object
              properties:
                file: {}
                isImmutable:
                  description: Whether the Timeline should be immutable
                  enum:
                    - 'true'
                    - 'false'
                  type: string
              required:
                - file
        description: The Timelines to import as a readable stream.
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                importSummary:
                  summary: Import summary
                  value:
                    errors: []
                    success: true
                    success_count: 5
                    timelines_installed: 3
                    timelines_updated: 2
              schema:
                $ref: '#/components/schemas/Security_Timeline_API_ImportTimelineResult'
          description: Indicates a successful call.
        '400':
          content:
            application/json:
              examples:
                badRequest:
                  summary: Invalid import
                  value:
                    body: Invalid file extension
                    statusCode: 400
              schema:
                type: object
                properties:
                  body:
                    description: The error message
                    example: Invalid file extension
                    type: string
                  statusCode:
                    example: 400
                    type: number
          description: Bad Request response.
        '404':
          content:
            application/json:
              examples:
                notFound:
                  summary: Saved objects client missing
                  value:
                    body: Unable to find saved object client
                    statusCode: 404
              schema:
                type: object
                properties:
                  body:
                    description: The error message
                    example: Unable to find saved object client
                    type: string
                  statusCode:
                    example: 404
                    type: number
          description: Not found response.
        '409':
          content:
            application/json:
              examples:
                conflict:
                  summary: Import conflict
                  value:
                    body: Could not import timelines
                    statusCode: 409
              schema:
                type: object
                properties:
                  body:
                    description: The error message
                    example: Could not import timelines
                    type: string
                  statusCode:
                    example: 409
                    type: number
          description: Indicates the import of Timelines was unsuccessful.
      summary: Import Timelines
      tags:
        - Security Timeline API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/timeline/_prepackaged:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/timeline/_prepackaged</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Install or update prepackaged Timelines.
      operationId: InstallPrepackedTimelines
      requestBody:
        content:
          application/json:
            examples:
              emptyArrays:
                summary: Installer payload shape
                value:
                  prepackagedTimelines: []
                  timelinesToInstall: []
                  timelinesToUpdate: []
            schema:
              type: object
              properties:
                prepackagedTimelines:
                  items:
                    $ref: '#/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject'
                    nullable: true
                  type: array
                timelinesToInstall:
                  items:
                    $ref: '#/components/schemas/Security_Timeline_API_ImportTimelines'
                    nullable: true
                  type: array
                timelinesToUpdate:
                  items:
                    $ref: '#/components/schemas/Security_Timeline_API_ImportTimelines'
                    nullable: true
                  type: array
              required:
                - timelinesToInstall
                - timelinesToUpdate
                - prepackagedTimelines
        description: The Timelines to install or update.
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                installResult:
                  summary: Install result counts
                  value:
                    errors: []
                    success: true
                    success_count: 10
                    timelines_installed: 8
                    timelines_updated: 2
              schema:
                $ref: '#/components/schemas/Security_Timeline_API_ImportTimelineResult'
          description: Indicates a successful call.
        '500':
          content:
            application/json:
              examples:
                serverError:
                  summary: Server error
                  value:
                    body: Internal error
                    statusCode: 500
              schema:
                type: object
                properties:
                  body:
                    type: string
                  statusCode:
                    type: number
          description: Indicates the installation of prepackaged Timelines was unsuccessful.
      summary: Install prepackaged Timelines
      tags:
        - Security Timeline API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/timeline/resolve:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/timeline/resolve</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Resolve a Timeline or Timeline template, surfacing outcomes such as `exactMatch`, `aliasMatch`, or `conflict` when object IDs have been remapped during upgrades or imports. Provide **either** `id` for default Timelines or `template_timeline_id` for templates.
      operationId: ResolveTimeline
      parameters:
        - description: The ID of the template timeline to resolve
          in: query
          name: template_timeline_id
          schema:
            type: string
        - description: The ID of the timeline to resolve
          in: query
          name: id
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                exactMatch:
                  description: Timeline resolved without alias or conflict
                  summary: Exact match outcome
                  value:
                    outcome: exactMatch
                    timeline:
                      savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
                      timelineType: default
                      title: Investigation
              schema:
                $ref: '#/components/schemas/Security_Timeline_API_ResolvedTimeline'
          description: Indicates a successful call.
        '400':
          content:
            application/json:
              examples:
                badRequest:
                  summary: Bad request
                  value: {}
              schema:
                additionalProperties: true
                type: object
          description: Bad Request response.
        '404':
          content:
            application/json:
              examples:
                notFound:
                  summary: Not found
                  value: {}
              schema:
                additionalProperties: true
                type: object
          description: The (template) Timeline was not found
      summary: Resolve a Timeline or Timeline template
      tags:
        - Security Timeline API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/timelines:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/timelines</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Get a list of all saved Timelines or Timeline templates.
      operationId: GetTimelines
      parameters:
        - description: If `true`, only Timelines that the current user has marked as favorite are returned.
          in: query
          name: only_user_favorite
          schema:
            enum:
              - 'true'
              - 'false'
            nullable: true
            type: string
        - description: Restrict results to `default` investigation timelines or `template` timeline templates.
          in: query
          name: timeline_type
          schema:
            $ref: '#/components/schemas/Security_Timeline_API_TimelineType'
            nullable: true
        - description: Field used to sort the list (`title`, `description`, `updated`, or `created`).
          in: query
          name: sort_field
          schema:
            $ref: '#/components/schemas/Security_Timeline_API_SortFieldTimeline'
        - description: Whether to sort the results in ascending (`asc`) or descending (`desc`) order
          in: query
          name: sort_order
          schema:
            enum:
              - asc
              - desc
            type: string
        - description: How many results should be returned at once
          in: query
          name: page_size
          schema:
            nullable: true
            type: string
        - description: How many pages should be skipped
          in: query
          name: page_index
          schema:
            nullable: true
            type: string
        - description: Searches for timelines by their title
          in: query
          name: search
          schema:
            nullable: true
            type: string
        - description: Filter by timeline lifecycle state (`active`, `draft`, or `immutable`).
          in: query
          name: status
          schema:
            $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus'
            nullable: true
      responses:
        '200':
          content:
            application/json:
              examples:
                timelineList:
                  summary: Example list response
                  value:
                    customTemplateTimelineCount: 0
                    defaultTimelineCount: 1
                    elasticTemplateTimelineCount: 0
                    favoriteCount: 0
                    templateTimelineCount: 0
                    timeline:
                      - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
                        status: active
                        timelineType: default
                        title: Phishing investigation
                        updated: 1741344876825
                        version: WzE0LDFd
                    totalCount: 1
              schema:
                type: object
                properties:
                  customTemplateTimelineCount:
                    description: The number of custom Timeline templates in the results
                    example: 2
                    type: number
                  defaultTimelineCount:
                    description: The number of `default` type Timelines in the results
                    example: 90
                    type: number
                  elasticTemplateTimelineCount:
                    description: The number of Elastic's Timeline templates in the results
                    example: 8
                    type: number
                  favoriteCount:
                    description: The number of favorited Timelines
                    example: 5
                    type: number
                  templateTimelineCount:
                    description: The number of Timeline templates in the results
                    example: 10
                    type: number
                  timeline:
                    items:
                      $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse'
                    type: array
                  totalCount:
                    description: The total number of results
                    example: 100
                    type: number
                required:
                  - timeline
                  - totalCount
          description: Indicates a successful call.
        '400':
          content:
            application/json:
              examples:
                badRequest:
                  summary: Error response body
                  value:
                    body: get timeline error
                    statusCode: 400
              schema:
                type: object
                properties:
                  body:
                    description: The error message.
                    example: get timeline error
                    type: string
                  statusCode:
                    example: 400
                    type: number
          description: Bad Request response.
      summary: Get Timelines or Timeline templates
      tags:
        - Security Timeline API
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/workflows:
    delete:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/workflows</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Delete multiple workflows by their IDs.<br/><br/>[Required authorization] Route required privileges: workflowsManagement:delete.
      operationId: delete-workflows
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: When true, permanently deletes the workflows (hard delete) instead of soft-deleting them. The workflow IDs become available for reuse.
          in: query
          name: force
          required: false
          schema:
            default: false
            type: boolean
      requestBody:
        content:
          application/json:
            examples:
              bulkDeleteWorkflowsRequestExample:
                description: Example request for deleting multiple workflows
                value:
                  ids:
                    - workflow-c3d4e5f6-a7b8-9012-cdef-234567890123
                    - workflow-d4e5f6a7-b8c9-0123-defa-345678901234
            schema:
              additionalProperties: false
              type: object
              properties:
                ids:
                  description: Array of workflow IDs to delete.
                  items:
                    description: Workflow ID to delete.
                    type: string
                  maxItems: 1000
                  type: array
              required:
                - ids
      responses:
        '200':
          content:
            application/json:
              examples:
                bulkDeleteWorkflowsResponseExample:
                  description: Example response after deleting multiple workflows
                  value:
                    deleted: 2
                    failures: []
                    total: 2
          description: Indicates a successful response
      summary: Bulk delete workflows
      tags:
        - workflows
      x-codeSamples:
        - label: Soft delete (default)
          lang: curl
          source: |
            curl \
              -X DELETE "${KIBANA_URL}/api/workflows" \
              -H "Authorization: ApiKey ${API_KEY}" \
              -H "kbn-xsrf: true" \
              -H "Content-Type: application/json" \
              -d '{
                "ids": ["workflow-c3d4e5f6-a7b8-9012-cdef-234567890123", "workflow-d4e5f6a7-b8c9-0123-defa-345678901234"]
              }'
        - label: Hard delete (permanent)
          lang: curl
          source: |
            curl \
              -X DELETE "${KIBANA_URL}/api/workflows?force=true" \
              -H "Authorization: ApiKey ${API_KEY}" \
              -H "kbn-xsrf: true" \
              -H "Content-Type: application/json" \
              -d '{
                "ids": ["workflow-c3d4e5f6-a7b8-9012-cdef-234567890123", "workflow-d4e5f6a7-b8c9-0123-defa-345678901234"]
              }'
        - lang: Console
          source: |
            DELETE kbn:/api/workflows
            {
              "ids": ["workflow-c3d4e5f6-a7b8-9012-cdef-234567890123", "workflow-d4e5f6a7-b8c9-0123-defa-345678901234"]
            }
      x-state: Generally available
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/workflows</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Retrieve a paginated list of workflows with optional filtering.<br/><br/>[Required authorization] Route required privileges: workflowsManagement:read OR workflowsManagement:readExecution.
      operationId: get-workflows
      parameters:
        - description: Free-text search query.
          in: query
          name: query
          required: false
          schema:
            type: string
        - description: Number of results per page.
          in: query
          name: size
          required: false
          schema:
            minimum: 1
            type: number
        - description: Page number.
          in: query
          name: page
          required: false
          schema:
            minimum: 1
            type: number
        - description: Filter by enabled state.
          in: query
          name: enabled
          required: false
          schema:
            items:
              type: boolean
            maxItems: 2
            type: array
        - description: Filter by creator.
          in: query
          name: createdBy
          required: false
          schema:
            items:
              type: string
            maxItems: 1000
            type: array
        - description: Filter by tags.
          in: query
          name: tags
          required: false
          schema:
            items:
              type: string
            maxItems: 1000
            type: array
      responses:
        '200':
          content:
            application/json:
              examples:
                getWorkflowsResponseExample:
                  description: Example response returning a paginated list of workflows
                  value:
                    page: 1
                    results:
                      - createdAt: '2025-11-20T10:30:00.000Z'
                        definition:
                          description: This is a workflow example
                          enabled: true
                          inputs:
                            - default: hello world
                              name: message
                              type: string
                          name: Example definition
                          steps:
                            - name: hello_world_step
                              type: console
                              with:
                                message: '{{ inputs.message }}'
                          triggers:
                            - type: manual
                        description: This is a workflow example
                        enabled: true
                        history:
                          - duration: 5000
                            finishedAt: '2025-11-20T12:00:05.000Z'
                            id: exec-001
                            startedAt: '2025-11-20T12:00:00.000Z'
                            status: completed
                            workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890
                            workflowName: Example definition
                        id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890
                        name: Example definition
                        tags:
                          - example
                        valid: true
                    size: 20
                    total: 1
          description: Indicates a successful response
      summary: Get workflows
      tags:
        - workflows
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X GET "${KIBANA_URL}/api/workflows?size=20&page=1" \
              -H "Authorization: ApiKey ${API_KEY}"
        - lang: Console
          source: |
            GET kbn:/api/workflows?size=20&page=1
      x-state: Generally available
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/workflows</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Create multiple workflows in a single request. Optionally overwrite existing workflows.<br/><br/>[Required authorization] Route required privileges: workflowsManagement:create AND workflowsManagement:update.
      operationId: post-workflows
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: Whether to overwrite existing workflows.
          in: query
          name: overwrite
          required: false
          schema:
            default: false
            type: boolean
      requestBody:
        content:
          application/json:
            examples:
              bulkCreateWorkflowsRequestExample:
                description: Example request for creating multiple workflows at once
                value:
                  workflows:
                    - yaml: |
                        name: Example definition
                        enabled: true
                        description: This is a workflow example
                        triggers:
                          - type: manual
                        inputs:
                          - name: message
                            type: string
                            default: "hello world"
                        steps:
                          - name: hello_world_step
                            type: console
                            with:
                              message: "{{ inputs.message }}"
                    - id: workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901
                      yaml: |
                        name: Second workflow
                        enabled: false
                        description: Another workflow
                        triggers:
                          - type: manual
                        steps:
                          - name: log_step
                            type: console
                            with:
                              message: "Hello from second workflow"
            schema:
              additionalProperties: false
              type: object
              properties:
                workflows:
                  items:
                    type: object
                    properties:
                      id:
                        maxLength: 255
                        minLength: 3
                        pattern: ^[a-z0-9]([a-z0-9-]*[a-z0-9])?$
                        type: string
                      yaml:
                        maxLength: 1048576
                        type: string
                    required:
                      - yaml
                  maxItems: 500
                  type: array
              required:
                - workflows
      responses:
        '200':
          content:
            application/json:
              examples:
                bulkCreateWorkflowsResponseExample:
                  description: Example response after creating multiple workflows
                  value:
                    created:
                      - id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890
                        name: Example definition
                      - id: workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901
                        name: Second workflow
                    failures: []
                    total: 2
          description: Indicates a successful response
      summary: Bulk create workflows
      tags:
        - workflows
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X POST "${KIBANA_URL}/api/workflows?overwrite=false" \
              -H "Authorization: ApiKey ${API_KEY}" \
              -H "kbn-xsrf: true" \
              -H "Content-Type: application/json" \
              -d '{
                "workflows": [
                  { "yaml": "name: Example definition\nenabled: true\ndescription: This is a workflow example\ntriggers:\n  - type: manual\ninputs:\n  - name: message\n    type: string\n    default: \"hello world\"\nsteps:\n  - name: hello_world_step\n    type: console\n    with:\n      message: \"{{ inputs.message }}\"\n" },
                  { "id": "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901", "yaml": "name: Second workflow\nenabled: false\ndescription: Another workflow\ntriggers:\n  - type: manual\nsteps:\n  - name: log_step\n    type: console\n    with:\n      message: \"Hello from second workflow\"\n" }
                ]
              }'
        - lang: Console
          source: |
            POST kbn:/api/workflows?overwrite=false
            {
              "workflows": [
                { "yaml": "name: Example definition\nenabled: true\ndescription: This is a workflow example\ntriggers:\n  - type: manual\ninputs:\n  - name: message\n    type: string\n    default: \"hello world\"\nsteps:\n  - name: hello_world_step\n    type: console\n    with:\n      message: \"{{ inputs.message }}\"\n" },
                { "id": "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901", "yaml": "name: Second workflow\nenabled: false\ndescription: Another workflow\ntriggers:\n  - type: manual\nsteps:\n  - name: log_step\n    type: console\n    with:\n      message: \"Hello from second workflow\"\n" }
              ]
            }
      x-state: Generally available
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/workflows/aggs:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/workflows/aggs</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Retrieve distinct values and their counts for the specified workflow fields. Useful for building filters such as lists of tags or creators.<br/><br/>[Required authorization] Route required privileges: workflowsManagement:read.
      operationId: get-workflows-aggs
      parameters:
        - description: Field or fields to aggregate on.
          in: query
          name: fields
          required: true
          schema:
            description: Fields to aggregate on.
            items:
              description: Field name to aggregate.
              type: string
            maxItems: 25
            minItems: 1
            type: array
      responses:
        '200':
          content:
            application/json:
              examples:
                getAggsResponseExample:
                  description: Example response with tag and createdBy aggregations
                  value:
                    createdBy:
                      - doc_count: 2
                        key: elastic
                    tags:
                      - doc_count: 1
                        key: reporting
                      - doc_count: 1
                        key: security
                      - doc_count: 1
                        key: triage
          description: Indicates a successful response
      summary: Get workflow aggregations
      tags:
        - workflows
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X GET "${KIBANA_URL}/api/workflows/aggs?fields=tags&fields=createdBy" \
              -H "Authorization: ApiKey ${API_KEY}"
        - lang: Console
          source: |
            GET kbn:/api/workflows/aggs?fields=tags&fields=createdBy
      x-state: Generally available
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/workflows/connectors:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/workflows/connectors</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Retrieve the Kibana action connectors that can be used in workflow steps, grouped by connector type. Each type includes its configured instances and availability status.<br/><br/>[Required authorization] Route required privileges: workflowsManagement:read.
      operationId: get-workflows-connectors
      parameters: []
      responses:
        '200':
          content:
            application/json:
              examples:
                getConnectorsResponseExample:
                  description: Example response with available connector types and their instances
                  value:
                    connectorTypes:
                      .email:
                        actionTypeId: .email
                        displayName: Email
                        enabled: true
                        enabledInConfig: true
                        enabledInLicense: true
                        instances: []
                        minimumLicenseRequired: gold
                        subActions:
                          - displayName: Send
                            name: send
                      .slack_api:
                        actionTypeId: .slack_api
                        displayName: Slack
                        enabled: true
                        enabledInConfig: true
                        enabledInLicense: true
                        instances:
                          - id: slack-connector-1
                            isDeprecated: false
                            isPreconfigured: false
                            name: Team Notifications
                        minimumLicenseRequired: gold
                        subActions:
                          - displayName: Post Message
                            name: postMessage
                    totalConnectors: 1
          description: Indicates a successful response
      summary: Get available connectors
      tags:
        - workflows
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X GET "${KIBANA_URL}/api/workflows/connectors" \
              -H "Authorization: ApiKey ${API_KEY}"
        - lang: Console
          source: |
            GET kbn:/api/workflows/connectors
      x-state: Generally available
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/workflows/executions/{executionId}:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/workflows/executions/{executionId}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Retrieve details of a single workflow execution by its ID.<br/><br/>[Required authorization] Route required privileges: workflowsManagement:readExecution.
      operationId: get-workflows-executions-executionid
      parameters:
        - description: Workflow execution ID
          in: path
          name: executionId
          required: true
          schema:
            type: string
        - description: Include execution input data.
          in: query
          name: includeInput
          required: false
          schema:
            default: false
            type: boolean
        - description: Include execution output data.
          in: query
          name: includeOutput
          required: false
          schema:
            default: false
            type: boolean
      responses:
        '200':
          content:
            application/json:
              examples:
                getExecutionResponseExample:
                  description: Example response returning a workflow execution with step details
                  value:
                    duration: 3000
                    executedBy: elastic
                    finishedAt: '2025-11-20T12:00:03.000Z'
                    id: exec-a1b2c3d4-e5f6-7890
                    input:
                      message: hello world
                    isTestRun: false
                    output: hello world
                    spaceId: default
                    startedAt: '2025-11-20T12:00:00.000Z'
                    status: completed
                    stepExecutions:
                      - executionTimeMs: 1000
                        finishedAt: '2025-11-20T12:00:02.000Z'
                        globalExecutionIndex: 0
                        id: step-exec-001
                        isTestRun: false
                        scopeStack: []
                        spaceId: default
                        startedAt: '2025-11-20T12:00:01.000Z'
                        status: completed
                        stepExecutionIndex: 0
                        stepId: hello_world_step
                        stepType: console
                        topologicalIndex: 0
                        workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890
                        workflowRunId: exec-a1b2c3d4-e5f6-7890
                    triggeredBy: manual
                    workflowDefinition:
                      description: This is a workflow example
                      enabled: true
                      inputs:
                        - default: hello world
                          name: message
                          type: string
                      name: Example definition
                      steps:
                        - name: hello_world_step
                          type: console
                          with:
                            message: '{{ inputs.message }}'
                      triggers:
                        - type: manual
                    workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890
                    yaml: |
                      name: Example definition
                      enabled: true
                      description: This is a workflow example
                      triggers:
                        - type: manual
                      inputs:
                        - name: message
                          type: string
                          default: "hello world"
                      steps:
                        - name: hello_world_step
                          type: console
                          with:
                            message: "{{ inputs.message }}"
          description: Indicates a successful response
      summary: Get a workflow execution
      tags:
        - workflows
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X GET "${KIBANA_URL}/api/workflows/executions/{executionId}?includeInput=true&includeOutput=true" \
              -H "Authorization: ApiKey ${API_KEY}"
        - lang: Console
          source: |
            GET kbn:/api/workflows/executions/{executionId}?includeInput=true&includeOutput=true
      x-state: Generally available
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/workflows/executions/{executionId}/cancel:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/workflows/executions/{executionId}/cancel</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Cancel a running workflow execution by its ID.<br/><br/>[Required authorization] Route required privileges: workflowsManagement:cancelExecution.
      operationId: post-workflows-executions-executionid-cancel
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: Workflow execution ID
          in: path
          name: executionId
          required: true
          schema:
            type: string
      responses:
        '200':
          description: Indicates a successful response
      summary: Cancel a workflow execution
      tags:
        - workflows
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X POST "${KIBANA_URL}/api/workflows/executions/{executionId}/cancel" \
              -H "Authorization: ApiKey ${API_KEY}" \
              -H "kbn-xsrf: true"
        - lang: Console
          source: |
            POST kbn:/api/workflows/executions/{executionId}/cancel
      x-state: Generally available
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/workflows/executions/{executionId}/children:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/workflows/executions/{executionId}/children</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Retrieve child workflow executions spawned by sub-workflow steps within a parent execution.<br/><br/>[Required authorization] Route required privileges: workflowsManagement:readExecution.
      operationId: get-workflows-executions-executionid-children
      parameters:
        - description: Workflow execution ID
          in: path
          name: executionId
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                getChildrenExecutionsResponseExample:
                  description: Example response returning child workflow executions spawned by sub-workflow steps
                  value:
                    - executionId: child-exec-001
                      parentStepExecutionId: step-exec-003
                      status: completed
                      stepExecutions:
                        - executionTimeMs: 1000
                          finishedAt: '2025-11-20T12:00:07.000Z'
                          globalExecutionIndex: 0
                          id: child-step-001
                          isTestRun: false
                          scopeStack: []
                          startedAt: '2025-11-20T12:00:06.000Z'
                          status: completed
                          stepExecutionIndex: 0
                          stepId: hello_world_step
                          stepType: console
                          topologicalIndex: 0
                          workflowId: workflow-e5f6a7b8-c9d0-1234-efab-456789012345
                          workflowRunId: child-exec-001
                      workflowId: workflow-e5f6a7b8-c9d0-1234-efab-456789012345
                      workflowName: Child Workflow
          description: Indicates a successful response
      summary: Get child executions
      tags:
        - workflows
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X GET "${KIBANA_URL}/api/workflows/executions/{executionId}/children" \
              -H "Authorization: ApiKey ${API_KEY}"
        - lang: Console
          source: |
            GET kbn:/api/workflows/executions/{executionId}/children
      x-state: Generally available
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/workflows/executions/{executionId}/logs:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/workflows/executions/{executionId}/logs</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Retrieve paginated logs for a workflow execution. Optionally filter by a specific step execution.<br/><br/>[Required authorization] Route required privileges: workflowsManagement:readExecution.
      operationId: get-workflows-executions-executionid-logs
      parameters:
        - description: Workflow execution ID
          in: path
          name: executionId
          required: true
          schema:
            type: string
        - description: Filter logs by a specific step execution ID.
          in: query
          name: stepExecutionId
          required: false
          schema:
            type: string
        - description: Number of log entries per page.
          in: query
          name: size
          required: false
          schema:
            default: 100
            maximum: 100
            minimum: 1
            type: number
        - description: Page number.
          in: query
          name: page
          required: false
          schema:
            default: 1
            minimum: 1
            type: number
        - description: Field to sort by.
          in: query
          name: sortField
          required: false
          schema:
            type: string
        - description: Sort order.
          in: query
          name: sortOrder
          required: false
          schema:
            enum:
              - asc
              - desc
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                getExecutionLogsResponseExample:
                  description: Example response returning paginated execution logs
                  value:
                    logs:
                      - additionalData:
                          executionId: exec-a1b2c3d4-e5f6-7890
                          workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890
                        connectorType: console
                        duration: 150
                        id: log-001
                        level: info
                        message: Workflow execution started
                        stepId: hello_world_step
                        stepName: Hello World
                        timestamp: '2025-11-20T12:00:01.000Z'
                      - additionalData:
                          executionId: exec-a1b2c3d4-e5f6-7890
                          workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890
                        connectorType: console
                        duration: 200
                        id: log-002
                        level: info
                        message: Step completed successfully
                        stepId: hello_world_step
                        stepName: Hello World
                        timestamp: '2025-11-20T12:00:02.000Z'
                    page: 1
                    size: 100
                    total: 2
          description: Indicates a successful response
      summary: Get execution logs
      tags:
        - workflows
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X GET "${KIBANA_URL}/api/workflows/executions/{executionId}/logs?size=100&page=1" \
              -H "Authorization: ApiKey ${API_KEY}"
        - lang: Console
          source: |
            GET kbn:/api/workflows/executions/{executionId}/logs?size=100&page=1
      x-state: Generally available
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/workflows/executions/{executionId}/resume:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/workflows/executions/{executionId}/resume</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Resume a paused workflow execution with the provided input.<br/><br/>[Required authorization] Route required privileges: workflowsManagement:execute.
      operationId: post-workflows-executions-executionid-resume
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: Workflow execution ID
          in: path
          name: executionId
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            examples:
              resumeExecutionRequestExample:
                description: Example request to resume a paused workflow execution
                value:
                  input:
                    approved: true
                    comment: Approved by analyst
            schema:
              additionalProperties: false
              type: object
              properties:
                input:
                  additionalProperties:
                    nullable: true
                  description: Input data to resume the execution with.
                  type: object
              required:
                - input
      responses:
        '200':
          content:
            application/json:
              examples:
                resumeExecutionResponseExample:
                  description: Example response confirming the resume was scheduled
                  value:
                    executionId: exec-a1b2c3d4-e5f6-7890
                    message: Workflow resume scheduled
                    success: true
          description: Indicates a successful response
      summary: Resume a workflow execution
      tags:
        - workflows
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X POST "${KIBANA_URL}/api/workflows/executions/{executionId}/resume" \
              -H "Authorization: ApiKey ${API_KEY}" \
              -H "kbn-xsrf: true" \
              -H "Content-Type: application/json" \
              -d '{
                "input": {
                  "approved": true,
                  "comment": "Approved by analyst"
                }
              }'
        - lang: Console
          source: |
            POST kbn:/api/workflows/executions/{executionId}/resume
            {
              "input": {
                "approved": true,
                "comment": "Approved by analyst"
              }
            }
      x-state: Generally available
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/workflows/executions/{executionId}/step/{stepExecutionId}:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/workflows/executions/{executionId}/step/{stepExecutionId}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Retrieve details of a single step execution within a workflow execution.<br/><br/>[Required authorization] Route required privileges: workflowsManagement:readExecution.
      operationId: get-workflows-executions-executionid-step-stepexecutionid
      parameters:
        - description: Workflow execution ID.
          in: path
          name: executionId
          required: true
          schema:
            type: string
        - description: Step execution ID.
          in: path
          name: stepExecutionId
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                getStepExecutionResponseExample:
                  description: Example response returning a single step execution
                  value:
                    error: null
                    executionTimeMs: 1000
                    finishedAt: '2025-11-20T12:00:02.000Z'
                    globalExecutionIndex: 0
                    id: step-exec-001
                    input:
                      message: hello world
                    isTestRun: false
                    output: hello world
                    scopeStack: []
                    spaceId: default
                    startedAt: '2025-11-20T12:00:01.000Z'
                    state: null
                    status: completed
                    stepExecutionIndex: 0
                    stepId: hello_world_step
                    stepType: console
                    topologicalIndex: 0
                    workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890
                    workflowRunId: exec-a1b2c3d4-e5f6-7890
          description: Indicates a successful response
      summary: Get a step execution
      tags:
        - workflows
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X GET "${KIBANA_URL}/api/workflows/executions/{executionId}/step/{stepExecutionId}" \
              -H "Authorization: ApiKey ${API_KEY}"
        - lang: Console
          source: |
            GET kbn:/api/workflows/executions/{executionId}/step/{stepExecutionId}
      x-state: Generally available
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/workflows/export:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/workflows/export</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Export one or more workflows as JSON with YAML content and metadata.<br/><br/>[Required authorization] Route required privileges: workflowsManagement:read.
      operationId: post-workflows-export
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            examples:
              exportWorkflowsRequestExample:
                description: Example request to export workflows
                value:
                  ids:
                    - workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890
                    - workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901
            schema:
              additionalProperties: false
              type: object
              properties:
                ids:
                  description: Array of workflow IDs to export.
                  items:
                    description: Workflow ID to export.
                    maxLength: 255
                    type: string
                  maxItems: 500
                  minItems: 1
                  type: array
              required:
                - ids
      responses:
        '200':
          content:
            application/json:
              examples:
                exportWorkflowsResponseExample:
                  description: Workflow entries with YAML content and export manifest
                  value:
                    entries:
                      - id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890
                        yaml: |-
                          name: My Workflow
                          steps:
                            - type: http.request
                              with:
                                url: https://example.com
                      - id: workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901
                        yaml: |-
                          name: Another Workflow
                          steps:
                            - type: http.request
                              with:
                                url: https://example.com
                    manifest:
                      exportedAt: '2026-03-26T12:00:00.000Z'
                      exportedCount: 2
                      version: '1'
          description: JSON containing exported workflow YAML entries and manifest metadata
      summary: Export workflows
      tags:
        - workflows
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X POST "${KIBANA_URL}/api/workflows/export" \
              -H "Authorization: ApiKey ${API_KEY}" \
              -H "kbn-xsrf: true" \
              -H "Content-Type: application/json" \
              -d '{
                "ids": ["workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901"]
              }'
        - lang: Console
          source: |
            POST kbn:/api/workflows/export
            {
              "ids": ["workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901"]
            }
      x-state: Generally available
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/workflows/mget:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/workflows/mget</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Retrieve multiple workflows by their IDs in a single request. Optionally use the `source` parameter to return only specific fields from each workflow document.<br/><br/>[Required authorization] Route required privileges: workflowsManagement:read.
      operationId: post-workflows-mget
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            examples:
              mgetWorkflowsRequestExample:
                description: Example request to retrieve multiple workflows by their IDs
                value:
                  ids:
                    - workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890
                    - workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901
                  source:
                    - name
                    - enabled
            schema:
              additionalProperties: false
              type: object
              properties:
                ids:
                  description: Array of workflow IDs to look up.
                  items:
                    description: Workflow ID.
                    maxLength: 255
                    type: string
                  maxItems: 500
                  minItems: 1
                  type: array
                source:
                  description: Array of source fields to include.
                  items:
                    description: Source field.
                    maxLength: 255
                    type: string
                  maxItems: 10
                  minItems: 1
                  type: array
              required:
                - ids
      responses:
        '200':
          content:
            application/json:
              examples:
                mgetWorkflowsResponseExample:
                  description: Example response returning the requested workflows with projected fields
                  value:
                    - enabled: true
                      id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890
                      name: Example definition
                    - enabled: false
                      id: workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901
                      name: Second workflow
          description: Indicates a successful response
      summary: Get workflows by IDs
      tags:
        - workflows
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X POST "${KIBANA_URL}/api/workflows/mget" \
              -H "Authorization: ApiKey ${API_KEY}" \
              -H "kbn-xsrf: true" \
              -H "Content-Type: application/json" \
              -d '{
                "ids": ["workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901"],
                "source": ["name", "enabled"]
              }'
        - lang: Console
          source: |
            POST kbn:/api/workflows/mget
            {
              "ids": ["workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901"],
              "source": ["name", "enabled"]
            }
      x-state: Generally available
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/workflows/schema:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/workflows/schema</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Retrieve the JSON schema used to validate workflow YAML definitions. The schema includes available step types based on the configured connectors in the current space.<br/><br/>[Required authorization] Route required privileges: workflowsManagement:read.
      operationId: get-workflows-schema
      parameters:
        - description: When true, returns a permissive schema that allows additional properties. When false, returns a strict schema for full validation.
          in: query
          name: loose
          required: true
          schema:
            type: boolean
      responses:
        '200':
          content:
            application/json:
              examples:
                getSchemaResponseExample:
                  description: Example response returning the workflow JSON schema (truncated)
                  value:
                    $schema: http://json-schema.org/draft-07/schema#
                    type: object
                    properties:
                      description:
                        type: string
                      enabled:
                        default: true
                        type: boolean
                      name:
                        minLength: 1
                        type: string
                      tags:
                        items:
                          type: string
                        type: array
                      version:
                        const: '1'
                        default: '1'
                        description: The version of the workflow schema
                        type: string
                    required:
                      - name
                      - triggers
                      - steps
          description: Indicates a successful response
      summary: Get workflow JSON schema
      tags:
        - workflows
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X GET "${KIBANA_URL}/api/workflows/schema?loose=false" \
              -H "Authorization: ApiKey ${API_KEY}"
        - lang: Console
          source: |
            GET kbn:/api/workflows/schema?loose=false
      x-state: Generally available
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/workflows/stats:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/workflows/stats</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Retrieve summary statistics about workflows, including total, enabled, and disabled counts; execution history metrics for the last 30 days are included only when the caller has execution read privilege.<br/><br/>[Required authorization] Route required privileges: workflowsManagement:read OR workflowsManagement:readExecution.
      operationId: get-workflows-stats
      parameters: []
      responses:
        '200':
          content:
            application/json:
              examples:
                getStatsResponseExample:
                  description: Example response with workflow counts and 30-day execution history
                  value:
                    executions:
                      - cancelled: 1
                        completed: 45
                        date: '2025-11-20'
                        failed: 2
                        timestamp: '2025-11-20T00:00:00.000Z'
                      - cancelled: 0
                        completed: 50
                        date: '2025-11-21'
                        failed: 0
                        timestamp: '2025-11-21T00:00:00.000Z'
                    workflows:
                      disabled: 3
                      enabled: 12
          description: Indicates a successful response
      summary: Get workflow statistics
      tags:
        - workflows
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X GET "${KIBANA_URL}/api/workflows/stats" \
              -H "Authorization: ApiKey ${API_KEY}"
        - lang: Console
          source: |
            GET kbn:/api/workflows/stats
      x-state: Generally available
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/workflows/step/test:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/workflows/step/test</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Execute a single step from a workflow definition in test mode.<br/><br/>[Required authorization] Route required privileges: workflowsManagement:execute AND workflowsManagement:read.
      operationId: post-workflows-step-test
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            examples:
              testStepRequestExample:
                description: Example request to test a single workflow step
                value:
                  contextOverride:
                    inputs:
                      message: override message
                  stepId: hello_world_step
                  workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890
                  workflowYaml: |
                    name: Example definition
                    enabled: true
                    description: This is a workflow example
                    triggers:
                      - type: manual
                    inputs:
                      - name: message
                        type: string
                        default: "hello world"
                    steps:
                      - name: hello_world_step
                        type: console
                        with:
                          message: "{{ inputs.message }}"
            schema:
              additionalProperties: false
              type: object
              properties:
                contextOverride:
                  additionalProperties:
                    nullable: true
                  description: Context overrides for the step execution.
                  type: object
                executionContext:
                  additionalProperties:
                    nullable: true
                  description: Execution context for the step execution.
                  type: object
                stepId:
                  description: ID of the step to test.
                  type: string
                workflowId:
                  description: ID of the workflow containing the step.
                  type: string
                workflowYaml:
                  description: YAML definition of the workflow containing the step.
                  type: string
              required:
                - stepId
                - contextOverride
                - workflowYaml
      responses:
        '200':
          content:
            application/json:
              examples:
                testStepResponseExample:
                  description: Example response returning the step test execution ID
                  value:
                    workflowExecutionId: step-test-exec-a1b2c3d4
          description: Indicates a successful response
      summary: Test a workflow step
      tags:
        - workflows
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X POST "${KIBANA_URL}/api/workflows/step/test" \
              -H "Authorization: ApiKey ${API_KEY}" \
              -H "kbn-xsrf: true" \
              -H "Content-Type: application/json" \
              -d '{
                "stepId": "hello_world_step",
                "workflowId": "workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890",
                "workflowYaml": "name: Example definition\nenabled: true\ntriggers:\n  - type: manual\ninputs:\n  - name: message\n    type: string\n    default: \"hello world\"\nsteps:\n  - name: hello_world_step\n    type: console\n    with:\n      message: \"{{ inputs.message }}\"",
                "contextOverride": { "inputs": { "message": "override message" } }
              }'
        - lang: Console
          source: |
            POST kbn:/api/workflows/step/test
            {
              "stepId": "hello_world_step",
              "workflowId": "workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890",
              "workflowYaml": "name: Example definition\nenabled: true\ntriggers:\n  - type: manual\ninputs:\n  - name: message\n    type: string\n    default: \"hello world\"\nsteps:\n  - name: hello_world_step\n    type: console\n    with:\n      message: \"{{ inputs.message }}\"",
              "contextOverride": { "inputs": { "message": "override message" } }
            }
      x-state: Generally available
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/workflows/test:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/workflows/test</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Execute a workflow in test mode without requiring it to be saved or enabled. Provide a workflow ID to test a saved workflow, a YAML definition to test an unsaved draft, or both to test a modified version of an existing workflow.<br/><br/>[Required authorization] Route required privileges: workflowsManagement:execute AND workflowsManagement:read.
      operationId: post-workflows-test
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            examples:
              testWorkflowByIdRequestExample:
                description: Example request to test a saved workflow by its ID
                value:
                  inputs:
                    message: test message
                  workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890
              testWorkflowByYamlRequestExample:
                description: Example request to test an unsaved workflow YAML draft
                value:
                  inputs:
                    message: test message
                  workflowYaml: |
                    name: Example definition
                    enabled: true
                    description: This is a workflow example
                    triggers:
                      - type: manual
                    inputs:
                      - name: message
                        type: string
                        default: "hello world"
                    steps:
                      - name: hello_world_step
                        type: console
                        with:
                          message: "{{ inputs.message }}"
            schema:
              additionalProperties: false
              type: object
              properties:
                inputs:
                  additionalProperties:
                    nullable: true
                  description: Key-value inputs for the test execution.
                  type: object
                workflowId:
                  description: ID of an existing workflow to test.
                  type: string
                workflowYaml:
                  description: YAML definition to test.
                  type: string
              required:
                - inputs
      responses:
        '200':
          content:
            application/json:
              examples:
                testWorkflowResponseExample:
                  description: Example response returning the test execution ID
                  value:
                    workflowExecutionId: test-exec-a1b2c3d4-e5f6
          description: Indicates a successful response
      summary: Test a workflow
      tags:
        - workflows
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X POST "${KIBANA_URL}/api/workflows/test" \
              -H "Authorization: ApiKey ${API_KEY}" \
              -H "kbn-xsrf: true" \
              -H "Content-Type: application/json" \
              -d '{
                "workflowId": "workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890",
                "inputs": { "message": "test message" }
              }'
        - lang: Console
          source: |
            POST kbn:/api/workflows/test
            {
              "workflowId": "workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890",
              "inputs": { "message": "test message" }
            }
      x-state: Generally available
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/workflows/workflow:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/workflows/workflow</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Create a new workflow from a YAML definition. The YAML is validated and parsed before the workflow is saved. An optional custom ID can be provided.<br/><br/>[Required authorization] Route required privileges: workflowsManagement:create.
      operationId: post-workflows-workflow
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
      requestBody:
        content:
          application/json:
            examples:
              createWorkflowRequestExample:
                description: Example request for creating a workflow from a YAML definition
                value:
                  yaml: |
                    name: Example definition
                    enabled: true
                    description: This is a workflow example
                    triggers:
                      - type: manual
                    inputs:
                      - name: message
                        type: string
                        default: "hello world"
                    steps:
                      - name: hello_world_step
                        type: console
                        with:
                          message: "{{ inputs.message }}"
              createWorkflowWithIdRequestExample:
                description: Example request for creating a workflow with a custom ID
                value:
                  id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890
                  yaml: |
                    name: Example definition
                    enabled: true
                    description: This is a workflow example
                    triggers:
                      - type: manual
                    inputs:
                      - name: message
                        type: string
                        default: "hello world"
                    steps:
                      - name: hello_world_step
                        type: console
                        with:
                          message: "{{ inputs.message }}"
            schema:
              additionalProperties: false
              type: object
              properties:
                id:
                  maxLength: 255
                  minLength: 3
                  pattern: ^[a-z0-9]([a-z0-9-]*[a-z0-9])?$
                  type: string
                yaml:
                  maxLength: 1048576
                  type: string
              required:
                - yaml
      responses:
        '200':
          content:
            application/json:
              examples:
                createWorkflowResponseExample:
                  description: Example response returning the created workflow
                  value:
                    createdAt: '2025-11-20T10:30:00.000Z'
                    createdBy: elastic
                    definition:
                      description: This is a workflow example
                      enabled: true
                      inputs:
                        - default: hello world
                          name: message
                          type: string
                      name: Example definition
                      steps:
                        - name: hello_world_step
                          type: console
                          with:
                            message: '{{ inputs.message }}'
                      triggers:
                        - type: manual
                    description: This is a workflow example
                    enabled: true
                    id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890
                    lastUpdatedAt: '2025-11-20T10:30:00.000Z'
                    lastUpdatedBy: elastic
                    name: Example definition
                    valid: true
                    yaml: |
                      name: Example definition
                      enabled: true
                      description: This is a workflow example
                      triggers:
                        - type: manual
                      inputs:
                        - name: message
                          type: string
                          default: "hello world"
                      steps:
                        - name: hello_world_step
                          type: console
                          with:
                            message: "{{ inputs.message }}"
          description: Indicates a successful response
      summary: Create a workflow
      tags:
        - workflows
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X POST "${KIBANA_URL}/api/workflows/workflow" \
              -H "Authorization: ApiKey ${API_KEY}" \
              -H "kbn-xsrf: true" \
              -H "Content-Type: application/json" \
              -d '{
                "yaml": "name: Example definition\nenabled: true\ndescription: This is a workflow example\ntriggers:\n  - type: manual\ninputs:\n  - name: message\n    type: string\n    default: \"hello world\"\nsteps:\n  - name: hello_world_step\n    type: console\n    with:\n      message: \"{{ inputs.message }}\"\n"
              }'
        - lang: Console
          source: |
            POST kbn:/api/workflows/workflow
            {
              "yaml": "name: Example definition\nenabled: true\ndescription: This is a workflow example\ntriggers:\n  - type: manual\ninputs:\n  - name: message\n    type: string\n    default: \"hello world\"\nsteps:\n  - name: hello_world_step\n    type: console\n    with:\n      message: \"{{ inputs.message }}\"\n"
            }
      x-state: Generally available
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/workflows/workflow/{id}:
    delete:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb delete">delete</span>&nbsp;<span class="operation-path">/s/{space_id}/api/workflows/workflow/{id}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Delete a single workflow by its ID.<br/><br/>[Required authorization] Route required privileges: workflowsManagement:delete.
      operationId: delete-workflows-workflow-id
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: Workflow ID
          in: path
          name: id
          required: true
          schema:
            type: string
        - description: When true, permanently deletes the workflow (hard delete) instead of soft-deleting it. The workflow ID becomes available for reuse.
          in: query
          name: force
          required: false
          schema:
            default: false
            type: boolean
      responses:
        '200':
          description: Indicates a successful response
      summary: Delete a workflow
      tags:
        - workflows
      x-codeSamples:
        - label: Soft delete (default)
          lang: curl
          source: |
            curl \
              -X DELETE "${KIBANA_URL}/api/workflows/workflow/{id}" \
              -H "Authorization: ApiKey ${API_KEY}" \
              -H "kbn-xsrf: true"
        - label: Hard delete (permanent)
          lang: curl
          source: |
            curl \
              -X DELETE "${KIBANA_URL}/api/workflows/workflow/{id}?force=true" \
              -H "Authorization: ApiKey ${API_KEY}" \
              -H "kbn-xsrf: true"
        - lang: Console
          source: |
            DELETE kbn:/api/workflows/workflow/{id}
      x-state: Generally available
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/workflows/workflow/{id}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Retrieve a single workflow by its ID.<br/><br/>[Required authorization] Route required privileges: workflowsManagement:read.
      operationId: get-workflows-workflow-id
      parameters:
        - description: Workflow ID
          in: path
          name: id
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                getWorkflowResponseExample:
                  description: Example response returning a single workflow
                  value:
                    createdAt: '2025-11-20T10:30:00.000Z'
                    createdBy: elastic
                    definition:
                      description: This is a workflow example
                      enabled: true
                      inputs:
                        - default: hello world
                          name: message
                          type: string
                      name: Example definition
                      steps:
                        - name: hello_world_step
                          type: console
                          with:
                            message: '{{ inputs.message }}'
                      triggers:
                        - type: manual
                    description: This is a workflow example
                    enabled: true
                    id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890
                    lastUpdatedAt: '2025-11-21T14:00:00.000Z'
                    lastUpdatedBy: elastic
                    name: Example definition
                    valid: true
                    yaml: |
                      name: Example definition
                      enabled: true
                      description: This is a workflow example
                      triggers:
                        - type: manual
                      inputs:
                        - name: message
                          type: string
                          default: "hello world"
                      steps:
                        - name: hello_world_step
                          type: console
                          with:
                            message: "{{ inputs.message }}"
          description: Indicates a successful response
      summary: Get a workflow
      tags:
        - workflows
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X GET "${KIBANA_URL}/api/workflows/workflow/{id}" \
              -H "Authorization: ApiKey ${API_KEY}"
        - lang: Console
          source: |
            GET kbn:/api/workflows/workflow/{id}
      x-state: Generally available
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    put:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb put">put</span>&nbsp;<span class="operation-path">/s/{space_id}/api/workflows/workflow/{id}</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Partially update an existing workflow. You can update individual fields such as name, description, enabled state, tags, or the YAML definition without providing all fields.<br/><br/>[Required authorization] Route required privileges: workflowsManagement:update.
      operationId: put-workflows-workflow-id
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: Workflow ID
          in: path
          name: id
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            examples:
              updateWorkflowEnableExample:
                description: Example request to enable a workflow and update its tags
                value:
                  enabled: true
                  tags:
                    - production
              updateWorkflowFullExample:
                description: Example request to update multiple workflow fields
                value:
                  description: Updated workflow description
                  enabled: true
                  name: Updated example
                  tags:
                    - example
                    - updated
                  yaml: |
                    name: Updated example
                    enabled: true
                    description: Updated workflow description
                    triggers:
                      - type: manual
                    inputs:
                      - name: message
                        type: string
                        default: "hello world"
                    steps:
                      - name: hello_world_step
                        type: console
                        with:
                          message: "{{ inputs.message }}"
            schema:
              additionalProperties: false
              type: object
              properties:
                description:
                  type: string
                enabled:
                  type: boolean
                name:
                  type: string
                tags:
                  items:
                    type: string
                  type: array
                yaml:
                  type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                updateWorkflowResponseExample:
                  description: Example response returning the updated workflow
                  value:
                    enabled: false
                    id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890
                    lastUpdatedAt: '2026-03-23T13:38:59.568Z'
                    lastUpdatedBy: elastic
                    valid: true
                    validationErrors: []
          description: Indicates a successful response
      summary: Update a workflow
      tags:
        - workflows
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X PUT "${KIBANA_URL}/api/workflows/workflow/{id}" \
              -H "Authorization: ApiKey ${API_KEY}" \
              -H "kbn-xsrf: true" \
              -H "Content-Type: application/json" \
              -d '{
                "enabled": true,
                "tags": ["production"]
              }'
        - lang: Console
          source: |
            PUT kbn:/api/workflows/workflow/{id}
            {
              "enabled": true,
              "tags": ["production"]
            }
      x-state: Generally available
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/workflows/workflow/{id}/clone:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/workflows/workflow/{id}/clone</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Create a copy of an existing workflow.<br/><br/>[Required authorization] Route required privileges: workflowsManagement:create AND workflowsManagement:read.
      operationId: post-workflows-workflow-id-clone
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: Workflow ID
          in: path
          name: id
          required: true
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                cloneWorkflowResponseExample:
                  description: Example response returning the cloned workflow with a new ID
                  value:
                    createdAt: '2025-11-22T11:00:00.000Z'
                    createdBy: elastic
                    definition:
                      description: This is a workflow example
                      enabled: false
                      inputs:
                        - default: hello world
                          name: message
                          type: string
                      name: Example definition (copy)
                      steps:
                        - name: hello_world_step
                          type: console
                          with:
                            message: '{{ inputs.message }}'
                      triggers:
                        - type: manual
                    description: This is a workflow example
                    enabled: false
                    id: workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901
                    lastUpdatedAt: '2025-11-22T11:00:00.000Z'
                    lastUpdatedBy: elastic
                    name: Example definition (copy)
                    valid: true
                    yaml: |
                      name: Example definition (copy)
                      enabled: false
                      description: This is a workflow example
                      triggers:
                        - type: manual
                      inputs:
                        - name: message
                          type: string
                          default: "hello world"
                      steps:
                        - name: hello_world_step
                          type: console
                          with:
                            message: "{{ inputs.message }}"
          description: Indicates a successful response
      summary: Clone a workflow
      tags:
        - workflows
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X POST "${KIBANA_URL}/api/workflows/workflow/{id}/clone" \
              -H "Authorization: ApiKey ${API_KEY}" \
              -H "kbn-xsrf: true"
        - lang: Console
          source: |
            POST kbn:/api/workflows/workflow/{id}/clone
      x-state: Generally available
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/workflows/workflow/{id}/run:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/workflows/workflow/{id}/run</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Execute a workflow by its ID with the provided inputs. The workflow must be enabled and have a valid definition. Returns an execution ID that can be used to monitor progress.<br/><br/>[Required authorization] Route required privileges: workflowsManagement:execute AND workflowsManagement:read.
      operationId: post-workflows-workflow-id-run
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: Workflow ID
          in: path
          name: id
          required: true
          schema:
            type: string
      requestBody:
        content:
          application/json:
            examples:
              runWorkflowRequestExample:
                description: Example request to execute a workflow with inputs
                value:
                  inputs:
                    message: hello from the API
            schema:
              additionalProperties: false
              type: object
              properties:
                inputs:
                  additionalProperties:
                    nullable: true
                  description: Key-value inputs for the workflow execution.
                  type: object
                metadata:
                  additionalProperties:
                    nullable: true
                  description: Optional metadata for the execution.
                  type: object
              required:
                - inputs
      responses:
        '200':
          content:
            application/json:
              examples:
                runWorkflowResponseExample:
                  description: Example response returning the execution ID
                  value:
                    workflowExecutionId: exec-a1b2c3d4-e5f6-7890
          description: Indicates a successful response
      summary: Run a workflow
      tags:
        - workflows
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X POST "${KIBANA_URL}/api/workflows/workflow/{id}/run" \
              -H "Authorization: ApiKey ${API_KEY}" \
              -H "kbn-xsrf: true" \
              -H "Content-Type: application/json" \
              -d '{
                "inputs": {
                  "message": "hello from the API"
                }
              }'
        - lang: Console
          source: |
            POST kbn:/api/workflows/workflow/{id}/run
            {
              "inputs": {
                "message": "hello from the API"
              }
            }
      x-state: Generally available
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/workflows/workflow/{workflowId}/executions:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/workflows/workflow/{workflowId}/executions</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Retrieve a paginated list of executions for a specific workflow.<br/><br/>[Required authorization] Route required privileges: workflowsManagement:readExecution.
      operationId: get-workflows-workflow-workflowid-executions
      parameters:
        - description: Workflow ID
          in: path
          name: workflowId
          required: true
          schema:
            type: string
        - description: Filter by execution status.
          in: query
          name: statuses
          required: false
          schema:
            items:
              enum:
                - pending
                - waiting
                - waiting_for_input
                - running
                - completed
                - failed
                - cancelled
                - timed_out
                - skipped
              type: string
            maxItems: 9
            type: array
        - description: Filter by execution type.
          in: query
          name: executionTypes
          required: false
          schema:
            items:
              enum:
                - test
                - production
              type: string
            maxItems: 2
            type: array
        - description: Filter by the user who triggered the execution.
          in: query
          name: executedBy
          required: false
          schema:
            items:
              type: string
            maxItems: 100
            type: array
        - description: Whether to exclude step-level execution data.
          in: query
          name: omitStepRuns
          required: false
          schema:
            type: boolean
        - description: Page number.
          in: query
          name: page
          required: false
          schema:
            minimum: 1
            type: number
        - description: Number of results per page.
          in: query
          name: size
          required: false
          schema:
            maximum: 100
            minimum: 1
            type: number
      responses:
        '200':
          content:
            application/json:
              examples:
                getWorkflowExecutionsResponseExample:
                  description: Example response returning a paginated list of executions for a workflow
                  value:
                    page: 1
                    results:
                      - duration: 3000
                        error: null
                        executedBy: elastic
                        finishedAt: '2025-11-20T12:00:03.000Z'
                        id: exec-001
                        isTestRun: false
                        spaceId: default
                        startedAt: '2025-11-20T12:00:00.000Z'
                        status: completed
                        triggeredBy: manual
                        workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890
                      - duration: 2000
                        error:
                          message: Step 'hello_world_step' failed
                        executedBy: elastic
                        finishedAt: '2025-11-20T13:00:02.000Z'
                        id: exec-002
                        isTestRun: false
                        spaceId: default
                        startedAt: '2025-11-20T13:00:00.000Z'
                        status: failed
                        triggeredBy: manual
                        workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890
                    size: 20
                    total: 2
          description: Indicates a successful response
      summary: Get workflow executions
      tags:
        - workflows
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X GET "${KIBANA_URL}/api/workflows/workflow/{workflowId}/executions?page=1&size=20" \
              -H "Authorization: ApiKey ${API_KEY}"
        - lang: Console
          source: |
            GET kbn:/api/workflows/workflow/{workflowId}/executions?page=1&size=20
      x-state: Generally available
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/workflows/workflow/{workflowId}/executions/cancel:
    post:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb post">post</span>&nbsp;<span class="operation-path">/s/{space_id}/api/workflows/workflow/{workflowId}/executions/cancel</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Request cancellation for all non-terminal executions of the given workflow in the current space.<br/><br/>[Required authorization] Route required privileges: workflowsManagement:cancelExecution.
      operationId: post-workflows-workflow-workflowid-executions-cancel
      parameters:
        - description: A required header to protect against CSRF attacks
          in: header
          name: kbn-xsrf
          required: true
          schema:
            example: 'true'
            type: string
        - description: Workflow ID
          in: path
          name: workflowId
          required: true
          schema:
            type: string
      responses:
        '200':
          description: Indicates a successful response
      summary: Cancel all active workflow executions
      tags:
        - workflows
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X POST "${KIBANA_URL}/api/workflows/workflow/{workflowId}/executions/cancel" \
              -H "Authorization: ApiKey ${API_KEY}" \
              -H "kbn-xsrf: true"
        - lang: Console
          source: |
            POST kbn:/api/workflows/workflow/{workflowId}/executions/cancel
      x-state: Generally available
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /api/workflows/workflow/{workflowId}/executions/steps:
    get:
      description: |-
        **Spaces method and path for this operation:**

        <div><span class="operation-verb get">get</span>&nbsp;<span class="operation-path">/s/{space_id}/api/workflows/workflow/{workflowId}/executions/steps</span></div>

        Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

        Retrieve a paginated list of step-level execution records for a specific workflow. Optionally filter by step ID and include input or output data.<br/><br/>[Required authorization] Route required privileges: workflowsManagement:readExecution.
      operationId: get-workflows-workflow-workflowid-executions-steps
      parameters:
        - description: Workflow ID
          in: path
          name: workflowId
          required: true
          schema:
            type: string
        - description: Filter by step ID.
          in: query
          name: stepId
          required: false
          schema:
            type: string
        - description: Include step input data.
          in: query
          name: includeInput
          required: false
          schema:
            type: boolean
        - description: Include step output data.
          in: query
          name: includeOutput
          required: false
          schema:
            type: boolean
        - description: Page number for pagination.
          in: query
          name: page
          required: false
          schema:
            minimum: 1
            type: number
        - description: Number of results per page.
          in: query
          name: size
          required: false
          schema:
            maximum: 100
            minimum: 1
            type: number
      responses:
        '200':
          content:
            application/json:
              examples:
                getWorkflowStepExecutionsResponseExample:
                  description: Example response returning step execution records for a workflow
                  value:
                    results:
                      - executionTimeMs: 1000
                        finishedAt: '2025-11-20T12:00:02.000Z'
                        globalExecutionIndex: 0
                        id: step-exec-001
                        input:
                          message: hello world
                        isTestRun: false
                        scopeStack: []
                        spaceId: default
                        startedAt: '2025-11-20T12:00:01.000Z'
                        status: completed
                        stepExecutionIndex: 0
                        stepId: hello_world_step
                        stepType: console
                        topologicalIndex: 0
                        workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890
                        workflowRunId: exec-001
                    total: 1
          description: Indicates a successful response
      summary: Get workflow step executions
      tags:
        - workflows
      x-codeSamples:
        - lang: curl
          source: |
            curl \
              -X GET "${KIBANA_URL}/api/workflows/workflow/{workflowId}/executions/steps?includeInput=true" \
              -H "Authorization: ApiKey ${API_KEY}"
        - lang: Console
          source: |
            GET kbn:/api/workflows/workflow/{workflowId}/executions/steps?includeInput=true
      x-state: Generally available
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /s/{spaceId}/api/observability/slos:
    get:
      description: |
        You must have `read` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.
      operationId: findSlosOp
      parameters:
        - $ref: '#/components/parameters/SLOs_kbn_xsrf'
        - $ref: '#/components/parameters/SLOs_space_id'
        - description: A valid KQL query to filter the SLOs with
          example: 'slo.name:latency* and slo.tags : "prod"'
          in: query
          name: kqlQuery
          schema:
            type: string
        - description: The page size to use for cursor-based pagination. Must be greater than or equal to 1.
          example: 1
          in: query
          name: size
          schema:
            default: 1
            type: integer
        - description: The cursor from which to fetch results when using cursor-based pagination.
          in: query
          name: searchAfter
          schema:
            items:
              type: string
            type: array
        - description: The page to use for pagination. Must be greater than or equal to 1.
          example: 1
          in: query
          name: page
          schema:
            default: 1
            type: integer
        - description: Number of SLOs returned per page
          example: 25
          in: query
          name: perPage
          schema:
            default: 25
            maximum: 5000
            type: integer
        - description: Sort by field
          example: status
          in: query
          name: sortBy
          schema:
            default: status
            enum:
              - sli_value
              - status
              - error_budget_consumed
              - error_budget_remaining
            type: string
        - description: Sort order
          example: asc
          in: query
          name: sortDirection
          schema:
            default: asc
            enum:
              - asc
              - desc
            type: string
        - description: Hide stale SLOs from the list, as defined by the stale SLO threshold in SLO settings
          in: query
          name: hideStale
          schema:
            type: boolean
      responses:
        '200':
          content:
            application/json:
              examples:
                findSloResponse:
                  summary: A paginated list of SLOs
                  value:
                    page: 1
                    perPage: 25
                    results:
                      - budgetingMethod: occurrences
                        createdAt: '2025-01-12T10:03:19.000Z'
                        description: Availability of my web service
                        enabled: true
                        groupBy: '*'
                        id: 8853df00-ae2e-11ed-90af-09bb6422b258
                        indicator:
                          params:
                            filter: 'field.environment : "production" and service.name : "my-service"'
                            good: 'request.status_code : "2xx"'
                            index: logs-*
                            timestampField: '@timestamp'
                            total: 'request.status_code : *'
                          type: sli.kql.custom
                        instanceId: '*'
                        name: My Service Availability
                        objective:
                          target: 0.99
                        revision: 1
                        settings:
                          frequency: 5m
                          syncDelay: 5m
                        summary:
                          errorBudget:
                            consumed: 0.17
                            initial: 0.01
                            isEstimated: false
                            remaining: 0.83
                          sliValue: 0.9983
                          status: HEALTHY
                        tags:
                          - production
                          - web-service
                        timeWindow:
                          duration: 30d
                          type: rolling
                        updatedAt: '2025-01-12T10:03:19.000Z'
                        version: 2
                    total: 42
              schema:
                $ref: '#/components/schemas/SLOs_find_slo_response'
          description: Successful request
        '400':
          content:
            application/json:
              examples:
                badRequestExample:
                  summary: Bad request
                  value:
                    error: Bad Request
                    message: 'Invalid value ''invalid'' supplied to: sortBy'
                    statusCode: 400
              schema:
                $ref: '#/components/schemas/SLOs_400_response'
          description: Bad request
        '401':
          content:
            application/json:
              examples:
                unauthorizedExample:
                  summary: Unauthorized
                  value:
                    error: Unauthorized
                    message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]'
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/SLOs_401_response'
          description: Unauthorized response
        '403':
          content:
            application/json:
              examples:
                forbiddenExample:
                  summary: Forbidden
                  value:
                    error: Forbidden
                    message: 'security_exception: action [slo_read] is unauthorized for user'
                    statusCode: 403
              schema:
                $ref: '#/components/schemas/SLOs_403_response'
          description: Forbidden response
        '404':
          content:
            application/json:
              examples:
                notFoundExample:
                  summary: Not found
                  value:
                    error: Not Found
                    message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found
                    statusCode: 404
              schema:
                $ref: '#/components/schemas/SLOs_404_response'
          description: Not found response
      summary: Get a paginated list of SLOs
      tags:
        - slo
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    post:
      description: |
        You must have `all` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.
      operationId: createSloOp
      parameters:
        - $ref: '#/components/parameters/SLOs_kbn_xsrf'
        - $ref: '#/components/parameters/SLOs_space_id'
      requestBody:
        content:
          application/json:
            examples:
              createSloKqlExample:
                summary: Create an SLO with a KQL indicator
                value:
                  budgetingMethod: occurrences
                  description: Availability of my web service measured by successful HTTP responses
                  indicator:
                    params:
                      filter: 'field.environment : "production" and service.name : "my-service"'
                      good: 'request.status_code : "2xx"'
                      index: logs-*
                      timestampField: '@timestamp'
                      total: 'request.status_code : *'
                    type: sli.kql.custom
                  name: My Service Availability
                  objective:
                    target: 0.99
                  settings:
                    frequency: 5m
                    syncDelay: 5m
                  tags:
                    - production
                    - web-service
                  timeWindow:
                    duration: 30d
                    type: rolling
            schema:
              $ref: '#/components/schemas/SLOs_create_slo_request'
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                createSloResponse:
                  summary: Create SLO response
                  value:
                    id: 8853df00-ae2e-11ed-90af-09bb6422b258
              schema:
                $ref: '#/components/schemas/SLOs_create_slo_response'
          description: Successful request
        '400':
          content:
            application/json:
              examples:
                badRequestExample:
                  summary: Bad request
                  value:
                    error: Bad Request
                    message: 'Invalid value ''foo'' supplied to: indicator/type'
                    statusCode: 400
              schema:
                $ref: '#/components/schemas/SLOs_400_response'
          description: Bad request
        '401':
          content:
            application/json:
              examples:
                unauthorizedExample:
                  summary: Unauthorized
                  value:
                    error: Unauthorized
                    message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]'
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/SLOs_401_response'
          description: Unauthorized response
        '403':
          content:
            application/json:
              examples:
                forbiddenExample:
                  summary: Forbidden
                  value:
                    error: Forbidden
                    message: 'security_exception: action [slo_write] is unauthorized for user'
                    statusCode: 403
              schema:
                $ref: '#/components/schemas/SLOs_403_response'
          description: Forbidden response
        '409':
          content:
            application/json:
              examples:
                conflictExample:
                  summary: Conflict
                  value:
                    error: Conflict
                    message: SLO [d077e940-1515-11ee-9c50-9d096392f520] already exists
                    statusCode: 409
              schema:
                $ref: '#/components/schemas/SLOs_409_response'
          description: Conflict - The SLO id already exists
      summary: Create an SLO
      tags:
        - slo
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /s/{spaceId}/api/observability/slos/_bulk_delete:
    post:
      description: |
        Bulk delete SLO definitions and their associated summary and rollup data. This endpoint initiates a bulk deletion operation for SLOs, which may take some time to complete. The status of the operation can be checked using the `GET /api/slo/_bulk_delete/{taskId}` endpoint.
      operationId: bulkDeleteOp
      parameters:
        - $ref: '#/components/parameters/SLOs_kbn_xsrf'
        - $ref: '#/components/parameters/SLOs_space_id'
      requestBody:
        content:
          application/json:
            examples:
              bulkDeleteRequest:
                summary: Bulk delete two SLOs
                value:
                  list:
                    - 8853df00-ae2e-11ed-90af-09bb6422b258
                    - d077e940-1515-11ee-9c50-9d096392f520
            schema:
              $ref: '#/components/schemas/SLOs_bulk_delete_request'
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                bulkDeleteResponse:
                  summary: Bulk delete response with task ID
                  value:
                    taskId: d08506b7-f0e8-4f8b-a06a-a83940f4db91
              schema:
                $ref: '#/components/schemas/SLOs_bulk_delete_response'
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                badRequestExample:
                  summary: Bad request
                  value:
                    error: Bad Request
                    message: 'Invalid value ''foo'' supplied to: list'
                    statusCode: 400
              schema:
                $ref: '#/components/schemas/SLOs_400_response'
          description: Bad request
        '401':
          content:
            application/json:
              examples:
                unauthorizedExample:
                  summary: Unauthorized
                  value:
                    error: Unauthorized
                    message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]'
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/SLOs_401_response'
          description: Unauthorized response
        '403':
          content:
            application/json:
              examples:
                forbiddenExample:
                  summary: Forbidden
                  value:
                    error: Forbidden
                    message: 'security_exception: action [slo_write] is unauthorized for user'
                    statusCode: 403
              schema:
                $ref: '#/components/schemas/SLOs_403_response'
          description: Forbidden response
      summary: Bulk delete SLO definitions and their associated summary and rollup data.
      tags:
        - slo
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /s/{spaceId}/api/observability/slos/_bulk_delete/{taskId}:
    get:
      description: |
        Retrieve the status of the bulk deletion operation for SLOs. This endpoint returns the status of the bulk deletion operation, including whether it is completed and the results of the operation.
      operationId: bulkDeleteStatusOp
      parameters:
        - $ref: '#/components/parameters/SLOs_kbn_xsrf'
        - $ref: '#/components/parameters/SLOs_space_id'
        - description: The task id of the bulk delete operation
          in: path
          name: taskId
          required: true
          schema:
            example: 8853df00-ae2e-11ed-90af-09bb6422b258
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                bulkDeleteStatusComplete:
                  summary: Completed bulk deletion
                  value:
                    isDone: true
                    results:
                      - id: 8853df00-ae2e-11ed-90af-09bb6422b258
                        success: true
                      - id: d077e940-1515-11ee-9c50-9d096392f520
                        success: true
                bulkDeleteStatusPartialFailure:
                  summary: Completed with partial failure
                  value:
                    isDone: true
                    results:
                      - id: 8853df00-ae2e-11ed-90af-09bb6422b258
                        success: true
                      - error: SLO [d077e940-1515-11ee-9c50-9d096392f520] not found
                        id: d077e940-1515-11ee-9c50-9d096392f520
                        success: false
              schema:
                $ref: '#/components/schemas/SLOs_bulk_delete_status_response'
          description: Successful response
        '400':
          content:
            application/json:
              examples:
                badRequestExample:
                  summary: Bad request
                  value:
                    error: Bad Request
                    message: 'Invalid value ''foo'' supplied to: taskId'
                    statusCode: 400
              schema:
                $ref: '#/components/schemas/SLOs_400_response'
          description: Bad request
        '401':
          content:
            application/json:
              examples:
                unauthorizedExample:
                  summary: Unauthorized
                  value:
                    error: Unauthorized
                    message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]'
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/SLOs_401_response'
          description: Unauthorized response
        '403':
          content:
            application/json:
              examples:
                forbiddenExample:
                  summary: Forbidden
                  value:
                    error: Forbidden
                    message: 'security_exception: action [slo_write] is unauthorized for user'
                    statusCode: 403
              schema:
                $ref: '#/components/schemas/SLOs_403_response'
          description: Forbidden response
      summary: Retrieve the status of the bulk deletion
      tags:
        - slo
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /s/{spaceId}/api/observability/slos/_bulk_purge_rollup:
    post:
      description: |
        The deletion occurs for the specified list of `sloId`. You must have `all` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.
      operationId: deleteRollupDataOp
      parameters:
        - $ref: '#/components/parameters/SLOs_kbn_xsrf'
        - $ref: '#/components/parameters/SLOs_space_id'
      requestBody:
        content:
          application/json:
            examples:
              purgeByAgeExample:
                summary: Purge rollup data older than 7 days
                value:
                  list:
                    - 8853df00-ae2e-11ed-90af-09bb6422b258
                  purgePolicy:
                    age: 7d
                    purgeType: fixed-age
              purgeByTimestampExample:
                summary: Purge rollup data before a specific date
                value:
                  list:
                    - 8853df00-ae2e-11ed-90af-09bb6422b258
                    - d077e940-1515-11ee-9c50-9d096392f520
                  purgePolicy:
                    purgeType: fixed-time
                    timestamp: '2024-12-31T00:00:00.000Z'
            schema:
              $ref: '#/components/schemas/SLOs_bulk_purge_rollup_request'
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                bulkPurgeResponse:
                  summary: Bulk purge response with task ID
                  value:
                    taskId: 8853df00-ae2e-11ed-90af-09bb6422b258
              schema:
                $ref: '#/components/schemas/SLOs_bulk_purge_rollup_response'
          description: Successful request
        '400':
          content:
            application/json:
              examples:
                badRequestExample:
                  summary: Bad request
                  value:
                    error: Bad Request
                    message: 'Invalid value ''foo'' supplied to: purgePolicy/purgeType'
                    statusCode: 400
              schema:
                $ref: '#/components/schemas/SLOs_400_response'
          description: Bad request
        '401':
          content:
            application/json:
              examples:
                unauthorizedExample:
                  summary: Unauthorized
                  value:
                    error: Unauthorized
                    message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]'
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/SLOs_401_response'
          description: Unauthorized response
        '403':
          content:
            application/json:
              examples:
                forbiddenExample:
                  summary: Forbidden
                  value:
                    error: Forbidden
                    message: 'security_exception: action [slo_write] is unauthorized for user'
                    statusCode: 403
              schema:
                $ref: '#/components/schemas/SLOs_403_response'
          description: Forbidden response
      summary: Batch delete rollup and summary data
      tags:
        - slo
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /s/{spaceId}/api/observability/slos/_delete_instances:
    post:
      description: |
        The deletion occurs for the specified list of `sloId` and `instanceId`. You must have `all` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.
      operationId: deleteSloInstancesOp
      parameters:
        - $ref: '#/components/parameters/SLOs_kbn_xsrf'
        - $ref: '#/components/parameters/SLOs_space_id'
      requestBody:
        content:
          application/json:
            examples:
              deleteInstancesExample:
                summary: Delete specific SLO instances
                value:
                  list:
                    - instanceId: host-abc123
                      sloId: 8853df00-ae2e-11ed-90af-09bb6422b258
                    - instanceId: host-def456
                      sloId: 8853df00-ae2e-11ed-90af-09bb6422b258
            schema:
              $ref: '#/components/schemas/SLOs_delete_slo_instances_request'
        required: true
      responses:
        '204':
          description: Successful request
        '400':
          content:
            application/json:
              examples:
                badRequestExample:
                  summary: Bad request
                  value:
                    error: Bad Request
                    message: 'Invalid value ''foo'' supplied to: list/0/sloId'
                    statusCode: 400
              schema:
                $ref: '#/components/schemas/SLOs_400_response'
          description: Bad request
        '401':
          content:
            application/json:
              examples:
                unauthorizedExample:
                  summary: Unauthorized
                  value:
                    error: Unauthorized
                    message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]'
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/SLOs_401_response'
          description: Unauthorized response
        '403':
          content:
            application/json:
              examples:
                forbiddenExample:
                  summary: Forbidden
                  value:
                    error: Forbidden
                    message: 'security_exception: action [slo_write] is unauthorized for user'
                    statusCode: 403
              schema:
                $ref: '#/components/schemas/SLOs_403_response'
          description: Forbidden response
      summary: Batch delete rollup and summary data
      tags:
        - slo
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /s/{spaceId}/api/observability/slos/{sloId}:
    delete:
      description: |
        You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.
      operationId: deleteSloOp
      parameters:
        - $ref: '#/components/parameters/SLOs_kbn_xsrf'
        - $ref: '#/components/parameters/SLOs_space_id'
        - $ref: '#/components/parameters/SLOs_slo_id'
      responses:
        '204':
          description: Successful request
        '400':
          content:
            application/json:
              examples:
                badRequestExample:
                  summary: Bad request
                  value:
                    error: Bad Request
                    message: 'Invalid value ''foo'' supplied to: id'
                    statusCode: 400
              schema:
                $ref: '#/components/schemas/SLOs_400_response'
          description: Bad request
        '401':
          content:
            application/json:
              examples:
                unauthorizedExample:
                  summary: Unauthorized
                  value:
                    error: Unauthorized
                    message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]'
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/SLOs_401_response'
          description: Unauthorized response
        '403':
          content:
            application/json:
              examples:
                forbiddenExample:
                  summary: Forbidden
                  value:
                    error: Forbidden
                    message: 'security_exception: action [slo_write] is unauthorized for user'
                    statusCode: 403
              schema:
                $ref: '#/components/schemas/SLOs_403_response'
          description: Forbidden response
        '404':
          content:
            application/json:
              examples:
                notFoundExample:
                  summary: Not found
                  value:
                    error: Not Found
                    message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found
                    statusCode: 404
              schema:
                $ref: '#/components/schemas/SLOs_404_response'
          description: Not found response
      summary: Delete an SLO
      tags:
        - slo
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    get:
      description: |
        You must have the `read` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.
      operationId: getSloOp
      parameters:
        - $ref: '#/components/parameters/SLOs_kbn_xsrf'
        - $ref: '#/components/parameters/SLOs_space_id'
        - $ref: '#/components/parameters/SLOs_slo_id'
        - description: The specific instanceId used by the summary calculation
          example: host-abcde
          in: query
          name: instanceId
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              examples:
                getSloResponse:
                  summary: Get SLO response
                  value:
                    budgetingMethod: occurrences
                    createdAt: '2025-01-12T10:03:19.000Z'
                    description: Availability of my web service
                    enabled: true
                    groupBy: '*'
                    id: 8853df00-ae2e-11ed-90af-09bb6422b258
                    indicator:
                      params:
                        filter: 'field.environment : "production" and service.name : "my-service"'
                        good: 'request.status_code : "2xx"'
                        index: logs-*
                        timestampField: '@timestamp'
                        total: 'request.status_code : *'
                      type: sli.kql.custom
                    instanceId: '*'
                    name: My Service Availability
                    objective:
                      target: 0.99
                    revision: 1
                    settings:
                      frequency: 5m
                      syncDelay: 5m
                    summary:
                      errorBudget:
                        consumed: 0.17
                        initial: 0.01
                        isEstimated: false
                        remaining: 0.83
                      sliValue: 0.9983
                      status: HEALTHY
                    tags:
                      - production
                      - web-service
                    timeWindow:
                      duration: 30d
                      type: rolling
                    updatedAt: '2025-01-12T10:03:19.000Z'
                    version: 2
              schema:
                $ref: '#/components/schemas/SLOs_slo_with_summary_response'
          description: Successful request
        '400':
          content:
            application/json:
              examples:
                badRequestExample:
                  summary: Bad request
                  value:
                    error: Bad Request
                    message: 'Invalid value ''foo'' supplied to: id'
                    statusCode: 400
              schema:
                $ref: '#/components/schemas/SLOs_400_response'
          description: Bad request
        '401':
          content:
            application/json:
              examples:
                unauthorizedExample:
                  summary: Unauthorized
                  value:
                    error: Unauthorized
                    message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]'
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/SLOs_401_response'
          description: Unauthorized response
        '403':
          content:
            application/json:
              examples:
                forbiddenExample:
                  summary: Forbidden
                  value:
                    error: Forbidden
                    message: 'security_exception: action [slo_read] is unauthorized for user'
                    statusCode: 403
              schema:
                $ref: '#/components/schemas/SLOs_403_response'
          description: Forbidden response
        '404':
          content:
            application/json:
              examples:
                notFoundExample:
                  summary: Not found
                  value:
                    error: Not Found
                    message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found
                    statusCode: 404
              schema:
                $ref: '#/components/schemas/SLOs_404_response'
          description: Not found response
      summary: Get an SLO
      tags:
        - slo
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
    put:
      description: |
        You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.
      operationId: updateSloOp
      parameters:
        - $ref: '#/components/parameters/SLOs_kbn_xsrf'
        - $ref: '#/components/parameters/SLOs_space_id'
        - $ref: '#/components/parameters/SLOs_slo_id'
      requestBody:
        content:
          application/json:
            examples:
              updateSloNameExample:
                summary: Update the SLO name and tags
                value:
                  name: Updated Service Availability
                  tags:
                    - production
                    - updated
              updateSloObjectiveExample:
                summary: Update the SLO objective
                value:
                  objective:
                    target: 0.995
            schema:
              $ref: '#/components/schemas/SLOs_update_slo_request'
        required: true
      responses:
        '200':
          content:
            application/json:
              examples:
                updateSloResponse:
                  summary: Update SLO response
                  value:
                    budgetingMethod: occurrences
                    createdAt: '2025-01-12T10:03:19.000Z'
                    description: Availability of my web service
                    enabled: true
                    groupBy: '*'
                    id: 8853df00-ae2e-11ed-90af-09bb6422b258
                    indicator:
                      params:
                        filter: 'field.environment : "production" and service.name : "my-service"'
                        good: 'request.status_code : "2xx"'
                        index: logs-*
                        timestampField: '@timestamp'
                        total: 'request.status_code : *'
                      type: sli.kql.custom
                    name: Updated Service Availability
                    objective:
                      target: 0.99
                    revision: 2
                    settings:
                      frequency: 5m
                      syncDelay: 5m
                    tags:
                      - production
                      - updated
                    timeWindow:
                      duration: 30d
                      type: rolling
                    updatedAt: '2025-03-26T14:30:00.000Z'
                    version: 2
              schema:
                $ref: '#/components/schemas/SLOs_slo_definition_response'
          description: Successful request
        '400':
          content:
            application/json:
              examples:
                badRequestExample:
                  summary: Bad request
                  value:
                    error: Bad Request
                    message: 'Invalid value ''foo'' supplied to: indicator/type'
                    statusCode: 400
              schema:
                $ref: '#/components/schemas/SLOs_400_response'
          description: Bad request
        '401':
          content:
            application/json:
              examples:
                unauthorizedExample:
                  summary: Unauthorized
                  value:
                    error: Unauthorized
                    message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]'
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/SLOs_401_response'
          description: Unauthorized response
        '403':
          content:
            application/json:
              examples:
                forbiddenExample:
                  summary: Forbidden
                  value:
                    error: Forbidden
                    message: 'security_exception: action [slo_write] is unauthorized for user'
                    statusCode: 403
              schema:
                $ref: '#/components/schemas/SLOs_403_response'
          description: Forbidden response
        '404':
          content:
            application/json:
              examples:
                notFoundExample:
                  summary: Not found
                  value:
                    error: Not Found
                    message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found
                    statusCode: 404
              schema:
                $ref: '#/components/schemas/SLOs_404_response'
          description: Not found response
      summary: Update an SLO
      tags:
        - slo
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /s/{spaceId}/api/observability/slos/{sloId}/_reset:
    post:
      description: |
        You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.
      operationId: resetSloOp
      parameters:
        - $ref: '#/components/parameters/SLOs_kbn_xsrf'
        - $ref: '#/components/parameters/SLOs_space_id'
        - $ref: '#/components/parameters/SLOs_slo_id'
      responses:
        '200':
          content:
            application/json:
              examples:
                resetSloResponse:
                  summary: Reset SLO response
                  value:
                    budgetingMethod: occurrences
                    createdAt: '2025-01-12T10:03:19.000Z'
                    description: Availability of my web service
                    enabled: true
                    groupBy: '*'
                    id: 8853df00-ae2e-11ed-90af-09bb6422b258
                    indicator:
                      params:
                        filter: 'field.environment : "production" and service.name : "my-service"'
                        good: 'request.status_code : "2xx"'
                        index: logs-*
                        timestampField: '@timestamp'
                        total: 'request.status_code : *'
                      type: sli.kql.custom
                    name: My Service Availability
                    objective:
                      target: 0.99
                    revision: 2
                    settings:
                      frequency: 5m
                      syncDelay: 5m
                    tags:
                      - production
                      - web-service
                    timeWindow:
                      duration: 30d
                      type: rolling
                    updatedAt: '2025-03-26T14:30:00.000Z'
                    version: 2
              schema:
                $ref: '#/components/schemas/SLOs_slo_definition_response'
          description: Successful request
        '400':
          content:
            application/json:
              examples:
                badRequestExample:
                  summary: Bad request
                  value:
                    error: Bad Request
                    message: 'Invalid value ''foo'' supplied to: id'
                    statusCode: 400
              schema:
                $ref: '#/components/schemas/SLOs_400_response'
          description: Bad request
        '401':
          content:
            application/json:
              examples:
                unauthorizedExample:
                  summary: Unauthorized
                  value:
                    error: Unauthorized
                    message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]'
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/SLOs_401_response'
          description: Unauthorized response
        '403':
          content:
            application/json:
              examples:
                forbiddenExample:
                  summary: Forbidden
                  value:
                    error: Forbidden
                    message: 'security_exception: action [slo_write] is unauthorized for user'
                    statusCode: 403
              schema:
                $ref: '#/components/schemas/SLOs_403_response'
          description: Forbidden response
        '404':
          content:
            application/json:
              examples:
                notFoundExample:
                  summary: Not found
                  value:
                    error: Not Found
                    message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found
                    statusCode: 404
              schema:
                $ref: '#/components/schemas/SLOs_404_response'
          description: Not found response
      summary: Reset an SLO
      tags:
        - slo
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /s/{spaceId}/api/observability/slos/{sloId}/disable:
    post:
      description: |
        You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.
      operationId: disableSloOp
      parameters:
        - $ref: '#/components/parameters/SLOs_kbn_xsrf'
        - $ref: '#/components/parameters/SLOs_space_id'
        - $ref: '#/components/parameters/SLOs_slo_id'
      responses:
        '204':
          description: Successful request
        '400':
          content:
            application/json:
              examples:
                badRequestExample:
                  summary: Bad request
                  value:
                    error: Bad Request
                    message: 'Invalid value ''foo'' supplied to: id'
                    statusCode: 400
              schema:
                $ref: '#/components/schemas/SLOs_400_response'
          description: Bad request
        '401':
          content:
            application/json:
              examples:
                unauthorizedExample:
                  summary: Unauthorized
                  value:
                    error: Unauthorized
                    message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]'
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/SLOs_401_response'
          description: Unauthorized response
        '403':
          content:
            application/json:
              examples:
                forbiddenExample:
                  summary: Forbidden
                  value:
                    error: Forbidden
                    message: 'security_exception: action [slo_write] is unauthorized for user'
                    statusCode: 403
              schema:
                $ref: '#/components/schemas/SLOs_403_response'
          description: Forbidden response
        '404':
          content:
            application/json:
              examples:
                notFoundExample:
                  summary: Not found
                  value:
                    error: Not Found
                    message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found
                    statusCode: 404
              schema:
                $ref: '#/components/schemas/SLOs_404_response'
          description: Not found response
      summary: Disable an SLO
      tags:
        - slo
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /s/{spaceId}/api/observability/slos/{sloId}/enable:
    post:
      description: |
        You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.
      operationId: enableSloOp
      parameters:
        - $ref: '#/components/parameters/SLOs_kbn_xsrf'
        - $ref: '#/components/parameters/SLOs_space_id'
        - $ref: '#/components/parameters/SLOs_slo_id'
      responses:
        '204':
          description: Successful request
        '400':
          content:
            application/json:
              examples:
                badRequestExample:
                  summary: Bad request
                  value:
                    error: Bad Request
                    message: 'Invalid value ''foo'' supplied to: id'
                    statusCode: 400
              schema:
                $ref: '#/components/schemas/SLOs_400_response'
          description: Bad request
        '401':
          content:
            application/json:
              examples:
                unauthorizedExample:
                  summary: Unauthorized
                  value:
                    error: Unauthorized
                    message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]'
                    statusCode: 401
              schema:
                $ref: '#/components/schemas/SLOs_401_response'
          description: Unauthorized response
        '403':
          content:
            application/json:
              examples:
                forbiddenExample:
                  summary: Forbidden
                  value:
                    error: Forbidden
                    message: 'security_exception: action [slo_write] is unauthorized for user'
                    statusCode: 403
              schema:
                $ref: '#/components/schemas/SLOs_403_response'
          description: Forbidden response
        '404':
          content:
            application/json:
              examples:
                notFoundExample:
                  summary: Not found
                  value:
                    error: Not Found
                    message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found
                    statusCode: 404
              schema:
                $ref: '#/components/schemas/SLOs_404_response'
          description: Not found response
      summary: Enable an SLO
      tags:
        - slo
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
  /s/{spaceId}/internal/observability/slos/_definitions:
    get:
      description: |
        You must have the `read` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.
      operationId: getDefinitionsOp
      parameters:
        - $ref: '#/components/parameters/SLOs_kbn_xsrf'
        - $ref: '#/components/parameters/SLOs_space_id'
        - description: Indicates whether the API returns only outdated SLO definitions or all SLO definitions
          in: query
          name: includeOutdatedOnly
          schema:
            type: boolean
        - description: Indicates if the API returns SLO health data with definitions
          example: true
          in: query
          name: includeHealth
          schema:
            type: boolean
        - description: Filters the SLOs by tag
          in: query
          name: tags
          schema:
            type: string
        - description: Filters the SLOs by name
          example: my service availability
          in: query
          name: search
          schema:
            type: string
        - description: The page to use for pagination. Must be greater than or equal to 1.
          example: 1
          in: query
          name: page
          schema:
            type: number
        - description: Number of SLOs returned per page
          example: 100
          in: query
          name: perPage
          schema:
            default: 100
            maximum: 1000
            type: integer
      responses:
        '200':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/SLOs_find_slo_definitions_response'
          description: Successful request
        '400':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/SLOs_400_response'
          description: Bad request
        '401':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/SLOs_401_response'
          description: Unauthorized response
        '403':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/SLOs_403_response'
          description: Forbidden response
      summary: Get the SLO definitions
      tags:
        - slo
      x-metaTags:
        - content: Kibana, Elastic Cloud Serverless
          name: product_name
components:
  examples:
    APM_UI_agent_configuration_environments_200_response1:
      description: An example of a successful response from `GET /api/apm/settings/agent-configuration/environments`.
      value:
        environments:
          - alreadyConfigured: true
            name: production
          - alreadyConfigured: false
            name: development
          - alreadyConfigured: false
            name: ALL_OPTION_VALUE
    APM_UI_agent_configuration_intake_object_delete_200_response1:
      description: An example of a successful response from `DELETE /api/apm/settings/agent-configuration`.
      value:
        result: deleted
    APM_UI_agent_configuration_intake_object_delete_request1:
      description: Run `DELETE /api/apm/settings/agent-configuration` to delete a configuration.
      value:
        service:
          environment: production
          name: frontend
    APM_UI_agent_configuration_intake_object_get_200_response1:
      description: An example of a successful response from `GET /api/apm/settings/agent-configuration`.
      value:
        - '@timestamp': 1581934104843
          agent_name: go
          applied_by_agent: false
          etag: 1e58c178efeebae15c25c539da740d21dee422fc
          service:
            environment: production
            name: opbeans-go
          settings:
            capture_body: 'off'
            transaction_max_spans: '200'
            transaction_sample_rate: '1'
        - '@timestamp': 1581934111727
          agent_name: go
          applied_by_agent: false
          etag: 3eed916d3db434d9fb7f039daa681c7a04539a64
          service:
            name: opbeans-go
          settings:
            capture_body: 'off'
            transaction_max_spans: '300'
            transaction_sample_rate: '1'
        - '@timestamp': 1582031336265
          agent_name: nodejs
          applied_by_agent: false
          etag: 5080ed25785b7b19f32713681e79f46996801a5b
          service:
            name: frontend
          settings:
            transaction_sample_rate: '1'
    APM_UI_agent_configuration_intake_object_put_200_response1:
      description: An example of a successful response from `PUT /api/apm/settings/agent-configuration`. The response body is intentionally empty.
      value: {}
    APM_UI_agent_configuration_intake_object_put_request1:
      description: Run `PUT /api/apm/settings/agent-configuration` to create or update configuration details.
      value:
        agent_name: nodejs
        service:
          environment: production
          name: frontend
        settings:
          capture_body: 'off'
          transaction_max_spans: '500'
          transaction_sample_rate: '0.4'
    APM_UI_agent_configuration_intake_object_search_200_response1:
      description: An example of a successful response from `POST /api/apm/settings/agent-configuration/search`.
      value:
        _id: CIaqXXABmQCdPphWj8EJ
        _index: .apm-agent-configuration
        _score: 2
        _source:
          '@timestamp': 1582031336265
          agent_name: nodejs
          applied_by_agent: false
          etag: 5080ed25785b7b19f32713681e79f46996801a5b
          service:
            name: frontend
          settings:
            transaction_sample_rate: '1'
    APM_UI_agent_configuration_intake_object_search_request1:
      description: Run `POST /api/apm/settings/agent-configuration/search` to search configuration details.
      value:
        etag: 1e58c178efeebae15c25c539da740d21dee422fc
        service:
          environment: production
          name: frontend
    APM_UI_agent_configuration_intake_object_view_200_response1:
      description: An example of a successful response from `GET /api/apm/settings/agent-configuration/view`.
      value:
        '@timestamp': 1582031336265
        agent_name: nodejs
        applied_by_agent: true
        etag: 5080ed25785b7b19f32713681e79f46996801a5b
        id: CIaqXXABmQCdPphWj8EJ
        service:
          environment: production
          name: frontend
        settings:
          capture_body: 'off'
          transaction_max_spans: '500'
          transaction_sample_rate: '0.4'
    APM_UI_agent_keys_object_post_200_response1:
      description: An example of a successful response from `POST /api/apm/agent_keys`, which creates an APM agent API key.
      value:
        agentKey:
          api_key: PjGloCGOTzaZr8ilUPvkjA
          encoded: M0RDTG1uMEIzWk1oTFVhN1dCRzk6UGpHbG9DR09UemFacjhpbFVQdmtqQQ==
          id: 3DCLmn0B3ZMhLUa7WBG9
          name: apm-key
    APM_UI_agent_keys_object_post_request1:
      description: Run `POST /api/apm/agent_keys` to create an APM agent API key with the specified privileges.
      value:
        name: apm-key
        privileges:
          - event:write
          - config_agent:read
    APM_UI_annotation_object_post_200_response1:
      description: An example of a successful response from `POST /api/apm/services/opbeans-java/annotation`, which creates an annotation for a service named `opbeans-java`.
      value:
        _id: Lc9I93EBh6DbmkeV7nFX
        _index: observability-annotations
        _primary_term: 1
        _seq_no: 12
        _source:
          '@timestamp': '2020-05-08T10:31:30.452Z'
          annotation:
            type: deployment
          event:
            created: '2020-05-09T02:34:43.937Z'
          message: Deployment 1.2
          service:
            name: opbeans-java
            version: '1.2'
          tags:
            - apm
            - elastic.co
            - customer
        _version: 1
        found: true
    APM_UI_annotation_object_post_request1:
      description: Run `POST /api/apm/services/{serviceName}/annotation` to create a deployment annotation for a service.
      value:
        '@timestamp': '2024-01-15T12:00:00.000Z'
        message: Deployment 1.2.0
        service:
          environment: production
          version: 1.2.0
        tags:
          - apm
          - deployment
    APM_UI_annotation_search_get_200_response1:
      description: An example of a successful response from `GET /api/apm/services/{serviceName}/annotation/search`, which returns the annotations associated with a service over the given time range.
      value:
        annotations:
          - '@timestamp': 1735689600000
            id: opbeans-node@2.0.0
            text: opbeans-node@2.0.0
            type: version
          - '@timestamp': 1736294400000
            id: opbeans-node@2.1.0
            text: opbeans-node@2.1.0
            type: version
    APM_UI_error_400_response:
      description: An example of a 400 Bad Request response, returned when the request payload or query parameters fail validation.
      value:
        error: Bad Request
        message: '[request body]: expected value of type [string] but got [undefined]'
        statusCode: 400
    APM_UI_error_401_response:
      description: An example of a 401 Unauthorized response, returned when the request is missing valid authentication credentials.
      value:
        error: Unauthorized
        message: '[security_exception]: missing authentication credentials for REST request'
        statusCode: 401
    APM_UI_error_403_response:
      description: An example of a 403 Forbidden response, returned when the authenticated user lacks the required APM and User Experience privileges.
      value:
        error: Forbidden
        message: Insufficient privileges to perform this action. The APM and User Experience feature requires `all` privileges.
        statusCode: 403
    APM_UI_error_404_response:
      description: An example of a 404 Not Found response, returned when the requested resource does not exist or the feature is not available on the current deployment.
      value:
        error: Not Found
        message: Not Found
        statusCode: 404
    APM_UI_error_500_response:
      description: An example of a 500 Internal Server Error response, returned when an unexpected error occurs while processing the request.
      value:
        error: Internal Server Error
        message: An internal server error occurred. Check the Kibana server logs for details.
        statusCode: 500
    APM_UI_error_501_response:
      description: An example of a 501 Not Implemented response, returned when the source map feature is not available on the current deployment.
      value:
        error: Not Implemented
        message: Not Implemented
        statusCode: 501
    APM_UI_fleet_apm_server_schema_200_response1:
      description: An example of a successful response from `POST /api/apm/fleet/apm_server_schema`. The response body is intentionally empty.
      value: {}
    APM_UI_service_agent_name_get_200_response1:
      description: An example of a successful response from `GET /api/apm/settings/agent-configuration/agent_name`, which returns the detected APM agent name for a service.
      value:
        agentName: nodejs
    APM_UI_source_maps_delete_200_response1:
      description: An example of a successful response from `DELETE /api/apm/sourcemaps/{id}`. The response body is intentionally empty.
      value: {}
    APM_UI_source_maps_get_200_response1:
      description: A successful response from `GET /api/apm/sourcemaps`.
      value:
        artifacts:
          - body:
              bundleFilepath: /test/e2e/general-usecase/bundle.js
              serviceName: foo
              serviceVersion: 1.0.0
              sourceMap:
                file: static/js/main.chunk.js
                mappings: mapping
                sourceRoot: ''
                sources:
                  - fleet-source-map-client/src/index.css
                  - fleet-source-map-client/src/App.js
                  - webpack:///./src/index.css?bb0a
                  - fleet-source-map-client/src/index.js
                  - fleet-source-map-client/src/reportWebVitals.js
                sourcesContent:
                  - content
                version: 3
            compressionAlgorithm: zlib
            created: '2021-07-09T20:47:44.812Z'
            decodedSha256: 644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456
            decodedSize: 441
            encodedSha256: 024c72749c3e3dd411b103f7040ae62633558608f480bce4b108cf5b2275bd24
            encodedSize: 237
            encryptionAlgorithm: none
            id: apm:foo-1.0.0-644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456
            identifier: foo-1.0.0
            packageName: apm
            relative_url: /api/fleet/artifacts/foo-1.0.0/644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456
            type: sourcemap
    APM_UI_source_maps_upload_200_response1:
      description: A successful response from `POST /api/apm/sourcemaps`.
      value:
        body: eJyFkL1OwzAUhd/Fc+MbYMuCEBIbHRjKgBgc96R16tiWr1OQqr47NwqJxEK3q/PzWccXxchnZ7E1A1SjuhjVZtF2yOxiEPlO17oWox3D3uPFeSRTjmJQARfCPeiAgGx8NTKsYdAc1T3rwaSJGcds8Sp3c1HnhfywUZ3QhMTFFGepZxqMC9oex3CS9tpk1XyozgOlmoVKuJX1DqEQZ0su7PGtLU+V/3JPKc3cL7TJ2FNDRPov4bFta3MDM4f7W69lpJjLO9qdK8bzVPhcJz3HUCQ4LbO/p5hCSC4cZPByrp/wFqOklbpefwAhzpqI
        compressionAlgorithm: zlib
        created: '2021-07-09T20:47:44.812Z'
        decodedSha256: 644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456
        decodedSize: 441
        encodedSha256: 024c72749c3e3dd411b103f7040ae62633558608f480bce4b108cf5b2275bd24
        encodedSize: 237
        encryptionAlgorithm: none
        id: apm:foo-1.0.0-644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456
        identifier: foo-1.0.0
        packageName: apm
        relative_url: /api/fleet/artifacts/foo-1.0.0/644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456
        type: sourcemap
    APM_UI_source_maps_upload_request1:
      description: |
        An example of a multipart/form-data request body for `POST /api/apm/sourcemaps`.
        Each field is a separate form part; `sourcemap` is the source map file content (typically uploaded as a file).
      value:
        bundle_filepath: /test/e2e/general-usecase/bundle.js.map
        service_name: opbeans-node
        service_version: 1.0.0
        sourcemap: '{"version":3,"sources":["bundle.js"],"names":[],"mappings":"AAAA","file":"bundle.js","sourcesContent":["console.log(''hello'');"]}'
    Data_views_create_data_view_request:
      description: Create a data view for logstash indices that includes a runtime field which extracts the shape name from a source field.
      summary: Create a data view with runtime fields.
      value:
        data_view:
          name: My Logstash data view
          runtimeFieldMap:
            runtime_shape_name:
              script:
                source: emit(doc['shape_name'].value)
              type: keyword
          title: logstash-*
    Data_views_create_data_view_response:
      description: The response includes the full data view specification, including auto-generated fields such as the unique identifier and version.
      summary: The create data view API returns a JSON object that contains details about the new data view.
      value:
        data_view:
          allowNoIndex: false
          fieldAttrs: {}
          fieldFormats: {}
          fields:
            runtime_shape_name:
              aggregatable: true
              count: 0
              esTypes:
                - keyword
              format:
                id: string
              name: runtime_shape_name
              readFromDocValues: false
              runtimeField:
                script:
                  source: emit(doc['shape_name'].value)
                type: keyword
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: string
          id: b561acfb-0181-455e-84a3-ce8980b2272f
          name: My Logstash data view
          namespaces:
            - default
          runtimeFieldMap:
            runtime_shape_name:
              script:
                source: emit(doc['shape_name'].value)
              type: keyword
          sourceFilters: []
          title: logstash-*
          typeMeta: {}
          version: WzQ5LDJd
    Data_views_create_runtime_field_request:
      description: Create a long-type runtime field that emits a value derived from the `foo` source field.
      summary: Create a runtime field.
      value:
        name: runtimeFoo
        runtimeField:
          script:
            source: emit(doc["foo"].value)
          type: long
    Data_views_create_runtime_field_response:
      description: The response includes the newly created runtime field as an array and the full updated data view object.
      summary: The API returns the created runtime field as an array and the updated data view object.
      value:
        data_view:
          ...: null
        fields:
          - ...
    Data_views_error_400_response:
      description: The request was rejected because the payload or query parameters are missing required fields or contain invalid values.
      summary: A bad request response.
      value:
        error: Bad Request
        message: '[request body.data_view.title]: expected value of type [string] but got [undefined]'
        statusCode: 400
    Data_views_error_404_response:
      description: The requested data view or runtime field was not found in the current Kibana space.
      summary: A not found response.
      value:
        error: Not Found
        message: Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] not found
        statusCode: 404
    Data_views_get_data_view_response:
      description: A complete data view object including all fields, runtime fields, and metadata.
      summary: The get data view API returns a JSON object that contains information about the data view.
      value:
        data_view:
          allowNoIndex: false
          fieldAttrs:
            products.manufacturer:
              count: 1
            products.price:
              count: 1
            products.product_name:
              count: 1
            total_quantity:
              count: 1
          fieldFormats:
            products.base_price:
              id: number
              params:
                pattern: $0,0.00
            products.base_unit_price:
              id: number
              params:
                pattern: $0,0.00
            products.min_price:
              id: number
              params:
                pattern: $0,0.00
            products.price:
              id: number
              params:
                pattern: $0,0.00
            products.taxful_price:
              id: number
              params:
                pattern: $0,0.00
            products.taxless_price:
              id: number
              params:
                pattern: $0,0.00
            taxful_total_price:
              id: number
              params:
                pattern: $0,0.[00]
            taxless_total_price:
              id: number
              params:
                pattern: $0,0.00
          fields:
            _id:
              aggregatable: false
              count: 0
              esTypes:
                - _id
              format:
                id: string
              isMapped: true
              name: _id
              readFromDocValues: false
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: string
            _index:
              aggregatable: true
              count: 0
              esTypes:
                - _index
              format:
                id: string
              isMapped: true
              name: _index
              readFromDocValues: false
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: string
            _score:
              aggregatable: false
              count: 0
              format:
                id: number
              isMapped: true
              name: _score
              readFromDocValues: false
              scripted: false
              searchable: false
              shortDotsEnable: false
              type: number
            _source:
              aggregatable: false
              count: 0
              esTypes:
                - _source
              format:
                id: _source
              isMapped: true
              name: _source
              readFromDocValues: false
              scripted: false
              searchable: false
              shortDotsEnable: false
              type: _source
            category:
              aggregatable: false
              count: 0
              esTypes:
                - text
              format:
                id: string
              isMapped: true
              name: category
              readFromDocValues: false
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: string
            category.keyword:
              aggregatable: true
              count: 0
              esTypes:
                - keyword
              format:
                id: string
              isMapped: true
              name: category.keyword
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              subType:
                multi:
                  parent: category
              type: string
            currency:
              aggregatable: true
              count: 0
              esTypes:
                - keyword
              format:
                id: string
              isMapped: true
              name: currency
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: string
            customer_birth_date:
              aggregatable: true
              count: 0
              esTypes:
                - date
              format:
                id: date
              isMapped: true
              name: customer_birth_date
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: date
            customer_first_name:
              aggregatable: false
              count: 0
              esTypes:
                - text
              format:
                id: string
              isMapped: true
              name: customer_first_name
              readFromDocValues: false
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: string
            customer_first_name.keyword:
              aggregatable: true
              count: 0
              esTypes:
                - keyword
              format:
                id: string
              isMapped: true
              name: customer_first_name.keyword
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              subType:
                multi:
                  parent: customer_first_name
              type: string
            customer_full_name:
              aggregatable: false
              count: 0
              esTypes:
                - text
              format:
                id: string
              isMapped: true
              name: customer_full_name
              readFromDocValues: false
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: string
            customer_full_name.keyword:
              aggregatable: true
              count: 0
              esTypes:
                - keyword
              format:
                id: string
              isMapped: true
              name: customer_full_name.keyword
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              subType:
                multi:
                  parent: customer_full_name
              type: string
            customer_gender:
              aggregatable: true
              count: 0
              esTypes:
                - keyword
              format:
                id: string
              isMapped: true
              name: customer_gender
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: string
            customer_id:
              aggregatable: true
              count: 0
              esTypes:
                - keyword
              format:
                id: string
              isMapped: true
              name: customer_id
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: string
            customer_last_name:
              aggregatable: false
              count: 0
              esTypes:
                - text
              format:
                id: string
              isMapped: true
              name: customer_last_name
              readFromDocValues: false
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: string
            customer_last_name.keyword:
              aggregatable: true
              count: 0
              esTypes:
                - keyword
              format:
                id: string
              isMapped: true
              name: customer_last_name.keyword
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              subType:
                multi:
                  parent: customer_last_name
              type: string
            customer_phone:
              aggregatable: true
              count: 0
              esTypes:
                - keyword
              format:
                id: string
              isMapped: true
              name: customer_phone
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: string
            day_of_week:
              aggregatable: true
              count: 0
              esTypes:
                - keyword
              format:
                id: string
              isMapped: true
              name: day_of_week
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: string
            day_of_week_i:
              aggregatable: true
              count: 0
              esTypes:
                - integer
              format:
                id: number
              isMapped: true
              name: day_of_week_i
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: number
            email:
              aggregatable: true
              count: 0
              esTypes:
                - keyword
              format:
                id: string
              isMapped: true
              name: email
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: string
            event.dataset:
              aggregatable: true
              count: 0
              esTypes:
                - keyword
              format:
                id: string
              isMapped: true
              name: event.dataset
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: string
            geoip.city_name:
              aggregatable: true
              count: 0
              esTypes:
                - keyword
              format:
                id: string
              isMapped: true
              name: geoip.city_name
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: string
            geoip.continent_name:
              aggregatable: true
              count: 0
              esTypes:
                - keyword
              format:
                id: string
              isMapped: true
              name: geoip.continent_name
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: string
            geoip.country_iso_code:
              aggregatable: true
              count: 0
              esTypes:
                - keyword
              format:
                id: string
              isMapped: true
              name: geoip.country_iso_code
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: string
            geoip.location:
              aggregatable: true
              count: 0
              esTypes:
                - geo_point
              format:
                id: geo_point
                params:
                  transform: wkt
              isMapped: true
              name: geoip.location
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: geo_point
            geoip.region_name:
              aggregatable: true
              count: 0
              esTypes:
                - keyword
              format:
                id: string
              isMapped: true
              name: geoip.region_name
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: string
            manufacturer:
              aggregatable: false
              count: 0
              esTypes:
                - text
              format:
                id: string
              isMapped: true
              name: manufacturer
              readFromDocValues: false
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: string
            manufacturer.keyword:
              aggregatable: true
              count: 0
              esTypes:
                - keyword
              format:
                id: string
              isMapped: true
              name: manufacturer.keyword
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              subType:
                multi:
                  parent: manufacturer
              type: string
            order_date:
              aggregatable: true
              count: 0
              esTypes:
                - date
              format:
                id: date
              isMapped: true
              name: order_date
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: date
            order_id:
              aggregatable: true
              count: 0
              esTypes:
                - keyword
              format:
                id: string
              isMapped: true
              name: order_id
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: string
            products._id:
              aggregatable: false
              count: 0
              esTypes:
                - text
              format:
                id: string
              isMapped: true
              name: products._id
              readFromDocValues: false
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: string
            products._id.keyword:
              aggregatable: true
              count: 0
              esTypes:
                - keyword
              format:
                id: string
              isMapped: true
              name: products._id.keyword
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              subType:
                multi:
                  parent: products._id
              type: string
            products.base_price:
              aggregatable: true
              count: 0
              esTypes:
                - half_float
              format:
                id: number
                params:
                  pattern: $0,0.00
              isMapped: true
              name: products.base_price
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: number
            products.base_unit_price:
              aggregatable: true
              count: 0
              esTypes:
                - half_float
              format:
                id: number
                params:
                  pattern: $0,0.00
              isMapped: true
              name: products.base_unit_price
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: number
            products.category:
              aggregatable: false
              count: 0
              esTypes:
                - text
              format:
                id: string
              isMapped: true
              name: products.category
              readFromDocValues: false
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: string
            products.category.keyword:
              aggregatable: true
              count: 0
              esTypes:
                - keyword
              format:
                id: string
              isMapped: true
              name: products.category.keyword
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              subType:
                multi:
                  parent: products.category
              type: string
            products.created_on:
              aggregatable: true
              count: 0
              esTypes:
                - date
              format:
                id: date
              isMapped: true
              name: products.created_on
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: date
            products.discount_amount:
              aggregatable: true
              count: 0
              esTypes:
                - half_float
              format:
                id: number
              isMapped: true
              name: products.discount_amount
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: number
            products.discount_percentage:
              aggregatable: true
              count: 0
              esTypes:
                - half_float
              format:
                id: number
              isMapped: true
              name: products.discount_percentage
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: number
            products.manufacturer:
              aggregatable: false
              count: 1
              esTypes:
                - text
              format:
                id: string
              isMapped: true
              name: products.manufacturer
              readFromDocValues: false
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: string
            products.manufacturer.keyword:
              aggregatable: true
              count: 0
              esTypes:
                - keyword
              format:
                id: string
              isMapped: true
              name: products.manufacturer.keyword
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              subType:
                multi:
                  parent: products.manufacturer
              type: string
            products.min_price:
              aggregatable: true
              count: 0
              esTypes:
                - half_float
              format:
                id: number
                params:
                  pattern: $0,0.00
              isMapped: true
              name: products.min_price
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: number
            products.price:
              aggregatable: true
              count: 1
              esTypes:
                - half_float
              format:
                id: number
                params:
                  pattern: $0,0.00
              isMapped: true
              name: products.price
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: number
            products.product_id:
              aggregatable: true
              count: 0
              esTypes:
                - long
              format:
                id: number
              isMapped: true
              name: products.product_id
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: number
            products.product_name:
              aggregatable: false
              count: 1
              esTypes:
                - text
              format:
                id: string
              isMapped: true
              name: products.product_name
              readFromDocValues: false
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: string
            products.product_name.keyword:
              aggregatable: true
              count: 0
              esTypes:
                - keyword
              format:
                id: string
              isMapped: true
              name: products.product_name.keyword
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              subType:
                multi:
                  parent: products.product_name
              type: string
            products.quantity:
              aggregatable: true
              count: 0
              esTypes:
                - integer
              format:
                id: number
              isMapped: true
              name: products.quantity
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: number
            products.sku:
              aggregatable: true
              count: 0
              esTypes:
                - keyword
              format:
                id: string
              isMapped: true
              name: products.sku
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: string
            products.tax_amount:
              aggregatable: true
              count: 0
              esTypes:
                - half_float
              format:
                id: number
              isMapped: true
              name: products.tax_amount
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: number
            products.taxful_price:
              aggregatable: true
              count: 0
              esTypes:
                - half_float
              format:
                id: number
                params:
                  pattern: $0,0.00
              isMapped: true
              name: products.taxful_price
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: number
            products.taxless_price:
              aggregatable: true
              count: 0
              esTypes:
                - half_float
              format:
                id: number
                params:
                  pattern: $0,0.00
              isMapped: true
              name: products.taxless_price
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: number
            products.unit_discount_amount:
              aggregatable: true
              count: 0
              esTypes:
                - half_float
              format:
                id: number
              isMapped: true
              name: products.unit_discount_amount
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: number
            sku:
              aggregatable: true
              count: 0
              esTypes:
                - keyword
              format:
                id: string
              isMapped: true
              name: sku
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: string
            taxful_total_price:
              aggregatable: true
              count: 0
              esTypes:
                - half_float
              format:
                id: number
                params:
                  pattern: $0,0.[00]
              isMapped: true
              name: taxful_total_price
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: number
            taxless_total_price:
              aggregatable: true
              count: 0
              esTypes:
                - half_float
              format:
                id: number
                params:
                  pattern: $0,0.00
              isMapped: true
              name: taxless_total_price
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: number
            total_quantity:
              aggregatable: true
              count: 1
              esTypes:
                - integer
              format:
                id: number
              isMapped: true
              name: total_quantity
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: number
            total_unique_products:
              aggregatable: true
              count: 0
              esTypes:
                - integer
              format:
                id: number
              isMapped: true
              name: total_unique_products
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: number
            type:
              aggregatable: true
              count: 0
              esTypes:
                - keyword
              format:
                id: string
              isMapped: true
              name: type
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: string
            user:
              aggregatable: true
              count: 0
              esTypes:
                - keyword
              format:
                id: string
              isMapped: true
              name: user
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: string
          id: ff959d40-b880-11e8-a6d9-e546fe2bba5f
          name: Kibana Sample Data eCommerce
          namespaces:
            - default
          runtimeFieldMap: {}
          sourceFilters: []
          timeFieldName: order_date
          title: kibana_sample_data_ecommerce
          typeMeta: {}
          version: WzUsMV0=
    Data_views_get_data_views_response:
      description: A list of available data views including their identifiers, names, and index patterns.
      summary: The get all data views API returns a list of data views.
      value:
        data_view:
          - id: ff959d40-b880-11e8-a6d9-e546fe2bba5f
            name: Kibana Sample Data eCommerce
            namespaces:
              - default
            title: kibana_sample_data_ecommerce
            typeMeta: {}
          - id: d3d7af60-4c81-11e8-b3d7-01146121b73d
            name: Kibana Sample Data Flights
            namespaces:
              - default
            title: kibana_sample_data_flights
          - id: 90943e30-9a47-11e8-b64d-95841ca0b247
            name: Kibana Sample Data Logs
            namespaces:
              - default
            title: kibana_sample_data_logs
    Data_views_get_default_data_view_response:
      description: The identifier of the default data view for the current Kibana space.
      summary: The get default data view API returns the default data view identifier.
      value:
        data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f
    Data_views_get_runtime_field_response:
      description: The runtime field definition along with the parent data view.
      summary: The get runtime field API returns a JSON object that contains information about the runtime field (`hour_of_day`) and the data view (`d3d7af60-4c81-11e8-b3d7-01146121b73d`).
      value:
        data_view:
          allowNoIndex: false
          fieldAttrs: {}
          fieldFormats:
            AvgTicketPrice:
              id: number
              params:
                pattern: $0,0.[00]
            hour_of_day:
              id: number
              params:
                pattern: '00'
          fields:
            _id:
              aggregatable: false
              count: 0
              esTypes:
                - _id
              format:
                id: string
              isMapped: true
              name: _id
              readFromDocValues: false
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: string
            _index:
              aggregatable: true
              count: 0
              esTypes:
                - _index
              format:
                id: string
              isMapped: true
              name: _index
              readFromDocValues: false
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: string
            _score:
              aggregatable: false
              count: 0
              format:
                id: number
              isMapped: true
              name: _score
              readFromDocValues: false
              scripted: false
              searchable: false
              shortDotsEnable: false
              type: number
            _source:
              aggregatable: false
              count: 0
              esTypes:
                - _source
              format:
                id: _source
              isMapped: true
              name: _source
              readFromDocValues: false
              scripted: false
              searchable: false
              shortDotsEnable: false
              type: _source
            AvgTicketPrice:
              aggregatable: true
              count: 0
              esTypes:
                - float
              format:
                id: number
                params:
                  pattern: $0,0.[00]
              isMapped: true
              name: AvgTicketPrice
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: number
            Cancelled:
              aggregatable: true
              count: 0
              esTypes:
                - boolean
              format:
                id: boolean
              isMapped: true
              name: Cancelled
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: boolean
            Carrier:
              aggregatable: true
              count: 0
              esTypes:
                - keyword
              format:
                id: string
              isMapped: true
              name: Carrier
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: string
            dayOfWeek:
              aggregatable: true
              count: 0
              esTypes:
                - integer
              format:
                id: number
              isMapped: true
              name: dayOfWeek
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: number
            Dest:
              aggregatable: true
              count: 0
              esTypes:
                - keyword
              format:
                id: string
              isMapped: true
              name: Dest
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: string
            DestAirportID:
              aggregatable: true
              count: 0
              esTypes:
                - keyword
              format:
                id: string
              isMapped: true
              name: DestAirportID
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: string
            DestCityName:
              aggregatable: true
              count: 0
              esTypes:
                - keyword
              format:
                id: string
              isMapped: true
              name: DestCityName
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: string
            DestCountry:
              aggregatable: true
              count: 0
              esTypes:
                - keyword
              format:
                id: string
              isMapped: true
              name: DestCountry
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: string
            DestLocation:
              aggregatable: true
              count: 0
              esTypes:
                - geo_point
              format:
                id: geo_point
                params:
                  transform: wkt
              isMapped: true
              name: DestLocation
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: geo_point
            DestRegion:
              aggregatable: true
              count: 0
              esTypes:
                - keyword
              format:
                id: string
              isMapped: true
              name: DestRegion
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: string
            DestWeather:
              aggregatable: true
              count: 0
              esTypes:
                - keyword
              format:
                id: string
              isMapped: true
              name: DestWeather
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: string
            DistanceKilometers:
              aggregatable: true
              count: 0
              esTypes:
                - float
              format:
                id: number
              isMapped: true
              name: DistanceKilometers
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: number
            DistanceMiles:
              aggregatable: true
              count: 0
              esTypes:
                - float
              format:
                id: number
              isMapped: true
              name: DistanceMiles
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: number
            FlightDelay:
              aggregatable: true
              count: 0
              esTypes:
                - boolean
              format:
                id: boolean
              isMapped: true
              name: FlightDelay
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: boolean
            FlightDelayMin:
              aggregatable: true
              count: 0
              esTypes:
                - integer
              format:
                id: number
              isMapped: true
              name: FlightDelayMin
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: number
            FlightDelayType:
              aggregatable: true
              count: 0
              esTypes:
                - keyword
              format:
                id: string
              isMapped: true
              name: FlightDelayType
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: string
            FlightNum:
              aggregatable: true
              count: 0
              esTypes:
                - keyword
              format:
                id: string
              isMapped: true
              name: FlightNum
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: string
            FlightTimeHour:
              aggregatable: true
              count: 0
              esTypes:
                - keyword
              format:
                id: string
              isMapped: true
              name: FlightTimeHour
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: string
            FlightTimeMin:
              aggregatable: true
              count: 0
              esTypes:
                - float
              format:
                id: number
              isMapped: true
              name: FlightTimeMin
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: number
            hour_of_day:
              aggregatable: true
              count: 0
              esTypes:
                - long
              format:
                id: number
                params:
                  pattern: '00'
              name: hour_of_day
              readFromDocValues: false
              runtimeField:
                script:
                  source: emit(doc['timestamp'].value.getHour());
                type: long
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: number
            Origin:
              aggregatable: true
              count: 0
              esTypes:
                - keyword
              format:
                id: string
              isMapped: true
              name: Origin
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: string
            OriginAirportID:
              aggregatable: true
              count: 0
              esTypes:
                - keyword
              format:
                id: string
              isMapped: true
              name: OriginAirportID
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: string
            OriginCityName:
              aggregatable: true
              count: 0
              esTypes:
                - keyword
              format:
                id: string
              isMapped: true
              name: OriginCityName
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: string
            OriginCountry:
              aggregatable: true
              count: 0
              esTypes:
                - keyword
              format:
                id: string
              isMapped: true
              name: OriginCountry
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: string
            OriginLocation:
              aggregatable: true
              count: 0
              esTypes:
                - geo_point
              format:
                id: geo_point
                params:
                  transform: wkt
              isMapped: true
              name: OriginLocation
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: geo_point
            OriginRegion:
              aggregatable: true
              count: 0
              esTypes:
                - keyword
              format:
                id: string
              isMapped: true
              name: OriginRegion
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: string
            OriginWeather:
              aggregatable: true
              count: 0
              esTypes:
                - keyword
              format:
                id: string
              isMapped: true
              name: OriginWeather
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: string
            timestamp:
              aggregatable: true
              count: 0
              esTypes:
                - date
              format:
                id: date
              isMapped: true
              name: timestamp
              readFromDocValues: true
              scripted: false
              searchable: true
              shortDotsEnable: false
              type: date
          id: d3d7af60-4c81-11e8-b3d7-01146121b73d
          name: Kibana Sample Data Flights
          runtimeFieldMap:
            hour_of_day:
              script:
                source: emit(doc['timestamp'].value.getHour());
              type: long
          sourceFilters: []
          timeFieldName: timestamp
          title: kibana_sample_data_flights
          version: WzM2LDJd
        fields:
          - aggregatable: true
            count: 0
            esTypes:
              - long
            name: hour_of_day
            readFromDocValues: false
            runtimeField:
              script:
                source: emit(doc['timestamp'].value.getHour());
              type: long
            scripted: false
            searchable: true
            shortDotsEnable: false
            type: number
    Data_views_preview_swap_data_view_request:
      description: Preview the saved objects that would be affected by swapping references from one data view to another.
      summary: Preview swapping references from data view ID "abcd-efg" to "xyz-123".
      value:
        fromId: abcd-efg
        toId: xyz-123
    Data_views_preview_swap_data_view_response:
      description: The result array lists every saved object that references the source data view. No saved objects are modified by the preview endpoint.
      summary: A preview of saved objects that would be affected by a data view swap.
      value:
        result:
          - id: 8963ca30-bca7-11e8-aa00-0123456789ab
            type: visualization
          - id: edf84fe0-e1a0-11e7-b6d5-4dc382ef7f5b
            type: dashboard
    Data_views_set_default_data_view_request:
      description: Set the default data view, using the force flag to overwrite an existing default.
      summary: Set the default data view identifier.
      value:
        data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f
        force: true
    Data_views_set_default_data_view_response:
      description: The acknowledged flag confirms that the default data view for the current Kibana space was updated.
      summary: The default data view was set successfully.
      value:
        acknowledged: true
    Data_views_swap_data_view_request:
      description: Swap all saved object references from one data view to another and delete the source data view afterward.
      summary: Swap references from data view ID "abcd-efg" to "xyz-123" and remove the data view that is no longer referenced.
      value:
        delete: true
        fromId: abcd-efg
        toId: xyz-123
    Data_views_swap_data_view_response:
      description: The list of saved objects whose references were updated, along with the delete status of the source.
      summary: The swap references API returns a list of the affected saved objects.
      value:
        deleteStatus:
          deletePerformed: true
          remainingRefs: 0
        result:
          - id: '123'
            type: visualization
    Data_views_update_data_view_request:
      description: Update the title, time field, and other properties of an existing data view.
      summary: Update some properties for a data view.
      value:
        data_view:
          allowNoIndex: false
          name: Kibana Sample Data eCommerce
          timeFieldName: order_date
          title: kibana_sample_data_ecommerce
        refresh_fields: true
    Data_views_update_field_metadata_request:
      description: Update the popularity count, custom label, and custom description for specific fields in a data view.
      summary: Update metadata for multiple fields.
      value:
        fields:
          field1:
            count: 123
            customLabel: Field 1 label
          field2:
            customDescription: Field 2 description
            customLabel: Field 2 label
    Data_views_update_field_metadata_response:
      description: The acknowledged flag confirms that the field metadata changes were applied to the data view.
      summary: Field metadata was updated successfully.
      value:
        acknowledged: true
    Data_views_update_runtime_field_request:
      description: Update the script of an existing runtime field.
      summary: Update an existing runtime field on a data view.
      value:
        runtimeField:
          script:
            source: emit(doc["bar"].value)
    Machine_learning_APIs_mlSync401Example:
      summary: An unauthorized (401) response returned when the user making the request cannot be authenticated.
      value:
        error: Unauthorized
        message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [ml_viewer] for REST request [/_security/_authenticate]]: unable to authenticate user [ml_viewer] for REST request [/_security/_authenticate]"
        statusCode: 401
    Machine_learning_APIs_mlSyncExample:
      summary: Two anomaly detection jobs required synchronization in this example.
      value:
        datafeedsAdded: {}
        datafeedsRemoved: {}
        savedObjectsCreated:
          anomaly-detector:
            myjob1:
              success: true
            myjob2:
              success: true
        savedObjectsDeleted: {}
    Observability_AI_Assistant_API_ChatCompleteRequestExample:
      summary: Example of completing a chat interaction
      value: |
        {
          "connectorId": "<connectorId>",
          "disableFunctions": false,
          "messages": [
            {
              "@timestamp": "2025-06-25T23:45:00.000Z",
              "message": {
                "role": "user",
                "content": "Is my Elasticsearch cluster healthy right now?"
              }
            }
          ],
          "persist": false,
          "actions": [
            {
              "name": "get_cluster_health",
              "description": "Fetch the current Elasticsearch cluster-health status and key metrics.",
              "parameters": {
                "type": "object",
                "properties": {
                  "includeShardStats": {
                    "type": "boolean",
                    "default": false
                  }
                }
              }
            }
          ],
          "instructions": ["When the user asks about Elasticsearch cluster health, use the get_cluster_health tool to retrieve cluster health, then summarize the response in plain English."]
        }
    Observability_AI_Assistant_API_ChatCompleteResponseExample:
      summary: Get a chat completion from the Observability AI Assistant
      value: |
        data: {"model":"unknown","choices":[{"delta":{"content":"","function_call":{"name":"get_cluster_health","arguments":"{\"includeShardStats\":true}"}},"finish_reason":null,"index":0}],"created":1750936626911,"id":"9c8eff9b-4fd4-4203-a4ab-2e364688deff","object":"chat.completion.chunk"}

        data: [DONE]
    Security_Detections_API_SetAlertAssigneesBodyAdd:
      value:
        assignees:
          add:
            - u_MxY0jbrft7EcfC6iNZSUGeI_n6iYrSwZj5mWF5EqmSU_0
          remove: []
        ids:
          - 681c2a707335aa7df5f349b70013d87254746191712ecf0ced9b3e2d538503a6
    Security_Detections_API_SetAlertAssigneesBodyRemove:
      value:
        assignees:
          add: []
          remove:
            - u_MxY0jbrft7EcfC6iNZSUGeI_n6iYrSwZj5mWF5EqmSU_0
        ids:
          - 681c2a707335aa7df5f349b70013d87254746191712ecf0ced9b3e2d538503a6
    Security_Detections_API_SetAlertTagsBodyAdd:
      value:
        ids:
          - 549c7129c76cbd554aba1bd638f8a49dde95088f5832e50218358e7eca1cf16e
        tags:
          tags_to_add:
            - Duplicate
          tags_to_remove: []
    Security_Detections_API_SetAlertTagsBodyRemove:
      value:
        ids:
          - 549c7129c76cbd554aba1bd638f8a49dde95088f5832e50218358e7eca1cf16e
        tags:
          tags_to_add: []
          tags_to_remove:
            - Duplicate
    Task_manager_health_Serverless_APIs_health_200response_serverless:
      description: A successful response from `GET api/task_manager/_health`.
      value: |-
        {
          "id": "b44483e1-3ba2-4f28-93d0-1d96c69c32c1",
          "timestamp": "2025-03-21T21:49:50.409Z",
          "status": "OK",
          "last_update": "2025-03-21T21:48:53.996Z",
          "stats": {
            "configuration": {
              "timestamp": "2025-03-21T21:47:51.663Z",
              "value": {
                "request_capacity": 1000,
                "monitored_aggregated_stats_refresh_rate": 60000,
                "monitored_stats_running_average_window": 50,
                "monitored_task_execution_thresholds": {
                  "custom": {},
                  "default": {
                    "error_threshold": 90,
                    "warn_threshold": 80
                  }
                },
                "claim_strategy": "mget",
                "poll_interval": 500,
                "capacity": {
                  "config": 10,
                  "as_workers": 10,
                  "as_cost": 20
                }
              },
              "status": "OK"
            },
            "workload": {
              "timestamp": "2025-03-21T21:48:53.996Z",
              "value": {
                "count": 21,
                "cost": 42,
                "task_types": {
                  "Fleet-Metrics-Task": {
                    "count": 1,
                    "cost": 2,
                    "status": {
                      "idle": 1
                    }
                  },
                  "Fleet-Usage-Logger": {
                    "count": 1,
                    "cost": 2,
                    "status": {
                      "idle": 1
                    }
                  },
                  "Fleet-Usage-Sender": {
                    "count": 1,
                    "cost": 2,
                    "status": {
                      "idle": 1
                    }
                  },
                  "ML:saved-objects-sync": {
                    "count": 1,
                    "cost": 2,
                    "status": {
                      "idle": 1
                    }
                  },
                  "actions:connector_usage_reporting": {
                    "count": 1,
                    "cost": 2,
                    "status": {
                      "idle": 1
                    }
                  },
                  "actions_telemetry": {
                    "count": 1,
                    "cost": 2,
                    "status": {
                      "idle": 1
                    }
                  },
                  "alerting_health_check": {
                    "count": 1,
                    "cost": 2,
                    "status": {
                      "idle": 1
                    }
                  },
                  "alerting_telemetry": {
                    "count": 1,
                    "cost": 2,
                    "status": {
                      "idle": 1
                    }
                  },
                  "alerts_invalidate_api_keys": {
                    "count": 1,
                    "cost": 2,
                    "status": {
                      "idle": 1
                    }
                  },
                  "cases-telemetry-task": {
                    "count": 1,
                    "cost": 2,
                    "status": {
                      "idle": 1
                    }
                  },
                  "dashboard_telemetry": {
                    "count": 1,
                    "cost": 2,
                    "status": {
                      "idle": 1
                    }
                  },
                  "fleet:automatic-agent-upgrade-task": {
                    "count": 1,
                    "cost": 2,
                    "status": {
                      "idle": 1
                    }
                  },
                  "fleet:check-deleted-files-task": {
                    "count": 1,
                    "cost": 2,
                    "status": {
                      "idle": 1
                    }
                  },
                  "fleet:delete-unenrolled-agents-task": {
                    "count": 1,
                    "cost": 2,
                    "status": {
                      "idle": 1
                    }
                  },
                  "fleet:sync-integrations-task": {
                    "count": 1,
                    "cost": 2,
                    "status": {
                      "idle": 1
                    }
                  },
                  "fleet:unenroll-inactive-agents-task": {
                    "count": 1,
                    "cost": 2,
                    "status": {
                      "idle": 1
                    }
                  },
                  "fleet:upgrade-agentless-deployments-task": {
                    "count": 1,
                    "cost": 2,
                    "status": {
                      "idle": 1
                    }
                  },
                  "session_cleanup": {
                    "count": 1,
                    "cost": 2,
                    "status": {
                      "idle": 1
                    }
                  },
                  "task_manager:delete_inactive_background_task_nodes": {
                    "count": 1,
                    "cost": 2,
                    "status": {
                      "idle": 1
                    }
                  },
                  "task_manager:mark_removed_tasks_as_unrecognized": {
                    "count": 1,
                    "cost": 2,
                    "status": {
                      "idle": 1
                    }
                  }
                },
                "non_recurring": 1,
                "non_recurring_cost": 2,
                "schedule": [
                  [
                    "1m",
                    2
                  ],
                  [
                    "5m",
                    2
                  ],
                  [
                    "10m",
                    1
                  ],
                  [
                    "15m",
                    1
                  ],
                  [
                    "30m",
                    1
                  ],
                  [
                    "1h",
                    5
                  ],
                  [
                    "3600s",
                    1
                  ],
                  [
                    "60m",
                    1
                  ],
                  [
                    "720m",
                    1
                  ],
                  [
                    "1d",
                    4
                  ],
                  [
                    "1440m",
                    1
                  ]
                ],
                "overdue": 0,
                "overdue_cost": 0,
                "overdue_non_recurring": 0,
                "estimated_schedule_density": [
                  0,
                  0,
                  1,
                  0,
                  0,
                  0,
                  0,
                  1,
                  0,
                  0,
                  0,
                  0,
                  0,
                  0,
                  0,
                  0,
                  0,
                  0,
                  0,
                  0,
                  0,
                  0,
                  0,
                  0,
                  0,
                  0,
                  0,
                  0,
                  0,
                  0,
                  0,
                  0,
                  0,
                  0,
                  0,
                  0,
                  0,
                  0,
                  0,
                  0,
                  0,
                  0,
                  0,
                  0,
                  0,
                  0,
                  0,
                  0,
                  0,
                  0
                ],
                "capacity_requirements": {
                  "per_minute": 2,
                  "per_hour": 43,
                  "per_day": 7
                }
              },
              "status": "OK"
            }
          }
        }
    get_connector_types_generativeai_response:
      summary: A list of connector types for the `generativeAI` feature.
      value:
        - id: .gen-ai
          name: OpenAI
          enabled: true
          enabled_in_config: true
          enabled_in_license: true
          minimum_license_required: enterprise
          supported_feature_ids:
            - generativeAIForSecurity
            - generativeAIForObservability
            - generativeAIForSearchPlayground
          is_system_action_type: false
        - id: .bedrock
          name: AWS Bedrock
          enabled: true
          enabled_in_config: true
          enabled_in_license: true
          minimum_license_required: enterprise
          supported_feature_ids:
            - generativeAIForSecurity
            - generativeAIForObservability
            - generativeAIForSearchPlayground
          is_system_action_type: false
        - id: .gemini
          name: Google Gemini
          enabled: true
          enabled_in_config: true
          enabled_in_license: true
          minimum_license_required: enterprise
          supported_feature_ids:
            - generativeAIForSecurity
          is_system_action_type: false
    get_connector_response:
      summary: Get connector details.
      value:
        id: df770e30-8b8b-11ed-a780-3b746c987a81
        name: my_server_log_connector
        config: {}
        connector_type_id: .server-log
        is_preconfigured: false
        is_deprecated: false
        is_missing_secrets: false
        is_system_action: false
    update_index_connector_request:
      summary: Update an index connector.
      value:
        name: updated-connector
        config:
          index: updated-index
    create_email_connector_request:
      summary: Create an email connector.
      value:
        name: email-connector-1
        connector_type_id: .email
        config:
          from: tester@example.com
          hasAuth: true
          host: https://example.com
          port: 1025
          secure: false
          service: other
        secrets:
          user: username
          password: password
    create_index_connector_request:
      summary: Create an index connector.
      value:
        name: my-connector
        connector_type_id: .index
        config:
          index: test-index
    create_webhook_connector_request:
      summary: Create a webhook connector with SSL authentication.
      value:
        name: my-webhook-connector
        connector_type_id: .webhook
        config:
          method: post
          url: https://example.com
          authType: webhook-authentication-ssl
          certType: ssl-crt-key
        secrets:
          crt: QmFnIEF0dH...
          key: LS0tLS1CRUdJ...
          password: my-passphrase
    create_xmatters_connector_request:
      summary: Create an xMatters connector with URL authentication.
      value:
        name: my-xmatters-connector
        connector_type_id: .xmatters
        config:
          usesBasic: false
        secrets:
          secretsUrl: https://example.com?apiKey=xxxxx
    create_email_connector_response:
      summary: A new email connector.
      value:
        id: 90a82c60-478f-11ee-a343-f98a117c727f
        connector_type_id: .email
        name: email-connector-1
        config:
          from: tester@example.com
          service: other
          host: https://example.com
          port: 1025
          secure: false
          hasAuth: true
          tenantId: null
          clientId: null
          oauthTokenUrl: null
        is_preconfigured: false
        is_deprecated: false
        is_missing_secrets: false
        is_system_action: false
    create_index_connector_response:
      summary: A new index connector.
      value:
        id: c55b6eb0-6bad-11eb-9f3b-611eebc6c3ad
        connector_type_id: .index
        name: my-connector
        config:
          index: test-index
          refresh: false
          executionTimeField: null
        is_preconfigured: false
        is_deprecated: false
        is_missing_secrets: false
        is_system_action: false
    create_webhook_connector_response:
      summary: A new webhook connector.
      value:
        id: 900eb010-3b9d-11ee-a642-8ffbb94e38bd
        name: my-webhook-connector
        config:
          method: post
          url: https://example.com
          authType: webhook-authentication-ssl
          certType: ssl-crt-key
          verificationMode: full
          headers: null
          hasAuth: true
        connector_type_id: .webhook
        is_preconfigured: false
        is_deprecated: false
        is_missing_secrets: false
        is_system_action: false
    run_index_connector_request:
      summary: Run an index connector.
      value:
        params:
          documents:
            - id: my_doc_id
              name: my_doc_name
              message: hello, world
    run_jira_connector_request:
      summary: Run a Jira connector to retrieve the list of issue types.
      value:
        params:
          subAction: issueTypes
    run_servicenow_itom_connector_request:
      summary: Run a ServiceNow ITOM connector to retrieve the list of choices.
      value:
        params:
          subAction: getChoices
          subActionParams:
            fields:
              - severity
              - urgency
    run_slack_api_connector_request:
      summary: Run a Slack connector that uses the web API method to post a message on a channel.
      value:
        params:
          subAction: postMessage
          subActionParams:
            channelIds:
              - C123ABC456
            text: A test message.
    run_swimlane_connector_request:
      summary: Run a Swimlane connector to create an incident.
      value:
        params:
          subAction: pushToService
          subActionParams:
            comments:
              - commentId: 1
                comment: A comment about the incident.
            incident:
              caseId: '1000'
              caseName: Case name
              description: Description of the incident.
    run_index_connector_response:
      summary: Response from running an index connector.
      value:
        connector_id: fd38c600-96a5-11ed-bb79-353b74189cba
        data:
          errors: false
          items:
            - create:
                _id: 4JtvwYUBrcyxt2NnfW3y
                _index: my-index
                _primary_term: 1
                _seq_no: 0
                _shards:
                  failed: 0
                  successful: 1
                  total: 2
                _version: 1
                result: created
                status: 201
          took: 135
        status: ok
    run_jira_connector_response:
      summary: Response from retrieving the list of issue types for a Jira connector.
      value:
        connector_id: b3aad810-edbe-11ec-82d1-11348ecbf4a6
        data:
          - id: 10024
            name: Improvement
          - id: 10006
            name: Task
          - id: 10007
            name: Sub-task
          - id: 10025
            name: New Feature
          - id: 10023
            name: Bug
          - id: 10000
            name: Epic
        status: ok
    run_server_log_connector_response:
      summary: Response from running a server log connector.
      value:
        connector_id: 7fc7b9a0-ecc9-11ec-8736-e7d63118c907
        status: ok
    run_servicenow_itom_connector_response:
      summary: Response from retrieving the list of choices for a ServiceNow ITOM connector.
      value:
        connector_id: 9d9be270-2fd2-11ed-b0e0-87533c532698
        data:
          - dependent_value: ''
            element: severity
            label: Critical
            value: 1
          - dependent_value: ''
            element: severity
            label: Major
            value: 2
          - dependent_value: ''
            element: severity
            label: Minor
            value: 3
          - dependent_value: ''
            element: severity
            label: Warning
            value: 4
          - dependent_value: ''
            element: severity
            label: OK
            value: 5
          - dependent_value: ''
            element: severity
            label: Clear
            value: 0
          - dependent_value: ''
            element: urgency
            label: 1 - High
            value: 1
          - dependent_value: ''
            element: urgency
            label: 2 - Medium
            value: 2
          - dependent_value: ''
            element: urgency
            label: 3 - Low
            value: 3
        status: ok
    run_slack_api_connector_response:
      summary: Response from posting a message with a Slack connector.
      value:
        status: ok
        data:
          ok: true
          channel: C123ABC456
          ts: '1234567890.123456'
          message:
            bot_id: B12BCDEFGHI
            type: message
            text: A test message
            user: U12A345BC6D
            ts: '1234567890.123456'
            app_id: A01BC2D34EF
            blocks:
              - type: rich_text
                block_id: /NXe
                elements:
                  - type: rich_text_section
                    elements:
                      - type: text
                        text: A test message.
            team: T01ABCDE2F
            bot_profile:
              id: B12BCDEFGHI
              app_id: A01BC2D34EF
              name: test
              icons:
                image_36: https://a.slack-edge.com/80588/img/plugins/app/bot_36.png
              deleted: false
              updated: 1672169705
              team_id: T01ABCDE2F
        connector_id: .slack_api
    run_swimlane_connector_response:
      summary: Response from creating a Swimlane incident.
      value:
        connector_id: a4746470-2f94-11ed-b0e0-87533c532698
        data:
          id: aKPmBHWzmdRQtx6Mx
          title: TEST-457
          url: https://elastic.swimlane.url.us/record/aNcL2xniGHGpa2AHb/aKPmBHWzmdRQtx6Mx
          pushedDate: '2022-09-08T16:52:27.866Z'
          comments:
            - commentId: 1
              pushedDate: '2022-09-08T16:52:27.865Z'
        status: ok
    get_connectors_response:
      summary: A list of connectors
      value:
        - id: preconfigured-email-connector
          name: my-preconfigured-email-notification
          connector_type_id: .email
          is_preconfigured: true
          is_deprecated: false
          referenced_by_count: 0
          is_system_action: false
        - id: e07d0c80-8b8b-11ed-a780-3b746c987a81
          name: my-index-connector
          config:
            index: test-index
            refresh: false
            executionTimeField: null
          connector_type_id: .index
          is_preconfigured: false
          is_deprecated: false
          referenced_by_count: 2
          is_missing_secrets: false
          is_system_action: false
    get_spaces_response1:
      summary: Get all spaces
      description: Get all spaces without specifying any options.
      value:
        - id: default
          name: Default
          description: This is the Default Space
          disabledFeatures: []
          imageUrl: ''
          _reserved: true
        - id: marketing
          name: Marketing
          description: This is the Marketing Space
          color: null
          disabledFeatures:
            - apm
          initials: MK
          imageUrl: data:image/png;base64,iVBORw0KGgoAAAANSU
        - id: sales
          name: Sales
          initials: MK
          disabledFeatures:
            - discover
          imageUrl: ''
          solution: oblt
    get_spaces_response2:
      summary: Get all spaces with custom options
      description: |
        The user has read-only access to the Sales space. Get all spaces with the following query parameters: "purpose=shareSavedObjectsIntoSpace&include_authorized_purposes=true"
      value:
        - id: default
          name: Default
          description: This is the Default Space
          disabledFeatures: []
          imageUrl: ''
          _reserved: true
          authorizedPurposes:
            any: true
            copySavedObjectsIntoSpace: true
            findSavedObjects: true
            shareSavedObjectsIntoSpace: true
        - id: marketing
          name: Marketing
          description: This is the Marketing Space
          color: null
          disabledFeatures:
            - apm
          initials: MK
          imageUrl: data:image/png;base64,iVBORw0KGgoAAAANSU
          authorizedPurposes:
            any: true
            copySavedObjectsIntoSpace: true
            findSavedObjects: true
            shareSavedObjectsIntoSpace: true
        - id: sales
          name: Sales
          initials: MK
          disabledFeatures:
            - discover
          imageUrl: ''
          authorizedPurposes:
            any: true
            copySavedObjectsIntoSpace: false
            findSavedObjects: true
            shareSavedObjectsIntoSpace: false
    create_space_request:
      summary: Create a marketing space
      value:
        id: marketing
        name: Marketing
        description: This is the Marketing Space
        color: null
        initials: MK
        disabledFeatures: []
        imageUrl: data:image/png;base64,iVBORw0KGgoAAAANSU
    get_space_response:
      summary: Get details about a marketing space
      value:
        id: marketing
        name: Marketing
        description: This is the Marketing Space
        color: null
        initials: MK
        disabledFeatures: []
        imageUrl: ''
        solution: es
    update_space_request:
      summary: Update a marketing space
      description: Update the marketing space to remove the imageUrl.
      value:
        id: marketing
        name: Marketing
        description: This is the Marketing Space
        color: null
        initials: MK
        disabledFeatures: []
        imageUrl: ''
  parameters:
    APM_UI_elastic_api_version:
      description: The version of the API to use
      in: header
      name: elastic-api-version
      required: true
      schema:
        default: '2023-10-31'
        enum:
          - '2023-10-31'
        type: string
    APM_UI_kbn_xsrf:
      description: A required header to protect against CSRF attacks
      in: header
      name: kbn-xsrf
      required: true
      schema:
        example: 'true'
        type: string
    Data_views_field_name:
      description: The name of the runtime field.
      in: path
      name: fieldName
      required: true
      schema:
        example: hour_of_day
        type: string
    Data_views_kbn_xsrf:
      description: Cross-site request forgery protection
      in: header
      name: kbn-xsrf
      required: true
      schema:
        type: string
    Data_views_view_id:
      description: An identifier for the data view.
      in: path
      name: viewId
      required: true
      schema:
        example: ff959d40-b880-11e8-a6d9-e546fe2bba5f
        type: string
    Machine_learning_APIs_simulateParam:
      description: When true, simulates the synchronization by returning only the list of actions that would be performed.
      example: 'true'
      in: query
      name: simulate
      required: false
      schema:
        type: boolean
    SLOs_kbn_xsrf:
      description: Cross-site request forgery protection
      in: header
      name: kbn-xsrf
      required: true
      schema:
        type: string
    SLOs_slo_id:
      description: An identifier for the SLO.
      in: path
      name: sloId
      required: true
      schema:
        example: 9c235211-6834-11ea-a78c-6feb38a34414
        type: string
    SLOs_space_id:
      description: An identifier for the space. If `/s/` and the identifier are omitted from the path, the default space is used.
      in: path
      name: spaceId
      required: true
      schema:
        example: default
        type: string
  schemas:
    APM_UI_400_response:
      type: object
      properties:
        error:
          description: Error type
          example: Not Found
          type: string
        message:
          description: Error message
          example: Not Found
          type: string
        statusCode:
          description: Error status code
          example: 400
          type: number
    APM_UI_401_response:
      type: object
      properties:
        error:
          description: Error type
          example: Unauthorized
          type: string
        message:
          description: Error message
          type: string
        statusCode:
          description: Error status code
          example: 401
          type: number
    APM_UI_403_response:
      type: object
      properties:
        error:
          description: Error type
          example: Forbidden
          type: string
        message:
          description: Error message
          type: string
        statusCode:
          description: Error status code
          example: 403
          type: number
    APM_UI_404_response:
      type: object
      properties:
        error:
          description: Error type
          example: Not Found
          type: string
        message:
          description: Error message
          example: Not Found
          type: string
        statusCode:
          description: Error status code
          example: 404
          type: number
    APM_UI_500_response:
      type: object
      properties:
        error:
          description: Error type
          example: Internal Server Error
          type: string
        message:
          description: Error message
          type: string
        statusCode:
          description: Error status code
          example: 500
          type: number
    APM_UI_501_response:
      type: object
      properties:
        error:
          description: Error type
          example: Not Implemented
          type: string
        message:
          description: Error message
          example: Not Implemented
          type: string
        statusCode:
          description: Error status code
          example: 501
          type: number
    APM_UI_agent_configuration_intake_object:
      type: object
      properties:
        agent_name:
          description: The agent name is used by the UI to determine which settings to display.
          type: string
        service:
          $ref: '#/components/schemas/APM_UI_service_object'
        settings:
          $ref: '#/components/schemas/APM_UI_settings_object'
      required:
        - service
        - settings
    APM_UI_agent_configuration_object:
      description: Agent configuration
      type: object
      properties:
        '@timestamp':
          description: Timestamp
          example: 1730194190636
          type: number
        agent_name:
          description: Agent name
          type: string
        applied_by_agent:
          description: Applied by agent
          example: true
          type: boolean
        etag:
          description: |
            `etag` is sent by the APM agent to indicate the `etag` of the last successfully applied configuration. If the `etag` matches an existing configuration, its `applied_by_agent` property will be set to `true`. Every time a configuration is edited, `applied_by_agent` is reset to `false`.
          example: 0bc3b5ebf18fba8163fe4c96f491e3767a358f85
          type: string
        service:
          $ref: '#/components/schemas/APM_UI_service_object'
        settings:
          $ref: '#/components/schemas/APM_UI_settings_object'
      required:
        - service
        - settings
        - '@timestamp'
        - etag
    APM_UI_agent_configurations_response:
      type: object
      properties:
        configurations:
          description: Agent configuration
          items:
            $ref: '#/components/schemas/APM_UI_agent_configuration_object'
          type: array
    APM_UI_agent_keys_object:
      type: object
      properties:
        name:
          description: The name of the APM agent key.
          type: string
        privileges:
          description: |
            The APM agent key privileges. It can take one or more of the following values:

            * `event:write`, which is required for ingesting APM agent events.
            * `config_agent:read`, which is required for APM agents to read agent configuration remotely.
          items:
            enum:
              - event:write
              - config_agent:read
            type: string
          type: array
      required:
        - name
        - privileges
    APM_UI_agent_keys_response:
      type: object
      properties:
        agentKey:
          description: Agent key
          type: object
          properties:
            api_key:
              type: string
            encoded:
              type: string
            expiration:
              format: int64
              type: integer
            id:
              type: string
            name:
              type: string
          required:
            - id
            - name
            - api_key
            - encoded
    APM_UI_annotation_search_response:
      type: object
      properties:
        annotations:
          description: Annotations
          items:
            type: object
            properties:
              '@timestamp':
                type: number
              id:
                type: string
              text:
                type: string
              type:
                enum:
                  - version
                type: string
          type: array
    APM_UI_base_source_map_object:
      type: object
      properties:
        compressionAlgorithm:
          description: Compression Algorithm
          type: string
        created:
          description: Created date
          type: string
        decodedSha256:
          description: Decoded SHA-256
          type: string
        decodedSize:
          description: Decoded size
          type: number
        encodedSha256:
          description: Encoded SHA-256
          type: string
        encodedSize:
          description: Encoded size
          type: number
        encryptionAlgorithm:
          description: Encryption Algorithm
          type: string
        id:
          description: Identifier
          type: string
        identifier:
          description: Identifier
          type: string
        packageName:
          description: Package name
          type: string
        relative_url:
          description: Relative URL
          type: string
        type:
          description: Type
          type: string
    APM_UI_create_annotation_object:
      type: object
      properties:
        '@timestamp':
          description: The date and time of the annotation. It must be in ISO 8601 format.
          type: string
        message:
          description: The message displayed in the annotation. It defaults to `service.version`.
          type: string
        service:
          description: The service that identifies the configuration to create or update.
          type: object
          properties:
            environment:
              description: The environment of the service.
              type: string
            version:
              description: The version of the service.
              type: string
          required:
            - version
        tags:
          description: |
            Tags are used by the Applications UI to distinguish APM annotations from other annotations. Tags may have additional functionality in future releases. It defaults to `[apm]`. While you can add additional tags, you cannot remove the `apm` tag.
          items:
            type: string
          type: array
      required:
        - '@timestamp'
        - service
    APM_UI_create_annotation_response:
      type: object
      properties:
        _id:
          description: Identifier
          type: string
        _index:
          description: Index
          type: string
        _source:
          description: Response
          type: object
          properties:
            '@timestamp':
              type: string
            annotation:
              type: object
              properties:
                title:
                  type: string
                type:
                  type: string
            event:
              type: object
              properties:
                created:
                  type: string
            message:
              type: string
            service:
              type: object
              properties:
                environment:
                  type: string
                name:
                  type: string
                version:
                  type: string
            tags:
              items:
                type: string
              type: array
    APM_UI_delete_agent_configurations_response:
      type: object
      properties:
        result:
          description: Result
          type: string
    APM_UI_delete_service_object:
      description: Service
      type: object
      properties:
        service:
          $ref: '#/components/schemas/APM_UI_service_object'
      required:
        - service
    APM_UI_search_agent_configuration_object:
      type: object
      properties:
        error:
          description: |
            If provided, the agent configuration will be marked as error and `applied_by_agent` will be set to `false`.
            This is useful for cases where the agent configuration was not applied successfully.
          type: string
        etag:
          description: If the etags match, the `applied_by_agent` field will be set to `true`.
          example: 0bc3b5ebf18fba8163fe4c96f491e3767a358f85
          type: string
        mark_as_applied_by_agent:
          description: |
            `markAsAppliedByAgent=true` means "force setting it to true regardless of etag".
            This is needed for the Jaeger agent, which doesn't have etags.
          type: boolean
        service:
          $ref: '#/components/schemas/APM_UI_service_object'
      required:
        - service
    APM_UI_search_agent_configuration_response:
      type: object
      properties:
        _id:
          description: Identifier
          type: string
        _index:
          description: Index
          type: string
        _score:
          description: Score
          type: number
        _source:
          $ref: '#/components/schemas/APM_UI_agent_configuration_object'
    APM_UI_service_agent_name_response:
      type: object
      properties:
        agentName:
          description: Agent name
          example: nodejs
          type: string
    APM_UI_service_environment_object:
      type: object
      properties:
        alreadyConfigured:
          description: Already configured
          type: boolean
        name:
          description: Service environment name
          example: ALL_OPTION_VALUE
          type: string
    APM_UI_service_environments_response:
      type: object
      properties:
        environments:
          description: Service environment list
          items:
            $ref: '#/components/schemas/APM_UI_service_environment_object'
          type: array
    APM_UI_service_object:
      description: Service
      type: object
      properties:
        environment:
          description: The environment of the service.
          example: prod
          type: string
        name:
          description: The name of the service.
          example: node
          type: string
    APM_UI_settings_object:
      additionalProperties:
        type: string
      description: Agent configuration settings
      type: object
    APM_UI_single_agent_configuration_response:
      allOf:
        - type: object
          properties:
            id:
              type: string
          required:
            - id
        - $ref: '#/components/schemas/APM_UI_agent_configuration_object'
    APM_UI_source_maps_response:
      type: object
      properties:
        artifacts:
          description: Artifacts
          items:
            allOf:
              - type: object
                properties:
                  body:
                    type: object
                    properties:
                      bundleFilepath:
                        type: string
                      serviceName:
                        type: string
                      serviceVersion:
                        type: string
                      sourceMap:
                        type: object
                        properties:
                          file:
                            type: string
                          mappings:
                            type: string
                          sourceRoot:
                            type: string
                          sources:
                            items:
                              type: string
                            type: array
                          sourcesContent:
                            items:
                              type: string
                            type: array
                          version:
                            type: number
              - $ref: '#/components/schemas/APM_UI_base_source_map_object'
          type: array
    APM_UI_upload_source_map_object:
      type: object
      properties:
        bundle_filepath:
          description: The absolute path of the final bundle as used in the web application.
          type: string
        service_name:
          description: The name of the service that the source map should apply to.
          type: string
        service_version:
          description: The version of the service that the source map should apply to.
          type: string
        sourcemap:
          description: |
            The source map. It can be a string or file upload. It must follow the
            [source map format specification](https://tc39.es/ecma426/).
          format: binary
          type: string
      required:
        - service_name
        - service_version
        - bundle_filepath
        - sourcemap
    APM_UI_upload_source_maps_response:
      allOf:
        - type: object
          properties:
            body:
              type: string
        - $ref: '#/components/schemas/APM_UI_base_source_map_object'
    Data_views_400_response:
      title: Bad request
      type: object
      properties:
        error:
          example: Bad Request
          type: string
        message:
          type: string
        statusCode:
          example: 400
          type: number
      required:
        - statusCode
        - error
        - message
    Data_views_404_response:
      type: object
      properties:
        error:
          enum:
            - Not Found
          example: Not Found
          type: string
        message:
          example: Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] not found
          type: string
        statusCode:
          enum:
            - 404
          example: 404
          type: integer
    Data_views_allownoindex:
      description: Allows the data view saved object to exist before the data is available. Defaults to `false`.
      type: boolean
    Data_views_create_data_view_request_object:
      title: Create data view request
      type: object
      properties:
        data_view:
          description: The data view object.
          type: object
          properties:
            allowNoIndex:
              $ref: '#/components/schemas/Data_views_allownoindex'
            fieldAttrs:
              additionalProperties:
                $ref: '#/components/schemas/Data_views_fieldattrs'
              type: object
            fieldFormats:
              $ref: '#/components/schemas/Data_views_fieldformats'
            fields:
              type: object
            id:
              type: string
            name:
              description: The data view name.
              type: string
            namespaces:
              $ref: '#/components/schemas/Data_views_namespaces'
            runtimeFieldMap:
              additionalProperties:
                $ref: '#/components/schemas/Data_views_runtimefieldmap'
              type: object
            sourceFilters:
              $ref: '#/components/schemas/Data_views_sourcefilters'
            timeFieldName:
              $ref: '#/components/schemas/Data_views_timefieldname'
            title:
              $ref: '#/components/schemas/Data_views_title'
            type:
              $ref: '#/components/schemas/Data_views_type'
            typeMeta:
              $ref: '#/components/schemas/Data_views_typemeta'
            version:
              type: string
          required:
            - title
        override:
          default: false
          description: Override an existing data view if a data view with the provided title already exists.
          type: boolean
      required:
        - data_view
    Data_views_data_view_response_object:
      title: Data view response properties
      type: object
      properties:
        data_view:
          type: object
          properties:
            allowNoIndex:
              $ref: '#/components/schemas/Data_views_allownoindex'
            fieldAttrs:
              additionalProperties:
                $ref: '#/components/schemas/Data_views_fieldattrs'
              type: object
            fieldFormats:
              $ref: '#/components/schemas/Data_views_fieldformats'
            fields:
              type: object
            id:
              example: ff959d40-b880-11e8-a6d9-e546fe2bba5f
              type: string
            name:
              description: The data view name.
              type: string
            namespaces:
              $ref: '#/components/schemas/Data_views_namespaces'
            runtimeFieldMap:
              additionalProperties:
                $ref: '#/components/schemas/Data_views_runtimefieldmap'
              type: object
            sourceFilters:
              $ref: '#/components/schemas/Data_views_sourcefilters'
            timeFieldName:
              $ref: '#/components/schemas/Data_views_timefieldname'
            title:
              $ref: '#/components/schemas/Data_views_title'
            typeMeta:
              $ref: '#/components/schemas/Data_views_typemeta_response'
            version:
              example: WzQ2LDJd
              type: string
    Data_views_fieldattrs:
      description: A map of field attributes by field name.
      type: object
      properties:
        count:
          description: Popularity count for the field.
          type: integer
        customDescription:
          description: Custom description for the field.
          maxLength: 300
          type: string
        customLabel:
          description: Custom label for the field.
          type: string
    Data_views_fieldformats:
      description: A map of field formats by field name.
      type: object
    Data_views_namespaces:
      description: An array of space identifiers for sharing the data view between multiple spaces.
      items:
        default: default
        type: string
      type: array
    Data_views_runtimefieldmap:
      description: A map of runtime field definitions by field name.
      type: object
      properties:
        script:
          type: object
          properties:
            source:
              description: Script for the runtime field.
              type: string
        type:
          description: Mapping type of the runtime field.
          type: string
      required:
        - script
        - type
    Data_views_sourcefilters:
      description: The array of field names you want to filter out in Discover.
      items:
        type: object
        properties:
          value:
            type: string
        required:
          - value
      type: array
    Data_views_swap_data_view_request_object:
      title: Data view reference swap request
      type: object
      properties:
        delete:
          description: Deletes referenced saved object if all references are removed.
          type: boolean
        forId:
          description: Limit the affected saved objects to one or more by identifier.
          oneOf:
            - type: string
            - items:
                type: string
              type: array
        forType:
          description: Limit the affected saved objects by type.
          type: string
        fromId:
          description: The saved object reference to change.
          type: string
        fromType:
          description: |
            Specify the type of the saved object reference to alter. The default value is `index-pattern` for data views.
          type: string
        toId:
          description: New saved object reference value to replace the old value.
          type: string
      required:
        - fromId
        - toId
    Data_views_timefieldname:
      description: The timestamp field name, which you use for time-based data views.
      type: string
    Data_views_title:
      description: Comma-separated list of data streams, indices, and aliases that you want to search. Supports wildcards (`*`).
      type: string
    Data_views_type:
      description: When set to `rollup`, identifies the rollup data views.
      type: string
    Data_views_typemeta:
      description: When you use rollup indices, contains the field list for the rollup data view API endpoints.
      type: object
      properties:
        aggs:
          description: A map of rollup restrictions by aggregation type and field name.
          type: object
        params:
          description: Properties for retrieving rollup fields.
          type: object
      required:
        - aggs
        - params
    Data_views_typemeta_response:
      description: When you use rollup indices, contains the field list for the rollup data view API endpoints.
      nullable: true
      type: object
      properties:
        aggs:
          description: A map of rollup restrictions by aggregation type and field name.
          type: object
        params:
          description: Properties for retrieving rollup fields.
          type: object
    Data_views_update_data_view_request_object:
      title: Update data view request
      type: object
      properties:
        data_view:
          description: |
            The data view properties you want to update. Only the specified properties are updated in the data view. Unspecified fields stay as they are persisted.
          type: object
          properties:
            allowNoIndex:
              $ref: '#/components/schemas/Data_views_allownoindex'
            fieldFormats:
              $ref: '#/components/schemas/Data_views_fieldformats'
            fields:
              type: object
            name:
              type: string
            runtimeFieldMap:
              additionalProperties:
                $ref: '#/components/schemas/Data_views_runtimefieldmap'
              type: object
            sourceFilters:
              $ref: '#/components/schemas/Data_views_sourcefilters'
            timeFieldName:
              $ref: '#/components/schemas/Data_views_timefieldname'
            title:
              $ref: '#/components/schemas/Data_views_title'
            type:
              $ref: '#/components/schemas/Data_views_type'
            typeMeta:
              $ref: '#/components/schemas/Data_views_typemeta'
        refresh_fields:
          default: false
          description: Reloads the data view fields after the data view is updated.
          type: boolean
      required:
        - data_view
    Kibana_HTTP_APIs_apm-anomaly-create-rule-body-alerting:
      additionalProperties: false
      properties:
        actions:
          default: []
          items:
            additionalProperties: false
            description: An action that runs under defined conditions.
            type: object
            properties:
              alerts_filter:
                additionalProperties: false
                description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
                type: object
                properties:
                  query:
                    additionalProperties: false
                    type: object
                    properties:
                      dsl:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
                        type: string
                      filters:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            $state:
                              additionalProperties: false
                              type: object
                              properties:
                                store:
                                  description: A filter can be either specific to an application context or applied globally.
                                  enum:
                                    - appState
                                    - globalState
                                  type: string
                              required:
                                - store
                            meta:
                              additionalProperties:
                                description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
                                nullable: true
                              type: object
                            query:
                              additionalProperties:
                                description: A query for the filter.
                                nullable: true
                              type: object
                          required:
                            - meta
                        type: array
                      kql:
                        description: A filter written in Kibana Query Language (KQL).
                        type: string
                    required:
                      - kql
                      - filters
                  timeframe:
                    additionalProperties: false
                    description: Defines a period that limits whether the action runs.
                    type: object
                    properties:
                      days:
                        description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
                        items:
                          enum:
                            - 1
                            - 2
                            - 3
                            - 4
                            - 5
                            - 6
                            - 7
                          type: integer
                        type: array
                      hours:
                        additionalProperties: false
                        description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions are generated all day.
                        type: object
                        properties:
                          end:
                            description: The end of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                          start:
                            description: The start of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                        required:
                          - start
                          - end
                      timezone:
                        description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight saving time support and are not recommended.
                        type: string
                    required:
                      - days
                      - hours
                      - timezone
              frequency:
                additionalProperties: false
                type: object
                properties:
                  notify_when:
                    description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    enum:
                      - onActionGroupChange
                      - onActiveAlert
                      - onThrottleInterval
                    type: string
                  summary:
                    description: Indicates whether the action is a summary.
                    type: boolean
                  throttle:
                    description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    nullable: true
                    type: string
                required:
                  - summary
                  - notify_when
                  - throttle
              group:
                description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
                type: string
              id:
                description: The identifier for the connector saved object.
                type: string
              params:
                additionalProperties:
                  nullable: true
                default: {}
                description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
                type: object
              use_alert_data_for_template:
                description: Indicates whether to use alert data as a template.
                type: boolean
              uuid:
                description: A universally unique identifier (UUID) for the action.
                type: string
            required:
              - id
          type: array
        alert_delay:
          additionalProperties: false
          description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
          type: object
          properties:
            active:
              description: The number of consecutive runs that must meet the rule conditions.
              type: number
          required:
            - active
        artifacts:
          additionalProperties: false
          type: object
          properties:
            dashboards:
              items:
                additionalProperties: false
                type: object
                properties:
                  id:
                    type: string
                required:
                  - id
              maxItems: 10
              type: array
            investigation_guide:
              additionalProperties: false
              type: object
              properties:
                blob:
                  maxLength: 10000
                  type: string
              required:
                - blob
        consumer:
          description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
          type: string
        enabled:
          default: true
          description: Indicates whether you want to run the rule on an interval basis after it is created.
          type: boolean
        flapping:
          additionalProperties: false
          description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
          nullable: true
          type: object
          properties:
            enabled:
              description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
              type: boolean
            look_back_window:
              description: The minimum number of runs in which the threshold must be met.
              maximum: 20
              minimum: 2
              type: number
            status_change_threshold:
              description: The minimum number of times an alert must switch states in the look back window.
              maximum: 20
              minimum: 2
              type: number
          required:
            - look_back_window
            - status_change_threshold
        name:
          description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
          type: string
        notify_when:
          description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          enum:
            - onActionGroupChange
            - onActiveAlert
            - onThrottleInterval
          nullable: true
          type: string
        params:
          additionalProperties: false
          description: The parameters for the APM anomaly rule. These parameters are appropriate when `rule_type_id` is `apm.anomaly`.
          properties:
            anomalyDetectorTypes:
              description: The types of anomalies that are detected. For example, detect abnormal latency, throughput, or failed transaction rates.
              items:
                enum:
                  - txLatency
                  - txThroughput
                  - txFailureRate
                type: string
              minItems: 1
              type: array
            anomalySeverityType:
              description: 'The severity of anomalies that result in an alert: critical, major, minor, or warning.'
              enum:
                - critical
                - major
                - minor
                - warning
              type: string
            environment:
              description: The environment from APM.
              type: string
            serviceName:
              description: The service name from APM.
              type: string
            transactionType:
              description: The transaction type from APM.
              type: string
            windowSize:
              description: The size of the time window (in `windowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.
              type: number
            windowUnit:
              description: 'The type of units for the time window: minutes, hours, or days.'
              type: string
          required:
            - windowSize
            - windowUnit
            - environment
            - anomalySeverityType
          title: APM Anomaly Rule Params
          type: object
        rule_type_id:
          enum:
            - apm.anomaly
          type: string
        schedule:
          additionalProperties: false
          description: The check interval, which specifies how frequently the rule conditions are checked.
          type: object
          properties:
            interval:
              description: The interval is specified in seconds, minutes, hours, or days.
              type: string
          required:
            - interval
        tags:
          default: []
          description: The tags for the rule.
          items:
            type: string
          type: array
        throttle:
          description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          nullable: true
          type: string
      required:
        - name
        - consumer
        - schedule
        - rule_type_id
        - params
      title: APM anomaly
      type: object
    Kibana_HTTP_APIs_apm-error-rate-create-rule-body-alerting:
      additionalProperties: false
      properties:
        actions:
          default: []
          items:
            additionalProperties: false
            description: An action that runs under defined conditions.
            type: object
            properties:
              alerts_filter:
                additionalProperties: false
                description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
                type: object
                properties:
                  query:
                    additionalProperties: false
                    type: object
                    properties:
                      dsl:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
                        type: string
                      filters:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            $state:
                              additionalProperties: false
                              type: object
                              properties:
                                store:
                                  description: A filter can be either specific to an application context or applied globally.
                                  enum:
                                    - appState
                                    - globalState
                                  type: string
                              required:
                                - store
                            meta:
                              additionalProperties:
                                description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
                                nullable: true
                              type: object
                            query:
                              additionalProperties:
                                description: A query for the filter.
                                nullable: true
                              type: object
                          required:
                            - meta
                        type: array
                      kql:
                        description: A filter written in Kibana Query Language (KQL).
                        type: string
                    required:
                      - kql
                      - filters
                  timeframe:
                    additionalProperties: false
                    description: Defines a period that limits whether the action runs.
                    type: object
                    properties:
                      days:
                        description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
                        items:
                          enum:
                            - 1
                            - 2
                            - 3
                            - 4
                            - 5
                            - 6
                            - 7
                          type: integer
                        type: array
                      hours:
                        additionalProperties: false
                        description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions are generated all day.
                        type: object
                        properties:
                          end:
                            description: The end of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                          start:
                            description: The start of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                        required:
                          - start
                          - end
                      timezone:
                        description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight saving time support and are not recommended.
                        type: string
                    required:
                      - days
                      - hours
                      - timezone
              frequency:
                additionalProperties: false
                type: object
                properties:
                  notify_when:
                    description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    enum:
                      - onActionGroupChange
                      - onActiveAlert
                      - onThrottleInterval
                    type: string
                  summary:
                    description: Indicates whether the action is a summary.
                    type: boolean
                  throttle:
                    description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    nullable: true
                    type: string
                required:
                  - summary
                  - notify_when
                  - throttle
              group:
                description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
                type: string
              id:
                description: The identifier for the connector saved object.
                type: string
              params:
                additionalProperties:
                  nullable: true
                default: {}
                description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
                type: object
              use_alert_data_for_template:
                description: Indicates whether to use alert data as a template.
                type: boolean
              uuid:
                description: A universally unique identifier (UUID) for the action.
                type: string
            required:
              - id
          type: array
        alert_delay:
          additionalProperties: false
          description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
          type: object
          properties:
            active:
              description: The number of consecutive runs that must meet the rule conditions.
              type: number
          required:
            - active
        artifacts:
          additionalProperties: false
          type: object
          properties:
            dashboards:
              items:
                additionalProperties: false
                type: object
                properties:
                  id:
                    type: string
                required:
                  - id
              maxItems: 10
              type: array
            investigation_guide:
              additionalProperties: false
              type: object
              properties:
                blob:
                  maxLength: 10000
                  type: string
              required:
                - blob
        consumer:
          description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
          type: string
        enabled:
          default: true
          description: Indicates whether you want to run the rule on an interval basis after it is created.
          type: boolean
        flapping:
          additionalProperties: false
          description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
          nullable: true
          type: object
          properties:
            enabled:
              description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
              type: boolean
            look_back_window:
              description: The minimum number of runs in which the threshold must be met.
              maximum: 20
              minimum: 2
              type: number
            status_change_threshold:
              description: The minimum number of times an alert must switch states in the look back window.
              maximum: 20
              minimum: 2
              type: number
          required:
            - look_back_window
            - status_change_threshold
        name:
          description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
          type: string
        notify_when:
          description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          enum:
            - onActionGroupChange
            - onActiveAlert
            - onThrottleInterval
          nullable: true
          type: string
        params:
          additionalProperties: false
          description: The parameters for the error count rule. These parameters are appropriate when `rule_type_id` is `apm.error_rate`.
          properties:
            environment:
              description: Filter the errors coming from your application to apply the rule to a specific environment.
              type: string
            errorGroupingKey:
              description: Filter the errors coming from your application to apply the rule to a specific error grouping key, which is a hash of the stack trace and other properties.
              type: string
            groupBy:
              items:
                description: Perform a composite aggregation against the selected fields. When any of these groups match the selected rule conditions, an alert is triggered per group.
                type: string
              type: array
            searchConfiguration:
              additionalProperties: false
              type: object
              properties:
                query:
                  additionalProperties: false
                  type: object
                  properties:
                    language:
                      type: string
                    query:
                      anyOf:
                        - type: string
                        - additionalProperties:
                            nullable: true
                          type: object
                  required:
                    - query
                    - language
              required:
                - query
            serviceName:
              description: Filter the errors coming from your application to apply the rule to a specific service.
              type: string
            threshold:
              description: The number of errors, which is the threshold for alerts.
              type: number
            useKqlFilter:
              description: A filter in Kibana Query Language (KQL) that limits the scope of the rule.
              type: boolean
            windowSize:
              description: The time frame in which the errors must occur (in `windowUnit` units). Generally it should be a value higher than the rule check interval to avoid gaps in detection.
              type: number
            windowUnit:
              description: 'The type of units for the time window: minutes, hours, or days.'
              type: string
          required:
            - windowSize
            - windowUnit
            - threshold
            - environment
          title: Error Count Rule Params
          type: object
        rule_type_id:
          enum:
            - apm.error_rate
          type: string
        schedule:
          additionalProperties: false
          description: The check interval, which specifies how frequently the rule conditions are checked.
          type: object
          properties:
            interval:
              description: The interval is specified in seconds, minutes, hours, or days.
              type: string
          required:
            - interval
        tags:
          default: []
          description: The tags for the rule.
          items:
            type: string
          type: array
        throttle:
          description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          nullable: true
          type: string
      required:
        - name
        - consumer
        - schedule
        - rule_type_id
        - params
      title: Error rate
      type: object
    Kibana_HTTP_APIs_apm-transaction-duration-create-rule-body-alerting:
      additionalProperties: false
      properties:
        actions:
          default: []
          items:
            additionalProperties: false
            description: An action that runs under defined conditions.
            type: object
            properties:
              alerts_filter:
                additionalProperties: false
                description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
                type: object
                properties:
                  query:
                    additionalProperties: false
                    type: object
                    properties:
                      dsl:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
                        type: string
                      filters:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            $state:
                              additionalProperties: false
                              type: object
                              properties:
                                store:
                                  description: A filter can be either specific to an application context or applied globally.
                                  enum:
                                    - appState
                                    - globalState
                                  type: string
                              required:
                                - store
                            meta:
                              additionalProperties:
                                description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
                                nullable: true
                              type: object
                            query:
                              additionalProperties:
                                description: A query for the filter.
                                nullable: true
                              type: object
                          required:
                            - meta
                        type: array
                      kql:
                        description: A filter written in Kibana Query Language (KQL).
                        type: string
                    required:
                      - kql
                      - filters
                  timeframe:
                    additionalProperties: false
                    description: Defines a period that limits whether the action runs.
                    type: object
                    properties:
                      days:
                        description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
                        items:
                          enum:
                            - 1
                            - 2
                            - 3
                            - 4
                            - 5
                            - 6
                            - 7
                          type: integer
                        type: array
                      hours:
                        additionalProperties: false
                        description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.
                        type: object
                        properties:
                          end:
                            description: The end of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                          start:
                            description: The start of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                        required:
                          - start
                          - end
                      timezone:
                        description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight saving time support and are not recommended.
                        type: string
                    required:
                      - days
                      - hours
                      - timezone
              frequency:
                additionalProperties: false
                type: object
                properties:
                  notify_when:
                    description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    enum:
                      - onActionGroupChange
                      - onActiveAlert
                      - onThrottleInterval
                    type: string
                  summary:
                    description: Indicates whether the action is a summary.
                    type: boolean
                  throttle:
                    description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    nullable: true
                    type: string
                required:
                  - summary
                  - notify_when
                  - throttle
              group:
                description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
                type: string
              id:
                description: The identifier for the connector saved object.
                type: string
              params:
                additionalProperties:
                  nullable: true
                default: {}
                description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
                type: object
              use_alert_data_for_template:
                description: Indicates whether to use alert data as a template.
                type: boolean
              uuid:
                description: A universally unique identifier (UUID) for the action.
                type: string
            required:
              - id
          type: array
        alert_delay:
          additionalProperties: false
          description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
          type: object
          properties:
            active:
              description: The number of consecutive runs that must meet the rule conditions.
              type: number
          required:
            - active
        artifacts:
          additionalProperties: false
          type: object
          properties:
            dashboards:
              items:
                additionalProperties: false
                type: object
                properties:
                  id:
                    type: string
                required:
                  - id
              maxItems: 10
              type: array
            investigation_guide:
              additionalProperties: false
              type: object
              properties:
                blob:
                  maxLength: 10000
                  type: string
              required:
                - blob
        consumer:
          description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
          type: string
        enabled:
          default: true
          description: Indicates whether you want to run the rule on an interval basis after it is created.
          type: boolean
        flapping:
          additionalProperties: false
          description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
          nullable: true
          type: object
          properties:
            enabled:
              description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
              type: boolean
            look_back_window:
              description: The minimum number of runs in which the threshold must be met.
              maximum: 20
              minimum: 2
              type: number
            status_change_threshold:
              description: The minimum number of times an alert must switch states in the look back window.
              maximum: 20
              minimum: 2
              type: number
          required:
            - look_back_window
            - status_change_threshold
        name:
          description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
          type: string
        notify_when:
          description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          enum:
            - onActionGroupChange
            - onActiveAlert
            - onThrottleInterval
          nullable: true
          type: string
        params:
          additionalProperties: false
          description: The parameters for the transaction duration rule. These parameters are appropriate when `rule_type_id` is `apm.transaction_duration`.
          properties:
            aggregationType:
              description: The type of aggregation to perform.
              enum:
                - avg
                - 95th
                - 99th
              type: string
            environment:
              description: Filter the rule to apply to a specific environment.
              type: string
            groupBy:
              items:
                description: Perform a composite aggregation against the selected fields. When any of these groups match the selected rule conditions, an alert is triggered per group.
                type: string
              type: array
            searchConfiguration:
              additionalProperties: false
              type: object
              properties:
                query:
                  additionalProperties: false
                  type: object
                  properties:
                    language:
                      type: string
                    query:
                      anyOf:
                        - type: string
                        - additionalProperties:
                            nullable: true
                          type: object
                  required:
                    - query
                    - language
              required:
                - query
            serviceName:
              description: Filter the rule to apply to a specific service.
              type: string
            threshold:
              description: The latency threshold value.
              type: number
            transactionName:
              description: Filter the rule to apply to a specific transaction name.
              type: string
            transactionType:
              description: Filter the rule to apply to a specific transaction type.
              type: string
            useKqlFilter:
              description: A Kibana Query Language (KQL) expression that limits the scope of alerts.
              type: boolean
            windowSize:
              description: The size of the time window (in `windowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.
              type: number
            windowUnit:
              description: 'The type of units for the time window. For example: minutes, hours, or days.'
              type: string
          required:
            - windowSize
            - windowUnit
            - threshold
            - aggregationType
            - environment
          title: Transaction Duration Rule Params
          type: object
        rule_type_id:
          enum:
            - apm.transaction_duration
          type: string
        schedule:
          additionalProperties: false
          description: The check interval, which specifies how frequently the rule conditions are checked.
          type: object
          properties:
            interval:
              description: The interval is specified in seconds, minutes, hours, or days.
              type: string
          required:
            - interval
        tags:
          default: []
          description: The tags for the rule.
          items:
            type: string
          type: array
        throttle:
          description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          nullable: true
          type: string
      required:
        - name
        - consumer
        - schedule
        - rule_type_id
        - params
      title: Transaction duration
      type: object
    Kibana_HTTP_APIs_apm-transaction-error-rate-create-rule-body-alerting:
      additionalProperties: false
      properties:
        actions:
          default: []
          items:
            additionalProperties: false
            description: An action that runs under defined conditions.
            type: object
            properties:
              alerts_filter:
                additionalProperties: false
                description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
                type: object
                properties:
                  query:
                    additionalProperties: false
                    type: object
                    properties:
                      dsl:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
                        type: string
                      filters:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            $state:
                              additionalProperties: false
                              type: object
                              properties:
                                store:
                                  description: A filter can be either specific to an application context or applied globally.
                                  enum:
                                    - appState
                                    - globalState
                                  type: string
                              required:
                                - store
                            meta:
                              additionalProperties:
                                description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
                                nullable: true
                              type: object
                            query:
                              additionalProperties:
                                description: A query for the filter.
                                nullable: true
                              type: object
                          required:
                            - meta
                        type: array
                      kql:
                        description: A filter written in Kibana Query Language (KQL).
                        type: string
                    required:
                      - kql
                      - filters
                  timeframe:
                    additionalProperties: false
                    description: Defines a period that limits whether the action runs.
                    type: object
                    properties:
                      days:
                        description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
                        items:
                          enum:
                            - 1
                            - 2
                            - 3
                            - 4
                            - 5
                            - 6
                            - 7
                          type: integer
                        type: array
                      hours:
                        additionalProperties: false
                        description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.
                        type: object
                        properties:
                          end:
                            description: The end of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                          start:
                            description: The start of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                        required:
                          - start
                          - end
                      timezone:
                        description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight saving time support and are not recommended.
                        type: string
                    required:
                      - days
                      - hours
                      - timezone
              frequency:
                additionalProperties: false
                type: object
                properties:
                  notify_when:
                    description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    enum:
                      - onActionGroupChange
                      - onActiveAlert
                      - onThrottleInterval
                    type: string
                  summary:
                    description: Indicates whether the action is a summary.
                    type: boolean
                  throttle:
                    description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    nullable: true
                    type: string
                required:
                  - summary
                  - notify_when
                  - throttle
              group:
                description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
                type: string
              id:
                description: The identifier for the connector saved object.
                type: string
              params:
                additionalProperties:
                  nullable: true
                default: {}
                description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
                type: object
              use_alert_data_for_template:
                description: Indicates whether to use alert data as a template.
                type: boolean
              uuid:
                description: A universally unique identifier (UUID) for the action.
                type: string
            required:
              - id
          type: array
        alert_delay:
          additionalProperties: false
          description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
          type: object
          properties:
            active:
              description: The number of consecutive runs that must meet the rule conditions.
              type: number
          required:
            - active
        artifacts:
          additionalProperties: false
          type: object
          properties:
            dashboards:
              items:
                additionalProperties: false
                type: object
                properties:
                  id:
                    type: string
                required:
                  - id
              maxItems: 10
              type: array
            investigation_guide:
              additionalProperties: false
              type: object
              properties:
                blob:
                  maxLength: 10000
                  type: string
              required:
                - blob
        consumer:
          description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
          type: string
        enabled:
          default: true
          description: Indicates whether you want to run the rule on an interval basis after it is created.
          type: boolean
        flapping:
          additionalProperties: false
          description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
          nullable: true
          type: object
          properties:
            enabled:
              description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
              type: boolean
            look_back_window:
              description: The minimum number of runs in which the threshold must be met.
              maximum: 20
              minimum: 2
              type: number
            status_change_threshold:
              description: The minimum number of times an alert must switch states in the look back window.
              maximum: 20
              minimum: 2
              type: number
          required:
            - look_back_window
            - status_change_threshold
        name:
          description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
          type: string
        notify_when:
          description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          enum:
            - onActionGroupChange
            - onActiveAlert
            - onThrottleInterval
          nullable: true
          type: string
        params:
          additionalProperties: false
          description: The parameters for the transaction error rate rule. These parameters are appropriate when `rule_type_id` is `apm.transaction_error_rate`.
          properties:
            environment:
              type: string
            groupBy:
              items:
                type: string
              type: array
            searchConfiguration:
              additionalProperties: false
              type: object
              properties:
                query:
                  additionalProperties: false
                  type: object
                  properties:
                    language:
                      type: string
                    query:
                      anyOf:
                        - type: string
                        - additionalProperties:
                            nullable: true
                          type: object
                  required:
                    - query
                    - language
              required:
                - query
            serviceName:
              type: string
            threshold:
              type: number
            transactionName:
              type: string
            transactionType:
              type: string
            useKqlFilter:
              type: boolean
            windowSize:
              type: number
            windowUnit:
              type: string
          required:
            - windowSize
            - windowUnit
            - threshold
            - environment
          title: Transaction Error Rate Rule Params
          type: object
        rule_type_id:
          enum:
            - apm.transaction_error_rate
          type: string
        schedule:
          additionalProperties: false
          description: The check interval, which specifies how frequently the rule conditions are checked.
          type: object
          properties:
            interval:
              description: The interval is specified in seconds, minutes, hours, or days.
              type: string
          required:
            - interval
        tags:
          default: []
          description: The tags for the rule.
          items:
            type: string
          type: array
        throttle:
          description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          nullable: true
          type: string
      required:
        - name
        - consumer
        - schedule
        - rule_type_id
        - params
      title: Transaction error rate
      type: object
    Kibana_HTTP_APIs_ClassicFieldDefinition:
      additionalProperties:
        $ref: '#/components/schemas/Kibana_HTTP_APIs_ClassicFieldDefinitionConfig'
      type: object
    Kibana_HTTP_APIs_ClassicFieldDefinitionConfig:
      allOf:
        - $ref: '#/components/schemas/Kibana_HTTP_APIs_RecursiveRecord'
        - anyOf:
            - additionalProperties: false
              type: object
              properties:
                description:
                  type: string
                format:
                  description: A non-empty string.
                  minLength: 1
                  type: string
                type:
                  enum:
                    - keyword
                    - match_only_text
                    - long
                    - double
                    - date
                    - boolean
                    - ip
                    - geo_point
                    - integer
                    - short
                    - byte
                    - float
                    - half_float
                    - text
                    - wildcard
                    - version
                    - unsigned_long
                    - date_nanos
                  type: string
              required:
                - type
            - additionalProperties: false
              type: object
              properties:
                description:
                  type: string
                type:
                  enum:
                    - system
                  type: string
              required:
                - type
    Kibana_HTTP_APIs_ClassicStreamUpsertRequest:
      additionalProperties: false
      type: object
      properties:
        dashboards:
          items:
            type: string
          type: array
        queries:
          items:
            type: object
            properties:
              description:
                type: string
              esql:
                type: object
                properties:
                  query:
                    type: string
                required:
                  - query
              evidence:
                items:
                  type: string
                type: array
              id:
                description: A non-empty string.
                minLength: 1
                type: string
              severity_score:
                type: number
              title:
                description: A non-empty string.
                minLength: 1
                type: string
              type:
                default: match
                enum:
                  - match
                  - stats
                type: string
            required:
              - id
              - title
              - description
              - esql
          type: array
        rules:
          items:
            type: string
          type: array
        stream:
          additionalProperties: false
          type: object
          properties:
            description:
              type: string
            ingest:
              additionalProperties: false
              type: object
              properties:
                classic:
                  additionalProperties: false
                  type: object
                  properties:
                    field_overrides:
                      $ref: '#/components/schemas/Kibana_HTTP_APIs_ClassicFieldDefinition'
                failure_store:
                  $ref: '#/components/schemas/Kibana_HTTP_APIs_FailureStore'
                lifecycle:
                  $ref: '#/components/schemas/Kibana_HTTP_APIs_IngestStreamLifecycle'
                processing:
                  additionalProperties: false
                  type: object
                  properties:
                    steps:
                      items:
                        $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep'
                      type: array
                    updated_at: {}
                  required:
                    - steps
                settings:
                  additionalProperties: false
                  type: object
                  properties:
                    index.number_of_replicas:
                      additionalProperties: false
                      type: object
                      properties:
                        value:
                          type: number
                      required:
                        - value
                    index.number_of_shards:
                      additionalProperties: false
                      type: object
                      properties:
                        value:
                          type: number
                      required:
                        - value
                    index.refresh_interval:
                      additionalProperties: false
                      type: object
                      properties:
                        value:
                          anyOf:
                            - type: string
                            - enum:
                                - -1
                              type: number
                      required:
                        - value
              required:
                - lifecycle
                - processing
                - settings
                - failure_store
                - classic
            query_streams:
              items:
                type: object
                properties:
                  name:
                    type: string
                required:
                  - name
              type: array
            type:
              enum:
                - classic
              type: string
          required:
            - description
            - ingest
            - type
      required:
        - dashboards
        - rules
        - queries
        - stream
    Kibana_HTTP_APIs_Condition:
      anyOf:
        - $ref: '#/components/schemas/Kibana_HTTP_APIs_FilterCondition'
        - additionalProperties: false
          description: A logical AND that groups multiple conditions.
          type: object
          properties:
            and:
              description: An array of conditions. All sub-conditions must be true for this condition to be true.
              items:
                $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
              type: array
          required:
            - and
        - additionalProperties: false
          description: A logical OR that groups multiple conditions.
          type: object
          properties:
            or:
              description: An array of conditions. At least one sub-condition must be true for this condition to be true.
              items:
                $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
              type: array
          required:
            - or
        - additionalProperties: false
          description: A logical NOT that negates a condition.
          type: object
          properties:
            not:
              $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
              description: A condition that negates another condition.
          required:
            - not
        - additionalProperties: false
          description: A condition that always evaluates to false.
          type: object
          properties:
            never:
              additionalProperties: false
              description: An empty object. This condition never matches.
              type: object
              properties: {}
          required:
            - never
        - additionalProperties: false
          description: A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.
          type: object
          properties:
            always:
              additionalProperties: false
              description: An empty object. This condition always matches.
              type: object
              properties: {}
          required:
            - always
      description: The root condition object. It can be a simple filter or a combination of other conditions.
    Kibana_HTTP_APIs_ConditionWithSteps:
      allOf:
        - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
        - additionalProperties: false
          type: object
          properties:
            else:
              items:
                $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep'
              type: array
            steps:
              items:
                $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep'
              type: array
          required:
            - steps
    Kibana_HTTP_APIs_ContentPackIncludedObjects:
      anyOf:
        - additionalProperties: false
          type: object
          properties:
            objects:
              additionalProperties: false
              type: object
              properties:
                all:
                  additionalProperties: false
                  type: object
                  properties: {}
              required:
                - all
          required:
            - objects
        - additionalProperties: false
          type: object
          properties:
            objects:
              additionalProperties: false
              type: object
              properties:
                mappings:
                  type: boolean
                queries:
                  items:
                    type: object
                    properties:
                      id:
                        type: string
                    required:
                      - id
                  type: array
                routing:
                  items:
                    allOf:
                      - $ref: '#/components/schemas/Kibana_HTTP_APIs_ContentPackIncludedObjects'
                      - type: object
                        properties:
                          destination:
                            type: string
                        required:
                          - destination
                  type: array
              required:
                - mappings
                - queries
                - routing
          required:
            - objects
    Kibana_HTTP_APIs_core_status_redactedResponse:
      additionalProperties: false
      description: A minimal representation of Kibana's operational status.
      properties:
        status:
          additionalProperties: false
          type: object
          properties:
            overall:
              additionalProperties: false
              type: object
              properties:
                level:
                  description: Service status levels as human and machine readable values.
                  enum:
                    - available
                    - degraded
                    - unavailable
                    - critical
                  type: string
              required:
                - level
          required:
            - overall
      required:
        - status
      title: core_status_redactedResponse
      type: object
    Kibana_HTTP_APIs_core_status_response:
      additionalProperties: false
      description: Kibana's operational status, as well as a detailed breakdown of plugin statuses and an indication of various loads (like event loop utilization and network traffic) at the time of the request.
      properties:
        metrics:
          additionalProperties: false
          description: Metric groups collected by Kibana.
          type: object
          properties:
            collection_interval_in_millis:
              description: The interval at which metrics should be collected.
              type: number
            elasticsearch_client:
              additionalProperties: false
              description: Current network metrics of Kibana's Elasticsearch client.
              type: object
              properties:
                totalActiveSockets:
                  description: Count of network sockets currently in use.
                  type: number
                totalIdleSockets:
                  description: Count of network sockets currently idle.
                  type: number
                totalQueuedRequests:
                  description: Count of requests not yet assigned to sockets.
                  type: number
              required:
                - totalActiveSockets
                - totalIdleSockets
                - totalQueuedRequests
            last_updated:
              description: The time metrics were collected.
              type: string
          required:
            - elasticsearch_client
            - last_updated
            - collection_interval_in_millis
        name:
          description: Kibana instance name.
          type: string
        status:
          additionalProperties: false
          type: object
          properties:
            core:
              additionalProperties: false
              description: Statuses of core Kibana services.
              type: object
              properties:
                elasticsearch:
                  additionalProperties: false
                  type: object
                  properties:
                    detail:
                      description: Human readable detail of the service status.
                      type: string
                    documentationUrl:
                      description: A URL to further documentation regarding this service.
                      type: string
                    level:
                      description: Service status levels as human and machine readable values.
                      enum:
                        - available
                        - degraded
                        - unavailable
                        - critical
                      type: string
                    meta:
                      additionalProperties:
                        nullable: true
                      description: An unstructured set of extra metadata about this service.
                      type: object
                    summary:
                      description: A human readable summary of the service status.
                      type: string
                  required:
                    - level
                    - summary
                    - meta
                http:
                  additionalProperties: false
                  type: object
                  properties:
                    detail:
                      description: Human readable detail of the service status.
                      type: string
                    documentationUrl:
                      description: A URL to further documentation regarding this service.
                      type: string
                    level:
                      description: Service status levels as human and machine readable values.
                      enum:
                        - available
                        - degraded
                        - unavailable
                        - critical
                      type: string
                    meta:
                      additionalProperties:
                        nullable: true
                      description: An unstructured set of extra metadata about this service.
                      type: object
                    summary:
                      description: A human readable summary of the service status.
                      type: string
                  required:
                    - level
                    - summary
                    - meta
                savedObjects:
                  additionalProperties: false
                  type: object
                  properties:
                    detail:
                      description: Human readable detail of the service status.
                      type: string
                    documentationUrl:
                      description: A URL to further documentation regarding this service.
                      type: string
                    level:
                      description: Service status levels as human and machine readable values.
                      enum:
                        - available
                        - degraded
                        - unavailable
                        - critical
                      type: string
                    meta:
                      additionalProperties:
                        nullable: true
                      description: An unstructured set of extra metadata about this service.
                      type: object
                    summary:
                      description: A human readable summary of the service status.
                      type: string
                  required:
                    - level
                    - summary
                    - meta
              required:
                - elasticsearch
                - savedObjects
            overall:
              additionalProperties: false
              type: object
              properties:
                detail:
                  description: Human readable detail of the service status.
                  type: string
                documentationUrl:
                  description: A URL to further documentation regarding this service.
                  type: string
                level:
                  description: Service status levels as human and machine readable values.
                  enum:
                    - available
                    - degraded
                    - unavailable
                    - critical
                  type: string
                meta:
                  additionalProperties:
                    nullable: true
                  description: An unstructured set of extra metadata about this service.
                  type: object
                summary:
                  description: A human readable summary of the service status.
                  type: string
              required:
                - level
                - summary
                - meta
            plugins:
              additionalProperties:
                additionalProperties: false
                type: object
                properties:
                  detail:
                    description: Human readable detail of the service status.
                    type: string
                  documentationUrl:
                    description: A URL to further documentation regarding this service.
                    type: string
                  level:
                    description: Service status levels as human and machine readable values.
                    enum:
                      - available
                      - degraded
                      - unavailable
                      - critical
                    type: string
                  meta:
                    additionalProperties:
                      nullable: true
                    description: An unstructured set of extra metadata about this service.
                    type: object
                  summary:
                    description: A human readable summary of the service status.
                    type: string
                required:
                  - level
                  - summary
                  - meta
              description: A dynamic mapping of plugin ID to plugin status.
              type: object
          required:
            - overall
            - core
            - plugins
        uuid:
          description: Unique, generated Kibana instance UUID. This UUID should persist even if the Kibana process restarts.
          type: string
        version:
          additionalProperties: false
          type: object
          properties:
            build_date:
              description: The date and time of this build.
              type: string
            build_flavor:
              description: The build flavor determines the configuration and behavior of Kibana. On-premises users will almost always run the "traditional" flavor, while other flavors are reserved for Elastic-specific use cases.
              enum:
                - serverless
                - traditional
              type: string
            build_hash:
              description: A unique hash value representing the git commit of this Kibana build.
              type: string
            build_number:
              description: A monotonically increasing number. Each subsequent build has a higher number.
              type: number
            build_snapshot:
              description: Whether this build is a snapshot build.
              type: boolean
            number:
              description: A semantic version number.
              type: string
          required:
            - number
            - build_hash
            - build_number
            - build_snapshot
            - build_flavor
            - build_date
      required:
        - name
        - uuid
        - version
        - status
        - metrics
      title: core_status_response
      type: object
    Kibana_HTTP_APIs_datasetquality-degradeddocs-create-rule-body-alerting:
      additionalProperties: false
      properties:
        actions:
          default: []
          items:
            additionalProperties: false
            description: An action that runs under defined conditions.
            type: object
            properties:
              alerts_filter:
                additionalProperties: false
                description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
                type: object
                properties:
                  query:
                    additionalProperties: false
                    type: object
                    properties:
                      dsl:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
                        type: string
                      filters:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            $state:
                              additionalProperties: false
                              type: object
                              properties:
                                store:
                                  description: A filter can be either specific to an application context or applied globally.
                                  enum:
                                    - appState
                                    - globalState
                                  type: string
                              required:
                                - store
                            meta:
                              additionalProperties:
                                description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value".
                                nullable: true
                              type: object
                            query:
                              additionalProperties:
                                description: A query for the filter.
                                nullable: true
                              type: object
                          required:
                            - meta
                        type: array
                      kql:
                        description: A filter written in Kibana Query Language (KQL).
                        type: string
                    required:
                      - kql
                      - filters
                  timeframe:
                    additionalProperties: false
                    description: Defines a period that limits whether the action runs.
                    type: object
                    properties:
                      days:
                        description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
                        items:
                          enum:
                            - 1
                            - 2
                            - 3
                            - 4
                            - 5
                            - 6
                            - 7
                          type: integer
                        type: array
                      hours:
                        additionalProperties: false
                        description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.
                        type: object
                        properties:
                          end:
                            description: The end of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                          start:
                            description: The start of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                        required:
                          - start
                          - end
                      timezone:
                        description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight saving time support and are not recommended.
                        type: string
                    required:
                      - days
                      - hours
                      - timezone
              frequency:
                additionalProperties: false
                type: object
                properties:
                  notify_when:
                    description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    enum:
                      - onActionGroupChange
                      - onActiveAlert
                      - onThrottleInterval
                    type: string
                  summary:
                    description: Indicates whether the action is a summary.
                    type: boolean
                  throttle:
                    description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    nullable: true
                    type: string
                required:
                  - summary
                  - notify_when
                  - throttle
              group:
                description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
                type: string
              id:
                description: The identifier for the connector saved object.
                type: string
              params:
                additionalProperties:
                  nullable: true
                default: {}
                description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
                type: object
              use_alert_data_for_template:
                description: Indicates whether to use alert data as a template.
                type: boolean
              uuid:
                description: A universally unique identifier (UUID) for the action.
                type: string
            required:
              - id
          type: array
        alert_delay:
          additionalProperties: false
          description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
          type: object
          properties:
            active:
              description: The number of consecutive runs that must meet the rule conditions.
              type: number
          required:
            - active
        artifacts:
          additionalProperties: false
          type: object
          properties:
            dashboards:
              items:
                additionalProperties: false
                type: object
                properties:
                  id:
                    type: string
                required:
                  - id
              maxItems: 10
              type: array
            investigation_guide:
              additionalProperties: false
              type: object
              properties:
                blob:
                  maxLength: 10000
                  type: string
              required:
                - blob
        consumer:
          description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
          type: string
        enabled:
          default: true
          description: Indicates whether you want to run the rule on an interval basis after it is created.
          type: boolean
        flapping:
          additionalProperties: false
          description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
          nullable: true
          type: object
          properties:
            enabled:
              description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
              type: boolean
            look_back_window:
              description: The minimum number of runs in which the threshold must be met.
              maximum: 20
              minimum: 2
              type: number
            status_change_threshold:
              description: The minimum number of times an alert must switch states in the look back window.
              maximum: 20
              minimum: 2
              type: number
          required:
            - look_back_window
            - status_change_threshold
        name:
          description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
          type: string
        notify_when:
          description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          enum:
            - onActionGroupChange
            - onActiveAlert
            - onThrottleInterval
          nullable: true
          type: string
        params:
          additionalProperties: false
          description: The parameters for the degraded docs rule. These parameters are appropriate when `rule_type_id` is `datasetQuality.degradedDocs`.
          properties:
            comparator:
              type: string
            groupBy:
              items:
                type: string
              type: array
            searchConfiguration:
              additionalProperties: false
              type: object
              properties:
                index:
                  type: string
              required:
                - index
            threshold:
              items:
                type: number
              type: array
            timeSize:
              type: number
            timeUnit:
              type: string
          required:
            - timeUnit
            - timeSize
            - threshold
            - comparator
            - searchConfiguration
          title: Degraded Docs Rule Params
          type: object
        rule_type_id:
          enum:
            - datasetQuality.degradedDocs
          type: string
        schedule:
          additionalProperties: false
          description: The check interval, which specifies how frequently the rule conditions are checked.
          type: object
          properties:
            interval:
              description: The interval is specified in seconds, minutes, hours, or days.
              type: string
          required:
            - interval
        tags:
          default: []
          description: The tags for the rule.
          items:
            type: string
          type: array
        throttle:
          description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          nullable: true
          type: string
      required:
        - name
        - consumer
        - schedule
        - rule_type_id
        - params
      title: Degraded docs
      type: object
    Kibana_HTTP_APIs_es-query-create-rule-body-alerting:
      additionalProperties: false
      properties:
        actions:
          default: []
          items:
            additionalProperties: false
            description: An action that runs under defined conditions.
            type: object
            properties:
              alerts_filter:
                additionalProperties: false
                description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
                type: object
                properties:
                  query:
                    additionalProperties: false
                    type: object
                    properties:
                      dsl:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
                        type: string
                      filters:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            $state:
                              additionalProperties: false
                              type: object
                              properties:
                                store:
                                  description: A filter can be either specific to an application context or applied globally.
                                  enum:
                                    - appState
                                    - globalState
                                  type: string
                              required:
                                - store
                            meta:
                              additionalProperties:
                                description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
                                nullable: true
                              type: object
                            query:
                              additionalProperties:
                                description: A query for the filter.
                                nullable: true
                              type: object
                          required:
                            - meta
                        type: array
                      kql:
                        description: A filter written in Kibana Query Language (KQL).
                        type: string
                    required:
                      - kql
                      - filters
                  timeframe:
                    additionalProperties: false
                    description: Defines a period that limits whether the action runs.
                    type: object
                    properties:
                      days:
                        description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
                        items:
                          enum:
                            - 1
                            - 2
                            - 3
                            - 4
                            - 5
                            - 6
                            - 7
                          type: integer
                        type: array
                      hours:
                        additionalProperties: false
                        description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.
                        type: object
                        properties:
                          end:
                            description: The end of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                          start:
                            description: The start of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                        required:
                          - start
                          - end
                      timezone:
                        description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight saving time support and are not recommended.
                        type: string
                    required:
                      - days
                      - hours
                      - timezone
              frequency:
                additionalProperties: false
                type: object
                properties:
                  notify_when:
                    description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    enum:
                      - onActionGroupChange
                      - onActiveAlert
                      - onThrottleInterval
                    type: string
                  summary:
                    description: Indicates whether the action is a summary.
                    type: boolean
                  throttle:
                    description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    nullable: true
                    type: string
                required:
                  - summary
                  - notify_when
                  - throttle
              group:
                description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
                type: string
              id:
                description: The identifier for the connector saved object.
                type: string
              params:
                additionalProperties:
                  nullable: true
                default: {}
                description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
                type: object
              use_alert_data_for_template:
                description: Indicates whether to use alert data as a template.
                type: boolean
              uuid:
                description: A universally unique identifier (UUID) for the action.
                type: string
            required:
              - id
          type: array
        alert_delay:
          additionalProperties: false
          description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
          type: object
          properties:
            active:
              description: The number of consecutive runs that must meet the rule conditions.
              type: number
          required:
            - active
        artifacts:
          additionalProperties: false
          type: object
          properties:
            dashboards:
              items:
                additionalProperties: false
                type: object
                properties:
                  id:
                    type: string
                required:
                  - id
              maxItems: 10
              type: array
            investigation_guide:
              additionalProperties: false
              type: object
              properties:
                blob:
                  maxLength: 10000
                  type: string
              required:
                - blob
        consumer:
          description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
          type: string
        enabled:
          default: true
          description: Indicates whether you want to run the rule on an interval basis after it is created.
          type: boolean
        flapping:
          additionalProperties: false
          description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
          nullable: true
          type: object
          properties:
            enabled:
              description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
              type: boolean
            look_back_window:
              description: The minimum number of runs in which the threshold must be met.
              maximum: 20
              minimum: 2
              type: number
            status_change_threshold:
              description: The minimum number of times an alert must switch states in the look back window.
              maximum: 20
              minimum: 2
              type: number
          required:
            - look_back_window
            - status_change_threshold
        name:
          description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
          type: string
        notify_when:
          description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          enum:
            - onActionGroupChange
            - onActiveAlert
            - onThrottleInterval
          nullable: true
          type: string
        params:
          additionalProperties: false
          description: The parameters for the ES query rule. These parameters are appropriate when `rule_type_id` is `.es-query`.
          properties:
            aggField:
              description: The name of the numeric field that is used in the aggregation. This property is required when `aggType` is `avg`, `max`, `min` or `sum`.
              minLength: 1
              type: string
            aggType:
              default: count
              description: The type of aggregation to perform.
              type: string
            esqlQuery:
              anyOf:
                - items: {}
                  type: array
                - type: boolean
                - type: number
                - type: object
                - type: string
              description: The query definition in Elasticsearch Query Language.
              nullable: true
              oneOf:
                - additionalProperties: false
                  type: object
                  properties:
                    esql:
                      minLength: 1
                      type: string
                  required:
                    - esql
                - not: {}
            esQuery:
              anyOf:
                - items: {}
                  type: array
                - type: boolean
                - type: number
                - type: object
                - type: string
              nullable: true
              oneOf:
                - minLength: 1
                  type: string
                - not: {}
            excludeHitsFromPreviousRun:
              default: true
              description: Indicates whether to exclude matches from previous runs. If `true`, you can avoid alert duplication by excluding documents that have already been detected by the previous rule run. This option is not available when a grouping field is specified.
              type: boolean
            groupBy:
              default: all
              description: Indicates whether the aggregation is applied over all documents (`all`), grouped by row (`row`), or split into groups (`top`) using a grouping field (`termField`) where only the top groups (up to `termSize` number of groups) are checked. If grouping is used, an alert will be created for each group when it exceeds the threshold.
              type: string
            index:
              anyOf:
                - items: {}
                  type: array
                - type: boolean
                - type: number
                - type: object
                - type: string
              description: The indices to query.
              nullable: true
              oneOf:
                - items:
                    minLength: 1
                    type: string
                  minItems: 1
                  type: array
                - not: {}
            searchConfiguration:
              anyOf:
                - items: {}
                  type: array
                - type: boolean
                - type: number
                - type: object
                - type: string
              description: The query definition, which uses KQL or Lucene to fetch the documents from Elasticsearch.
              nullable: true
              oneOf:
                - additionalProperties: true
                  type: object
                  properties: {}
                - not: {}
            searchType:
              default: esQuery
              description: 'The type of query. For example: `esQuery` for Elasticsearch Query DSL or `esqlQuery` for Elasticsearch Query Language (ES|QL).'
              enum:
                - searchSource
                - esQuery
                - esqlQuery
              type: string
            size:
              description: The number of documents to pass to the configured actions when the threshold condition is met.
              maximum: 10000
              minimum: 0
              type: number
            sourceFields:
              description: The sourceFields param is ignored.
              items:
                additionalProperties: false
                type: object
                properties:
                  label:
                    type: string
                  searchPath:
                    type: string
                required:
                  - label
                  - searchPath
              maxItems: 5
              type: array
            termField:
              anyOf:
                - minLength: 1
                  type: string
                - items:
                    type: string
                  maxItems: 4
                  minItems: 2
                  type: array
              description: The names of up to four fields that are used for grouping the aggregation. This property is required when `groupBy` is `top`.
            termSize:
              description: This property is required when `groupBy` is `top`. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields.
              minimum: 1
              type: number
            threshold:
              items:
                description: The threshold value that is used with the `thresholdComparator`. If the `thresholdComparator` is `between` or `notBetween`, you must specify the boundary values.
                type: number
              maxItems: 2
              minItems: 1
              type: array
            thresholdComparator:
              description: 'The comparison function for the threshold. For example: greater than, less than, greater than or equal to, between, or not between.'
              enum:
                - '>'
                - <
                - '>='
                - <=
                - between
                - notBetween
              type: string
            timeField:
              anyOf:
                - items: {}
                  type: array
                - type: boolean
                - type: number
                - type: object
                - type: string
              description: The field that is used to calculate the time window.
              nullable: true
              oneOf:
                - minLength: 1
                  type: string
                - minLength: 1
                  type: string
                  x-oas-optional: true
            timeWindowSize:
              description: The size of the time window (in `timeWindowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.
              minimum: 1
              type: number
            timeWindowUnit:
              description: 'The type of units for the time window. For example: seconds, minutes, hours, or days.'
              type: string
          required:
            - size
            - timeWindowSize
            - timeWindowUnit
            - threshold
            - thresholdComparator
            - timeField
            - searchConfiguration
            - esQuery
            - index
            - esqlQuery
          title: ES Query Rule Params
          type: object
        rule_type_id:
          enum:
            - .es-query
          type: string
        schedule:
          additionalProperties: false
          description: The check interval, which specifies how frequently the rule conditions are checked.
          type: object
          properties:
            interval:
              description: The interval is specified in seconds, minutes, hours, or days.
              type: string
          required:
            - interval
        tags:
          default: []
          description: The tags for the rule.
          items:
            type: string
          type: array
        throttle:
          description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          nullable: true
          type: string
      required:
        - name
        - consumer
        - schedule
        - rule_type_id
        - params
      title: ES query
      type: object
    Kibana_HTTP_APIs_FailureStore:
      anyOf:
        - additionalProperties: false
          type: object
          properties:
            inherit:
              additionalProperties: false
              type: object
              properties: {}
          required:
            - inherit
        - additionalProperties: false
          type: object
          properties:
            disabled:
              additionalProperties: false
              type: object
              properties: {}
          required:
            - disabled
        - additionalProperties: false
          type: object
          properties:
            lifecycle:
              additionalProperties: false
              type: object
              properties:
                enabled:
                  additionalProperties: false
                  type: object
                  properties:
                    data_retention:
                      description: A non-empty string.
                      minLength: 1
                      type: string
              required:
                - enabled
          required:
            - lifecycle
        - additionalProperties: false
          type: object
          properties:
            lifecycle:
              additionalProperties: false
              type: object
              properties:
                disabled:
                  additionalProperties: false
                  type: object
                  properties: {}
              required:
                - disabled
          required:
            - lifecycle
    Kibana_HTTP_APIs_FieldDefinition:
      additionalProperties:
        $ref: '#/components/schemas/Kibana_HTTP_APIs_FieldDefinitionConfig'
      type: object
    Kibana_HTTP_APIs_FieldDefinitionConfig:
      allOf:
        - $ref: '#/components/schemas/Kibana_HTTP_APIs_RecursiveRecord'
        - anyOf:
            - additionalProperties: false
              type: object
              properties:
                description:
                  type: string
                format:
                  description: A non-empty string.
                  minLength: 1
                  type: string
                type:
                  enum:
                    - keyword
                    - match_only_text
                    - long
                    - double
                    - date
                    - boolean
                    - ip
                    - geo_point
                    - integer
                    - short
                    - byte
                    - float
                    - half_float
                    - text
                    - wildcard
                    - version
                    - unsigned_long
                    - date_nanos
                  type: string
              required:
                - type
            - additionalProperties: false
              type: object
              properties:
                description:
                  type: string
                format:
                  not: {}
                type:
                  not: {}
              required:
                - description
            - additionalProperties: false
              type: object
              properties:
                description:
                  type: string
                type:
                  enum:
                    - system
                  type: string
              required:
                - type
    Kibana_HTTP_APIs_FilterCondition:
      anyOf:
        - additionalProperties: false
          description: A condition that compares a field to a value or range using an operator as the key.
          type: object
          properties:
            contains:
              anyOf:
                - type: string
                - type: number
                - type: boolean
              description: Contains comparison value.
            endsWith:
              anyOf:
                - type: string
                - type: number
                - type: boolean
              description: Ends-with comparison value.
            eq:
              anyOf:
                - type: string
                - type: number
                - type: boolean
              description: Equality comparison value.
            field:
              description: The document field to filter on.
              minLength: 1
              type: string
            gt:
              anyOf:
                - type: string
                - type: number
                - type: boolean
              description: Greater-than comparison value.
            gte:
              anyOf:
                - type: string
                - type: number
                - type: boolean
              description: Greater-than-or-equal comparison value.
            includes:
              anyOf:
                - type: string
                - type: number
                - type: boolean
              description: Checks if multivalue field includes the value.
            lt:
              anyOf:
                - type: string
                - type: number
                - type: boolean
              description: Less-than comparison value.
            lte:
              anyOf:
                - type: string
                - type: number
                - type: boolean
              description: Less-than-or-equal comparison value.
            neq:
              anyOf:
                - type: string
                - type: number
                - type: boolean
              description: Inequality comparison value.
            range:
              additionalProperties: false
              description: Range comparison values.
              type: object
              properties:
                gt:
                  anyOf:
                    - type: string
                    - type: number
                    - type: boolean
                  description: A value that can be a string, number, or boolean.
                gte:
                  anyOf:
                    - type: string
                    - type: number
                    - type: boolean
                  description: A value that can be a string, number, or boolean.
                lt:
                  anyOf:
                    - type: string
                    - type: number
                    - type: boolean
                  description: A value that can be a string, number, or boolean.
                lte:
                  anyOf:
                    - type: string
                    - type: number
                    - type: boolean
                  description: A value that can be a string, number, or boolean.
            startsWith:
              anyOf:
                - type: string
                - type: number
                - type: boolean
              description: Starts-with comparison value.
          required:
            - field
        - additionalProperties: false
          description: A condition that checks for the existence or non-existence of a field.
          type: object
          properties:
            exists:
              description: Indicates whether the field exists or not.
              type: boolean
            field:
              description: The document field to check.
              minLength: 1
              type: string
          required:
            - field
      description: A basic filter condition, either unary or binary.
    Kibana_HTTP_APIs_geo-containment-create-rule-body-alerting:
      additionalProperties: false
      properties:
        actions:
          default: []
          items:
            additionalProperties: false
            description: An action that runs under defined conditions.
            type: object
            properties:
              alerts_filter:
                additionalProperties: false
                description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
                type: object
                properties:
                  query:
                    additionalProperties: false
                    type: object
                    properties:
                      dsl:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
                        type: string
                      filters:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            $state:
                              additionalProperties: false
                              type: object
                              properties:
                                store:
                                  description: A filter can be either specific to an application context or applied globally.
                                  enum:
                                    - appState
                                    - globalState
                                  type: string
                              required:
                                - store
                            meta:
                              additionalProperties:
                                description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
                                nullable: true
                              type: object
                            query:
                              additionalProperties:
                                description: A query for the filter.
                                nullable: true
                              type: object
                          required:
                            - meta
                        type: array
                      kql:
                        description: A filter written in Kibana Query Language (KQL).
                        type: string
                    required:
                      - kql
                      - filters
                  timeframe:
                    additionalProperties: false
                    description: Defines a period that limits whether the action runs.
                    type: object
                    properties:
                      days:
                        description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
                        items:
                          enum:
                            - 1
                            - 2
                            - 3
                            - 4
                            - 5
                            - 6
                            - 7
                          type: integer
                        type: array
                      hours:
                        additionalProperties: false
                        description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.
                        type: object
                        properties:
                          end:
                            description: The end of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                          start:
                            description: The start of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                        required:
                          - start
                          - end
                      timezone:
                        description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
                        type: string
                    required:
                      - days
                      - hours
                      - timezone
              frequency:
                additionalProperties: false
                type: object
                properties:
                  notify_when:
                    description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    enum:
                      - onActionGroupChange
                      - onActiveAlert
                      - onThrottleInterval
                    type: string
                  summary:
                    description: Indicates whether the action is a summary.
                    type: boolean
                  throttle:
                    description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    nullable: true
                    type: string
                required:
                  - summary
                  - notify_when
                  - throttle
              group:
                description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
                type: string
              id:
                description: The identifier for the connector saved object.
                type: string
              params:
                additionalProperties:
                  nullable: true
                default: {}
                description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
                type: object
              use_alert_data_for_template:
                description: Indicates whether to use alert data as a template.
                type: boolean
              uuid:
                description: A universally unique identifier (UUID) for the action.
                type: string
            required:
              - id
          type: array
        alert_delay:
          additionalProperties: false
          description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
          type: object
          properties:
            active:
              description: The number of consecutive runs that must meet the rule conditions.
              type: number
          required:
            - active
        artifacts:
          additionalProperties: false
          type: object
          properties:
            dashboards:
              items:
                additionalProperties: false
                type: object
                properties:
                  id:
                    type: string
                required:
                  - id
              maxItems: 10
              type: array
            investigation_guide:
              additionalProperties: false
              type: object
              properties:
                blob:
                  maxLength: 10000
                  type: string
              required:
                - blob
        consumer:
          description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
          type: string
        enabled:
          default: true
          description: Indicates whether you want to run the rule on an interval basis after it is created.
          type: boolean
        flapping:
          additionalProperties: false
          description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
          nullable: true
          type: object
          properties:
            enabled:
              description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
              type: boolean
            look_back_window:
              description: The minimum number of runs in which the threshold must be met.
              maximum: 20
              minimum: 2
              type: number
            status_change_threshold:
              description: The minimum number of times an alert must switch states in the look back window.
              maximum: 20
              minimum: 2
              type: number
          required:
            - look_back_window
            - status_change_threshold
        name:
          description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
          type: string
        notify_when:
          description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          enum:
            - onActionGroupChange
            - onActiveAlert
            - onThrottleInterval
          nullable: true
          type: string
        params:
          additionalProperties: false
          description: The parameters for the geo containment rule. These parameters are appropriate when `rule_type_id` is `.geo-containment`.
          properties:
            boundaryGeoField:
              minLength: 1
              type: string
            boundaryIndexId:
              minLength: 1
              type: string
            boundaryIndexQuery:
              nullable: true
            boundaryIndexTitle:
              minLength: 1
              type: string
            boundaryNameField:
              minLength: 1
              type: string
            boundaryType:
              minLength: 1
              type: string
            dateField:
              minLength: 1
              type: string
            entity:
              minLength: 1
              type: string
            geoField:
              minLength: 1
              type: string
            index:
              minLength: 1
              type: string
            indexId:
              minLength: 1
              type: string
            indexQuery:
              nullable: true
          required:
            - index
            - indexId
            - geoField
            - entity
            - dateField
            - boundaryType
            - boundaryIndexTitle
            - boundaryIndexId
            - boundaryGeoField
            - indexQuery
            - boundaryIndexQuery
          title: Geo Containment Rule Params
          type: object
        rule_type_id:
          enum:
            - .geo-containment
          type: string
        schedule:
          additionalProperties: false
          description: The check interval, which specifies how frequently the rule conditions are checked.
          type: object
          properties:
            interval:
              description: The interval is specified in seconds, minutes, hours, or days.
              type: string
          required:
            - interval
        tags:
          default: []
          description: The tags for the rule.
          items:
            type: string
          type: array
        throttle:
          description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          nullable: true
          type: string
      required:
        - name
        - consumer
        - schedule
        - rule_type_id
        - params
      title: Geo containment
      type: object
    Kibana_HTTP_APIs_index-threshold-create-rule-body-alerting:
      additionalProperties: false
      properties:
        actions:
          default: []
          items:
            additionalProperties: false
            description: An action that runs under defined conditions.
            type: object
            properties:
              alerts_filter:
                additionalProperties: false
                description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
                type: object
                properties:
                  query:
                    additionalProperties: false
                    type: object
                    properties:
                      dsl:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
                        type: string
                      filters:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            $state:
                              additionalProperties: false
                              type: object
                              properties:
                                store:
                                  description: A filter can be either specific to an application context or applied globally.
                                  enum:
                                    - appState
                                    - globalState
                                  type: string
                              required:
                                - store
                            meta:
                              additionalProperties:
                                description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
                                nullable: true
                              type: object
                            query:
                              additionalProperties:
                                description: A query for the filter.
                                nullable: true
                              type: object
                          required:
                            - meta
                        type: array
                      kql:
                        description: A filter written in Kibana Query Language (KQL).
                        type: string
                    required:
                      - kql
                      - filters
                  timeframe:
                    additionalProperties: false
                    description: Defines a period that limits whether the action runs.
                    type: object
                    properties:
                      days:
                        description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
                        items:
                          enum:
                            - 1
                            - 2
                            - 3
                            - 4
                            - 5
                            - 6
                            - 7
                          type: integer
                        type: array
                      hours:
                        additionalProperties: false
                        description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.
                        type: object
                        properties:
                          end:
                            description: The end of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                          start:
                            description: The start of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                        required:
                          - start
                          - end
                      timezone:
                        description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
                        type: string
                    required:
                      - days
                      - hours
                      - timezone
              frequency:
                additionalProperties: false
                type: object
                properties:
                  notify_when:
                    description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    enum:
                      - onActionGroupChange
                      - onActiveAlert
                      - onThrottleInterval
                    type: string
                  summary:
                    description: Indicates whether the action is a summary.
                    type: boolean
                  throttle:
                    description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    nullable: true
                    type: string
                required:
                  - summary
                  - notify_when
                  - throttle
              group:
                description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
                type: string
              id:
                description: The identifier for the connector saved object.
                type: string
              params:
                additionalProperties:
                  nullable: true
                default: {}
                description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
                type: object
              use_alert_data_for_template:
                description: Indicates whether to use alert data as a template.
                type: boolean
              uuid:
                description: A universally unique identifier (UUID) for the action.
                type: string
            required:
              - id
          type: array
        alert_delay:
          additionalProperties: false
          description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
          type: object
          properties:
            active:
              description: The number of consecutive runs that must meet the rule conditions.
              type: number
          required:
            - active
        artifacts:
          additionalProperties: false
          type: object
          properties:
            dashboards:
              items:
                additionalProperties: false
                type: object
                properties:
                  id:
                    type: string
                required:
                  - id
              maxItems: 10
              type: array
            investigation_guide:
              additionalProperties: false
              type: object
              properties:
                blob:
                  maxLength: 10000
                  type: string
              required:
                - blob
        consumer:
          description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
          type: string
        enabled:
          default: true
          description: Indicates whether you want to run the rule on an interval basis after it is created.
          type: boolean
        flapping:
          additionalProperties: false
          description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
          nullable: true
          type: object
          properties:
            enabled:
              description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
              type: boolean
            look_back_window:
              description: The minimum number of runs in which the threshold must be met.
              maximum: 20
              minimum: 2
              type: number
            status_change_threshold:
              description: The minimum number of times an alert must switch states in the look back window.
              maximum: 20
              minimum: 2
              type: number
          required:
            - look_back_window
            - status_change_threshold
        name:
          description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
          type: string
        notify_when:
          description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          enum:
            - onActionGroupChange
            - onActiveAlert
            - onThrottleInterval
          nullable: true
          type: string
        params:
          additionalProperties: false
          description: The parameters for the index threshold rule. These parameters are appropriate when `rule_type_id` is `.index-threshold`.
          properties:
            aggField:
              description: The name of the numeric field that is used in the aggregation. This property is required when `aggType` is `avg`, `max`, `min` or `sum`.
              minLength: 1
              type: string
            aggType:
              default: count
              description: The type of aggregation to perform.
              type: string
            filterKuery:
              description: A Kibana Query Language (KQL) expression that limits the scope of alerts.
              type: string
            groupBy:
              default: all
              description: Indicates whether the aggregation is applied over all documents (`all`) or split into groups (`top`) using a grouping field (`termField`). If grouping is used, an alert will be created for each group when it exceeds the threshold; only the top groups (up to `termSize` number of groups) are checked.
              type: string
            index:
              anyOf:
                - minLength: 1
                  type: string
                - items:
                    minLength: 1
                    type: string
                  minItems: 1
                  type: array
              description: The indices to query.
            termField:
              description: The names of up to four fields that are used for grouping the aggregation. This property is required when `groupBy` is `top`.
              minLength: 1
              type: string
            termSize:
              description: This property is required when `groupBy` is `top`. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields.
              minimum: 1
              type: number
            threshold:
              items:
                type: number
              maxItems: 2
              minItems: 1
              type: array
            thresholdComparator:
              description: 'The comparison function for the threshold. For example: greater than, less than, greater than or equal to, between, or not between.'
              enum:
                - '>'
                - <
                - '>='
                - <=
                - between
                - notBetween
              type: string
            timeField:
              description: The field that is used to calculate the time window.
              minLength: 1
              type: string
            timeWindowSize:
              description: The size of the time window (in `timeWindowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.
              minimum: 1
              type: number
            timeWindowUnit:
              description: 'The type of units for the time window. For example: seconds, minutes, hours, or days.'
              type: string
          required:
            - index
            - timeField
            - timeWindowSize
            - timeWindowUnit
            - thresholdComparator
            - threshold
          title: Index Threshold Rule Params
          type: object
        rule_type_id:
          enum:
            - .index-threshold
          type: string
        schedule:
          additionalProperties: false
          description: The check interval, which specifies how frequently the rule conditions are checked.
          type: object
          properties:
            interval:
              description: The interval is specified in seconds, minutes, hours, or days.
              type: string
          required:
            - interval
        tags:
          default: []
          description: The tags for the rule.
          items:
            type: string
          type: array
        throttle:
          description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          nullable: true
          type: string
      required:
        - name
        - consumer
        - schedule
        - rule_type_id
        - params
      title: Index threshold
      type: object
    Kibana_HTTP_APIs_IngestStreamLifecycle:
      anyOf:
        - additionalProperties: false
          type: object
          properties:
            dsl:
              additionalProperties: false
              type: object
              properties:
                data_retention:
                  description: A non-empty string.
                  minLength: 1
                  type: string
                downsample:
                  items:
                    type: object
                    properties:
                      after:
                        description: A non-empty string.
                        minLength: 1
                        type: string
                      fixed_interval:
                        description: A non-empty string.
                        minLength: 1
                        type: string
                    required:
                      - after
                      - fixed_interval
                  type: array
          required:
            - dsl
        - additionalProperties: false
          type: object
          properties:
            ilm:
              additionalProperties: false
              type: object
              properties:
                policy:
                  description: A non-empty string.
                  minLength: 1
                  type: string
              required:
                - policy
          required:
            - ilm
        - additionalProperties: false
          type: object
          properties:
            inherit:
              additionalProperties: false
              type: object
              properties: {}
          required:
            - inherit
    Kibana_HTTP_APIs_logs-alert-document-count-create-rule-body-alerting:
      additionalProperties: false
      properties:
        actions:
          default: []
          items:
            additionalProperties: false
            description: An action that runs under defined conditions.
            type: object
            properties:
              alerts_filter:
                additionalProperties: false
                description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
                type: object
                properties:
                  query:
                    additionalProperties: false
                    type: object
                    properties:
                      dsl:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
                        type: string
                      filters:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            $state:
                              additionalProperties: false
                              type: object
                              properties:
                                store:
                                  description: A filter can be either specific to an application context or applied globally.
                                  enum:
                                    - appState
                                    - globalState
                                  type: string
                              required:
                                - store
                            meta:
                              additionalProperties:
                                description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
                                nullable: true
                              type: object
                            query:
                              additionalProperties:
                                description: A query for the filter.
                                nullable: true
                              type: object
                          required:
                            - meta
                        type: array
                      kql:
                        description: A filter written in Kibana Query Language (KQL).
                        type: string
                    required:
                      - kql
                      - filters
                  timeframe:
                    additionalProperties: false
                    description: Defines a period that limits whether the action runs.
                    type: object
                    properties:
                      days:
                        description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
                        items:
                          enum:
                            - 1
                            - 2
                            - 3
                            - 4
                            - 5
                            - 6
                            - 7
                          type: integer
                        type: array
                      hours:
                        additionalProperties: false
                        description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions are generated all day.
                        type: object
                        properties:
                          end:
                            description: The end of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                          start:
                            description: The start of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                        required:
                          - start
                          - end
                      timezone:
                        description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
                        type: string
                    required:
                      - days
                      - hours
                      - timezone
              frequency:
                additionalProperties: false
                type: object
                properties:
                  notify_when:
                    description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    enum:
                      - onActionGroupChange
                      - onActiveAlert
                      - onThrottleInterval
                    type: string
                  summary:
                    description: Indicates whether the action is a summary.
                    type: boolean
                  throttle:
                    description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    nullable: true
                    type: string
                required:
                  - summary
                  - notify_when
                  - throttle
              group:
                description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
                type: string
              id:
                description: The identifier for the connector saved object.
                type: string
              params:
                additionalProperties:
                  nullable: true
                default: {}
                description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
                type: object
              use_alert_data_for_template:
                description: Indicates whether to use alert data as a template.
                type: boolean
              uuid:
                description: A universally unique identifier (UUID) for the action.
                type: string
            required:
              - id
          type: array
        alert_delay:
          additionalProperties: false
          description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
          type: object
          properties:
            active:
              description: The number of consecutive runs that must meet the rule conditions.
              type: number
          required:
            - active
        artifacts:
          additionalProperties: false
          type: object
          properties:
            dashboards:
              items:
                additionalProperties: false
                type: object
                properties:
                  id:
                    type: string
                required:
                  - id
              maxItems: 10
              type: array
            investigation_guide:
              additionalProperties: false
              type: object
              properties:
                blob:
                  maxLength: 10000
                  type: string
              required:
                - blob
        consumer:
          description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
          type: string
        enabled:
          default: true
          description: Indicates whether you want to run the rule on an interval basis after it is created.
          type: boolean
        flapping:
          additionalProperties: false
          description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
          nullable: true
          type: object
          properties:
            enabled:
              description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
              type: boolean
            look_back_window:
              description: The minimum number of runs in which the threshold must be met.
              maximum: 20
              minimum: 2
              type: number
            status_change_threshold:
              description: The minimum number of times an alert must switch states in the look back window.
              maximum: 20
              minimum: 2
              type: number
          required:
            - look_back_window
            - status_change_threshold
        name:
          description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
          type: string
        notify_when:
          description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          enum:
            - onActionGroupChange
            - onActiveAlert
            - onThrottleInterval
          nullable: true
          type: string
        params:
          anyOf:
            - additionalProperties: false
              type: object
              properties:
                count:
                  additionalProperties: false
                  type: object
                  properties:
                    comparator:
                      enum:
                        - more than
                        - more than or equals
                        - less than
                        - less than or equals
                        - equals
                        - does not equal
                        - matches
                        - does not match
                        - matches phrase
                        - does not match phrase
                      type: string
                    value:
                      type: number
                  required:
                    - comparator
                    - value
                criteria:
                  items:
                    additionalProperties: false
                    type: object
                    properties:
                      comparator:
                        enum:
                          - more than
                          - more than or equals
                          - less than
                          - less than or equals
                          - equals
                          - does not equal
                          - matches
                          - does not match
                          - matches phrase
                          - does not match phrase
                        type: string
                      field:
                        type: string
                      value:
                        anyOf:
                          - type: string
                          - type: number
                    required:
                      - field
                      - comparator
                      - value
                  type: array
                groupBy:
                  items:
                    type: string
                  type: array
                logView:
                  additionalProperties: false
                  type: object
                  properties:
                    logViewId:
                      type: string
                    type:
                      enum:
                        - log-view-reference
                      type: string
                  required:
                    - logViewId
                    - type
                timeSize:
                  type: number
                timeUnit:
                  enum:
                    - s
                    - m
                    - h
                    - d
                  type: string
              required:
                - criteria
                - count
                - timeUnit
                - timeSize
                - logView
            - additionalProperties: false
              type: object
              properties:
                count:
                  additionalProperties: false
                  type: object
                  properties:
                    comparator:
                      enum:
                        - more than
                        - more than or equals
                        - less than
                        - less than or equals
                        - equals
                        - does not equal
                        - matches
                        - does not match
                        - matches phrase
                        - does not match phrase
                      type: string
                    value:
                      type: number
                  required:
                    - comparator
                    - value
                criteria:
                  items:
                    items:
                      additionalProperties: false
                      type: object
                      properties:
                        comparator:
                          enum:
                            - more than
                            - more than or equals
                            - less than
                            - less than or equals
                            - equals
                            - does not equal
                            - matches
                            - does not match
                            - matches phrase
                            - does not match phrase
                          type: string
                        field:
                          type: string
                        value:
                          anyOf:
                            - type: string
                            - type: number
                      required:
                        - field
                        - comparator
                        - value
                    type: array
                  type: array
                groupBy:
                  items:
                    type: string
                  type: array
                logView:
                  additionalProperties: false
                  type: object
                  properties:
                    logViewId:
                      type: string
                    type:
                      enum:
                        - log-view-reference
                      type: string
                  required:
                    - logViewId
                    - type
                timeSize:
                  type: number
                timeUnit:
                  enum:
                    - s
                    - m
                    - h
                    - d
                  type: string
              required:
                - criteria
                - count
                - timeUnit
                - timeSize
                - logView
          description: The parameters for the log threshold rule. These parameters are appropriate when `rule_type_id` is `logs.alert.document.count`.
          title: Log Threshold Rule Params
        rule_type_id:
          enum:
            - logs.alert.document.count
          type: string
        schedule:
          additionalProperties: false
          description: The check interval, which specifies how frequently the rule conditions are checked.
          type: object
          properties:
            interval:
              description: The interval is specified in seconds, minutes, hours, or days.
              type: string
          required:
            - interval
        tags:
          default: []
          description: The tags for the rule.
          items:
            type: string
          type: array
        throttle:
          description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          nullable: true
          type: string
      required:
        - name
        - consumer
        - schedule
        - rule_type_id
        - params
      title: Log threshold
      type: object
    Kibana_HTTP_APIs_metrics-alert-inventory-threshold-create-rule-body-alerting:
      additionalProperties: false
      properties:
        actions:
          default: []
          items:
            additionalProperties: false
            description: An action that runs under defined conditions.
            type: object
            properties:
              alerts_filter:
                additionalProperties: false
                description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
                type: object
                properties:
                  query:
                    additionalProperties: false
                    type: object
                    properties:
                      dsl:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
                        type: string
                      filters:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            $state:
                              additionalProperties: false
                              type: object
                              properties:
                                store:
                                  description: A filter can be either specific to an application context or applied globally.
                                  enum:
                                    - appState
                                    - globalState
                                  type: string
                              required:
                                - store
                            meta:
                              additionalProperties:
                                description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
                                nullable: true
                              type: object
                            query:
                              additionalProperties:
                                description: A query for the filter.
                                nullable: true
                              type: object
                          required:
                            - meta
                        type: array
                      kql:
                        description: A filter written in Kibana Query Language (KQL).
                        type: string
                    required:
                      - kql
                      - filters
                  timeframe:
                    additionalProperties: false
                    description: Defines a period that limits whether the action runs.
                    type: object
                    properties:
                      days:
                        description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
                        items:
                          enum:
                            - 1
                            - 2
                            - 3
                            - 4
                            - 5
                            - 6
                            - 7
                          type: integer
                        type: array
                      hours:
                        additionalProperties: false
                        description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions are generated all day.
                        type: object
                        properties:
                          end:
                            description: The end of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                          start:
                            description: The start of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                        required:
                          - start
                          - end
                      timezone:
                        description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
                        type: string
                    required:
                      - days
                      - hours
                      - timezone
              frequency:
                additionalProperties: false
                type: object
                properties:
                  notify_when:
                    description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    enum:
                      - onActionGroupChange
                      - onActiveAlert
                      - onThrottleInterval
                    type: string
                  summary:
                    description: Indicates whether the action is a summary.
                    type: boolean
                  throttle:
                    description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    nullable: true
                    type: string
                required:
                  - summary
                  - notify_when
                  - throttle
              group:
                description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
                type: string
              id:
                description: The identifier for the connector saved object.
                type: string
              params:
                additionalProperties:
                  nullable: true
                default: {}
                description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
                type: object
              use_alert_data_for_template:
                description: Indicates whether to use alert data as a template.
                type: boolean
              uuid:
                description: A universally unique identifier (UUID) for the action.
                type: string
            required:
              - id
          type: array
        alert_delay:
          additionalProperties: false
          description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
          type: object
          properties:
            active:
              description: The number of consecutive runs that must meet the rule conditions.
              type: number
          required:
            - active
        artifacts:
          additionalProperties: false
          type: object
          properties:
            dashboards:
              items:
                additionalProperties: false
                type: object
                properties:
                  id:
                    type: string
                required:
                  - id
              maxItems: 10
              type: array
            investigation_guide:
              additionalProperties: false
              type: object
              properties:
                blob:
                  maxLength: 10000
                  type: string
              required:
                - blob
        consumer:
          description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
          type: string
        enabled:
          default: true
          description: Indicates whether you want to run the rule on an interval basis after it is created.
          type: boolean
        flapping:
          additionalProperties: false
          description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
          nullable: true
          type: object
          properties:
            enabled:
              description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
              type: boolean
            look_back_window:
              description: The minimum number of runs in which the threshold must be met.
              maximum: 20
              minimum: 2
              type: number
            status_change_threshold:
              description: The minimum number of times an alert must switch states in the look back window.
              maximum: 20
              minimum: 2
              type: number
          required:
            - look_back_window
            - status_change_threshold
        name:
          description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
          type: string
        notify_when:
          description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          enum:
            - onActionGroupChange
            - onActiveAlert
            - onThrottleInterval
          nullable: true
          type: string
        params:
          additionalProperties: true
          description: The parameters for the metric inventory threshold rule. These parameters are appropriate when `rule_type_id` is `metrics.alert.inventory.threshold`.
          properties:
            alertOnNoData:
              type: boolean
            criteria:
              items:
                additionalProperties: false
                type: object
                properties:
                  comparator:
                    type: string
                  customMetric:
                    additionalProperties: false
                    type: object
                    properties:
                      aggregation:
                        type: string
                      field:
                        type: string
                      id:
                        type: string
                      label:
                        type: string
                      type:
                        enum:
                          - custom
                        type: string
                    required:
                      - type
                      - id
                      - field
                      - aggregation
                  metric:
                    type: string
                  threshold:
                    items:
                      type: number
                    type: array
                  timeSize:
                    type: number
                  timeUnit:
                    type: string
                  warningComparator:
                    type: string
                  warningThreshold:
                    items:
                      type: number
                    type: array
                required:
                  - threshold
                  - comparator
                  - timeUnit
                  - timeSize
                  - metric
              type: array
            filterQuery:
              type: string
            nodeType:
              type: string
            schema:
              type: string
            sourceId:
              type: string
          required:
            - criteria
            - nodeType
            - sourceId
          title: Metric Inventory Threshold Rule Params
          type: object
        rule_type_id:
          enum:
            - metrics.alert.inventory.threshold
          type: string
        schedule:
          additionalProperties: false
          description: The check interval, which specifies how frequently the rule conditions are checked.
          type: object
          properties:
            interval:
              description: The interval is specified in seconds, minutes, hours, or days.
              type: string
          required:
            - interval
        tags:
          default: []
          description: The tags for the rule.
          items:
            type: string
          type: array
        throttle:
          description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          nullable: true
          type: string
      required:
        - name
        - consumer
        - schedule
        - rule_type_id
        - params
      title: Metric inventory threshold
      type: object
    Kibana_HTTP_APIs_metrics-alert-threshold-create-rule-body-alerting:
      additionalProperties: false
      properties:
        actions:
          default: []
          items:
            additionalProperties: false
            description: An action that runs under defined conditions.
            type: object
            properties:
              alerts_filter:
                additionalProperties: false
                description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
                type: object
                properties:
                  query:
                    additionalProperties: false
                    type: object
                    properties:
                      dsl:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
                        type: string
                      filters:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            $state:
                              additionalProperties: false
                              type: object
                              properties:
                                store:
                                  description: A filter can be either specific to an application context or applied globally.
                                  enum:
                                    - appState
                                    - globalState
                                  type: string
                              required:
                                - store
                            meta:
                              additionalProperties:
                                description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value".
                                nullable: true
                              type: object
                            query:
                              additionalProperties:
                                description: A query for the filter.
                                nullable: true
                              type: object
                          required:
                            - meta
                        type: array
                      kql:
                        description: A filter written in Kibana Query Language (KQL).
                        type: string
                    required:
                      - kql
                      - filters
                  timeframe:
                    additionalProperties: false
                    description: Defines a period that limits whether the action runs.
                    type: object
                    properties:
                      days:
                        description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
                        items:
                          enum:
                            - 1
                            - 2
                            - 3
                            - 4
                            - 5
                            - 6
                            - 7
                          type: integer
                        type: array
                      hours:
                        additionalProperties: false
                        description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.
                        type: object
                        properties:
                          end:
                            description: The end of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                          start:
                            description: The start of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                        required:
                          - start
                          - end
                      timezone:
                        description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
                        type: string
                    required:
                      - days
                      - hours
                      - timezone
              frequency:
                additionalProperties: false
                type: object
                properties:
                  notify_when:
                    description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    enum:
                      - onActionGroupChange
                      - onActiveAlert
                      - onThrottleInterval
                    type: string
                  summary:
                    description: Indicates whether the action is a summary.
                    type: boolean
                  throttle:
                    description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    nullable: true
                    type: string
                required:
                  - summary
                  - notify_when
                  - throttle
              group:
                description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
                type: string
              id:
                description: The identifier for the connector saved object.
                type: string
              params:
                additionalProperties:
                  nullable: true
                default: {}
                description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
                type: object
              use_alert_data_for_template:
                description: Indicates whether to use alert data as a template.
                type: boolean
              uuid:
                description: A universally unique identifier (UUID) for the action.
                type: string
            required:
              - id
          type: array
        alert_delay:
          additionalProperties: false
          description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
          type: object
          properties:
            active:
              description: The number of consecutive runs that must meet the rule conditions.
              type: number
          required:
            - active
        artifacts:
          additionalProperties: false
          type: object
          properties:
            dashboards:
              items:
                additionalProperties: false
                type: object
                properties:
                  id:
                    type: string
                required:
                  - id
              maxItems: 10
              type: array
            investigation_guide:
              additionalProperties: false
              type: object
              properties:
                blob:
                  maxLength: 10000
                  type: string
              required:
                - blob
        consumer:
          description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
          type: string
        enabled:
          default: true
          description: Indicates whether you want to run the rule on an interval basis after it is created.
          type: boolean
        flapping:
          additionalProperties: false
          description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
          nullable: true
          type: object
          properties:
            enabled:
              description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
              type: boolean
            look_back_window:
              description: The minimum number of runs in which the threshold must be met.
              maximum: 20
              minimum: 2
              type: number
            status_change_threshold:
              description: The minimum number of times an alert must switch states in the look back window.
              maximum: 20
              minimum: 2
              type: number
          required:
            - look_back_window
            - status_change_threshold
        name:
          description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
          type: string
        notify_when:
          description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          enum:
            - onActionGroupChange
            - onActiveAlert
            - onThrottleInterval
          nullable: true
          type: string
        params:
          additionalProperties: true
          description: The parameters for the metric threshold rule. These parameters are appropriate when `rule_type_id` is `metrics.alert.threshold`.
          properties:
            alertOnGroupDisappear:
              description: If true, an alert occurs if a group that previously reported metrics does not report them again over the expected time period. This check is not recommended for dynamically scaling infrastructures that might rapidly start and stop nodes automatically.
              type: boolean
            alertOnNoData:
              description: If true, an alert occurs if the metrics do not report any data over the expected period or if the query fails.
              type: boolean
            criteria:
              items:
                anyOf:
                  - additionalProperties: false
                    type: object
                    properties:
                      aggType:
                        enum:
                          - count
                        type: string
                      comparator:
                        type: string
                      threshold:
                        description: The threshold value that is used with the `comparator`. If the `comparator` is `between`, you must specify the boundary values.
                        items:
                          type: number
                        type: array
                      timeSize:
                        description: The size of the time window (in `timeUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.
                        type: number
                      timeUnit:
                        description: 'The type of units for the time window: seconds, minutes, hours, or days.'
                        type: string
                      warningComparator:
                        type: string
                      warningThreshold:
                        items:
                          description: The threshold value that is used with the `warningComparator`. If the `warningComparator` is `between`, you must specify the boundary values.
                          type: number
                        type: array
                    required:
                      - threshold
                      - comparator
                      - timeUnit
                      - timeSize
                      - aggType
                  - additionalProperties: false
                    type: object
                    properties:
                      aggType:
                        type: string
                      comparator:
                        type: string
                      metric:
                        type: string
                      threshold:
                        description: The threshold value that is used with the `comparator`. If the `comparator` is `between`, you must specify the boundary values.
                        items:
                          type: number
                        type: array
                      timeSize:
                        description: The size of the time window (in `timeUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.
                        type: number
                      timeUnit:
                        description: 'The type of units for the time window: seconds, minutes, hours, or days.'
                        type: string
                      warningComparator:
                        type: string
                      warningThreshold:
                        items:
                          description: The threshold value that is used with the `warningComparator`. If the `warningComparator` is `between`, you must specify the boundary values.
                          type: number
                        type: array
                    required:
                      - threshold
                      - comparator
                      - timeUnit
                      - timeSize
                      - metric
                      - aggType
                  - additionalProperties: false
                    type: object
                    properties:
                      aggType:
                        enum:
                          - custom
                        type: string
                      comparator:
                        type: string
                      customMetrics:
                        items:
                          anyOf:
                            - additionalProperties: false
                              type: object
                              properties:
                                aggType:
                                  type: string
                                field:
                                  type: string
                                name:
                                  type: string
                              required:
                                - name
                                - aggType
                                - field
                            - additionalProperties: false
                              type: object
                              properties:
                                aggType:
                                  enum:
                                    - count
                                  type: string
                                filter:
                                  type: string
                                name:
                                  type: string
                              required:
                                - name
                                - aggType
                        type: array
                      equation:
                        type: string
                      label:
                        type: string
                      threshold:
                        description: The threshold value that is used with the `comparator`. If the `comparator` is `between`, you must specify the boundary values.
                        items:
                          type: number
                        type: array
                      timeSize:
                        description: The size of the time window (in `timeUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.
                        type: number
                      timeUnit:
                        description: 'The type of units for the time window: seconds, minutes, hours, or days.'
                        type: string
                      warningComparator:
                        type: string
                      warningThreshold:
                        items:
                          description: The threshold value that is used with the `warningComparator`. If the `warningComparator` is `between`, you must specify the boundary values.
                          type: number
                        type: array
                    required:
                      - threshold
                      - comparator
                      - timeUnit
                      - timeSize
                      - aggType
                      - customMetrics
              type: array
            filterQuery:
              description: A query that limits the scope of the rule. The rule evaluates only metric data that matches the query.
              type: string
            groupBy:
              anyOf:
                - type: string
                - items:
                    type: string
                  type: array
              description: 'Create an alert for every unique value of the specified fields. For example, you can create a rule per host or every mount point of each host. IMPORTANT: If you include the same field in both the `filterQuery` and `groupBy`, you might receive fewer results than you expect. For example, if you filter by `cloud.region: us-east`, grouping by `cloud.region` will have no effect because the filter query can match only one region.'
            sourceId:
              type: string
          required:
            - criteria
            - sourceId
          title: Metric Threshold Rule Params
          type: object
        rule_type_id:
          enum:
            - metrics.alert.threshold
          type: string
        schedule:
          additionalProperties: false
          description: The check interval, which specifies how frequently the rule conditions are checked.
          type: object
          properties:
            interval:
              description: The interval is specified in seconds, minutes, hours, or days.
              type: string
          required:
            - interval
        tags:
          default: []
          description: The tags for the rule.
          items:
            type: string
          type: array
        throttle:
          description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          nullable: true
          type: string
      required:
        - name
        - consumer
        - schedule
        - rule_type_id
        - params
      title: Metric threshold
      type: object
    Kibana_HTTP_APIs_monitoring-alert-cluster-health-create-rule-body-alerting:
      additionalProperties: false
      properties:
        actions:
          default: []
          items:
            additionalProperties: false
            description: An action that runs under defined conditions.
            type: object
            properties:
              alerts_filter:
                additionalProperties: false
                description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
                type: object
                properties:
                  query:
                    additionalProperties: false
                    type: object
                    properties:
                      dsl:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
                        type: string
                      filters:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            $state:
                              additionalProperties: false
                              type: object
                              properties:
                                store:
                                  description: A filter can be either specific to an application context or applied globally.
                                  enum:
                                    - appState
                                    - globalState
                                  type: string
                              required:
                                - store
                            meta:
                              additionalProperties:
                                description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value".
                                nullable: true
                              type: object
                            query:
                              additionalProperties:
                                description: A query for the filter.
                                nullable: true
                              type: object
                          required:
                            - meta
                        type: array
                      kql:
                        description: A filter written in Kibana Query Language (KQL).
                        type: string
                    required:
                      - kql
                      - filters
                  timeframe:
                    additionalProperties: false
                    description: Defines a period that limits whether the action runs.
                    type: object
                    properties:
                      days:
                        description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
                        items:
                          enum:
                            - 1
                            - 2
                            - 3
                            - 4
                            - 5
                            - 6
                            - 7
                          type: integer
                        type: array
                      hours:
                        additionalProperties: false
                        description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.
                        type: object
                        properties:
                          end:
                            description: The end of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                          start:
                            description: The start of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                        required:
                          - start
                          - end
                      timezone:
                        description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight saving time support and are not recommended.
                        type: string
                    required:
                      - days
                      - hours
                      - timezone
              frequency:
                additionalProperties: false
                type: object
                properties:
                  notify_when:
                    description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    enum:
                      - onActionGroupChange
                      - onActiveAlert
                      - onThrottleInterval
                    type: string
                  summary:
                    description: Indicates whether the action is a summary.
                    type: boolean
                  throttle:
                    description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    nullable: true
                    type: string
                required:
                  - summary
                  - notify_when
                  - throttle
              group:
                description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
                type: string
              id:
                description: The identifier for the connector saved object.
                type: string
              params:
                additionalProperties:
                  nullable: true
                default: {}
                description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
                type: object
              use_alert_data_for_template:
                description: Indicates whether to use alert data as a template.
                type: boolean
              uuid:
                description: A universally unique identifier (UUID) for the action.
                type: string
            required:
              - id
          type: array
        alert_delay:
          additionalProperties: false
          description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
          type: object
          properties:
            active:
              description: The number of consecutive runs that must meet the rule conditions.
              type: number
          required:
            - active
        artifacts:
          additionalProperties: false
          type: object
          properties:
            dashboards:
              items:
                additionalProperties: false
                type: object
                properties:
                  id:
                    type: string
                required:
                  - id
              maxItems: 10
              type: array
            investigation_guide:
              additionalProperties: false
              type: object
              properties:
                blob:
                  maxLength: 10000
                  type: string
              required:
                - blob
        consumer:
          description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
          type: string
        enabled:
          default: true
          description: Indicates whether you want to run the rule on an interval basis after it is created.
          type: boolean
        flapping:
          additionalProperties: false
          description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
          nullable: true
          type: object
          properties:
            enabled:
              description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
              type: boolean
            look_back_window:
              description: The minimum number of runs in which the threshold must be met.
              maximum: 20
              minimum: 2
              type: number
            status_change_threshold:
              description: The minimum number of times an alert must switch states in the look back window.
              maximum: 20
              minimum: 2
              type: number
          required:
            - look_back_window
            - status_change_threshold
        name:
          description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
          type: string
        notify_when:
          description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          enum:
            - onActionGroupChange
            - onActiveAlert
            - onThrottleInterval
          nullable: true
          type: string
        params:
          additionalProperties: true
          description: The parameters for the cluster health rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_cluster_health`.
          properties:
            duration:
              type: string
            filterQuery:
              type: string
            filterQueryText:
              type: string
            limit:
              type: string
            threshold:
              type: number
          required:
            - duration
          title: Cluster Health Rule Params
          type: object
        rule_type_id:
          enum:
            - monitoring_alert_cluster_health
          type: string
        schedule:
          additionalProperties: false
          description: The check interval, which specifies how frequently the rule conditions are checked.
          type: object
          properties:
            interval:
              description: The interval is specified in seconds, minutes, hours, or days.
              type: string
          required:
            - interval
        tags:
          default: []
          description: The tags for the rule.
          items:
            type: string
          type: array
        throttle:
          description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          nullable: true
          type: string
      required:
        - name
        - consumer
        - schedule
        - rule_type_id
        - params
      title: Cluster health
      type: object
    Kibana_HTTP_APIs_monitoring-alert-cpu-usage-create-rule-body-alerting:
      additionalProperties: false
      properties:
        actions:
          default: []
          items:
            additionalProperties: false
            description: An action that runs under defined conditions.
            type: object
            properties:
              alerts_filter:
                additionalProperties: false
                description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
                type: object
                properties:
                  query:
                    additionalProperties: false
                    type: object
                    properties:
                      dsl:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
                        type: string
                      filters:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            $state:
                              additionalProperties: false
                              type: object
                              properties:
                                store:
                                  description: A filter can be either specific to an application context or applied globally.
                                  enum:
                                    - appState
                                    - globalState
                                  type: string
                              required:
                                - store
                            meta:
                              additionalProperties:
                                description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
                                nullable: true
                              type: object
                            query:
                              additionalProperties:
                                description: A query for the filter.
                                nullable: true
                              type: object
                          required:
                            - meta
                        type: array
                      kql:
                        description: A filter written in Kibana Query Language (KQL).
                        type: string
                    required:
                      - kql
                      - filters
                  timeframe:
                    additionalProperties: false
                    description: Defines a period that limits whether the action runs.
                    type: object
                    properties:
                      days:
                        description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
                        items:
                          enum:
                            - 1
                            - 2
                            - 3
                            - 4
                            - 5
                            - 6
                            - 7
                          type: integer
                        type: array
                      hours:
                        additionalProperties: false
                        description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.
                        type: object
                        properties:
                          end:
                            description: The end of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                          start:
                            description: The start of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                        required:
                          - start
                          - end
                      timezone:
                        description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight saving time support and are not recommended.
                        type: string
                    required:
                      - days
                      - hours
                      - timezone
              frequency:
                additionalProperties: false
                type: object
                properties:
                  notify_when:
                    description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    enum:
                      - onActionGroupChange
                      - onActiveAlert
                      - onThrottleInterval
                    type: string
                  summary:
                    description: Indicates whether the action is a summary.
                    type: boolean
                  throttle:
                    description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    nullable: true
                    type: string
                required:
                  - summary
                  - notify_when
                  - throttle
              group:
                description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
                type: string
              id:
                description: The identifier for the connector saved object.
                type: string
              params:
                additionalProperties:
                  nullable: true
                default: {}
                description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
                type: object
              use_alert_data_for_template:
                description: Indicates whether to use alert data as a template.
                type: boolean
              uuid:
                description: A universally unique identifier (UUID) for the action.
                type: string
            required:
              - id
          type: array
        alert_delay:
          additionalProperties: false
          description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
          type: object
          properties:
            active:
              description: The number of consecutive runs that must meet the rule conditions.
              type: number
          required:
            - active
        artifacts:
          additionalProperties: false
          type: object
          properties:
            dashboards:
              items:
                additionalProperties: false
                type: object
                properties:
                  id:
                    type: string
                required:
                  - id
              maxItems: 10
              type: array
            investigation_guide:
              additionalProperties: false
              type: object
              properties:
                blob:
                  maxLength: 10000
                  type: string
              required:
                - blob
        consumer:
          description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
          type: string
        enabled:
          default: true
          description: Indicates whether you want to run the rule on an interval basis after it is created.
          type: boolean
        flapping:
          additionalProperties: false
          description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
          nullable: true
          type: object
          properties:
            enabled:
              description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
              type: boolean
            look_back_window:
              description: The minimum number of runs in which the threshold must be met.
              maximum: 20
              minimum: 2
              type: number
            status_change_threshold:
              description: The minimum number of times an alert must switch states in the look back window.
              maximum: 20
              minimum: 2
              type: number
          required:
            - look_back_window
            - status_change_threshold
        name:
          description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
          type: string
        notify_when:
          description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          enum:
            - onActionGroupChange
            - onActiveAlert
            - onThrottleInterval
          nullable: true
          type: string
        params:
          additionalProperties: true
          description: The parameters for the CPU usage rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_cpu_usage`.
          properties:
            duration:
              type: string
            filterQuery:
              type: string
            filterQueryText:
              type: string
            limit:
              type: string
            threshold:
              type: number
          required:
            - duration
          title: CPU Usage Rule Params
          type: object
        rule_type_id:
          enum:
            - monitoring_alert_cpu_usage
          type: string
        schedule:
          additionalProperties: false
          description: The check interval, which specifies how frequently the rule conditions are checked.
          type: object
          properties:
            interval:
              description: The interval is specified in seconds, minutes, hours, or days.
              type: string
          required:
            - interval
        tags:
          default: []
          description: The tags for the rule.
          items:
            type: string
          type: array
        throttle:
          description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          nullable: true
          type: string
      required:
        - name
        - consumer
        - schedule
        - rule_type_id
        - params
      title: CPU usage
      type: object
    Kibana_HTTP_APIs_monitoring-alert-disk-usage-create-rule-body-alerting:
      additionalProperties: false
      properties:
        actions:
          default: []
          items:
            additionalProperties: false
            description: An action that runs under defined conditions.
            type: object
            properties:
              alerts_filter:
                additionalProperties: false
                description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
                type: object
                properties:
                  query:
                    additionalProperties: false
                    type: object
                    properties:
                      dsl:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
                        type: string
                      filters:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            $state:
                              additionalProperties: false
                              type: object
                              properties:
                                store:
                                  description: A filter can be either specific to an application context or applied globally.
                                  enum:
                                    - appState
                                    - globalState
                                  type: string
                              required:
                                - store
                            meta:
                              additionalProperties:
                                description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
                                nullable: true
                              type: object
                            query:
                              additionalProperties:
                                description: A query for the filter.
                                nullable: true
                              type: object
                          required:
                            - meta
                        type: array
                      kql:
                        description: A filter written in Kibana Query Language (KQL).
                        type: string
                    required:
                      - kql
                      - filters
                  timeframe:
                    additionalProperties: false
                    description: Defines a period that limits whether the action runs.
                    type: object
                    properties:
                      days:
                        description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
                        items:
                          enum:
                            - 1
                            - 2
                            - 3
                            - 4
                            - 5
                            - 6
                            - 7
                          type: integer
                        type: array
                      hours:
                        additionalProperties: false
                        description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.
                        type: object
                        properties:
                          end:
                            description: The end of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                          start:
                            description: The start of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                        required:
                          - start
                          - end
                      timezone:
                        description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight saving time support and are not recommended.
                        type: string
                    required:
                      - days
                      - hours
                      - timezone
              frequency:
                additionalProperties: false
                type: object
                properties:
                  notify_when:
                    description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    enum:
                      - onActionGroupChange
                      - onActiveAlert
                      - onThrottleInterval
                    type: string
                  summary:
                    description: Indicates whether the action is a summary.
                    type: boolean
                  throttle:
                    description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    nullable: true
                    type: string
                required:
                  - summary
                  - notify_when
                  - throttle
              group:
                description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
                type: string
              id:
                description: The identifier for the connector saved object.
                type: string
              params:
                additionalProperties:
                  nullable: true
                default: {}
                description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
                type: object
              use_alert_data_for_template:
                description: Indicates whether to use alert data as a template.
                type: boolean
              uuid:
                description: A universally unique identifier (UUID) for the action.
                type: string
            required:
              - id
          type: array
        alert_delay:
          additionalProperties: false
          description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
          type: object
          properties:
            active:
              description: The number of consecutive runs that must meet the rule conditions.
              type: number
          required:
            - active
        artifacts:
          additionalProperties: false
          type: object
          properties:
            dashboards:
              items:
                additionalProperties: false
                type: object
                properties:
                  id:
                    type: string
                required:
                  - id
              maxItems: 10
              type: array
            investigation_guide:
              additionalProperties: false
              type: object
              properties:
                blob:
                  maxLength: 10000
                  type: string
              required:
                - blob
        consumer:
          description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
          type: string
        enabled:
          default: true
          description: Indicates whether you want to run the rule on an interval basis after it is created.
          type: boolean
        flapping:
          additionalProperties: false
          description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
          nullable: true
          type: object
          properties:
            enabled:
              description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
              type: boolean
            look_back_window:
              description: The minimum number of runs in which the threshold must be met.
              maximum: 20
              minimum: 2
              type: number
            status_change_threshold:
              description: The minimum number of times an alert must switch states in the look back window.
              maximum: 20
              minimum: 2
              type: number
          required:
            - look_back_window
            - status_change_threshold
        name:
          description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
          type: string
        notify_when:
          description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          enum:
            - onActionGroupChange
            - onActiveAlert
            - onThrottleInterval
          nullable: true
          type: string
        params:
          additionalProperties: true
          description: The parameters for the disk usage rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_disk_usage`.
          properties:
            duration:
              type: string
            filterQuery:
              type: string
            filterQueryText:
              type: string
            limit:
              type: string
            threshold:
              type: number
          required:
            - duration
          title: Disk Usage Rule Params
          type: object
        rule_type_id:
          enum:
            - monitoring_alert_disk_usage
          type: string
        schedule:
          additionalProperties: false
          description: The check interval, which specifies how frequently the rule conditions are checked.
          type: object
          properties:
            interval:
              description: The interval is specified in seconds, minutes, hours, or days.
              type: string
          required:
            - interval
        tags:
          default: []
          description: The tags for the rule.
          items:
            type: string
          type: array
        throttle:
          description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          nullable: true
          type: string
      required:
        - name
        - consumer
        - schedule
        - rule_type_id
        - params
      title: Disk usage
      type: object
    Kibana_HTTP_APIs_monitoring-alert-elasticsearch-version-mismatch-create-rule-body-alerting:
      additionalProperties: false
      properties:
        actions:
          default: []
          items:
            additionalProperties: false
            description: An action that runs under defined conditions.
            type: object
            properties:
              alerts_filter:
                additionalProperties: false
                description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
                type: object
                properties:
                  query:
                    additionalProperties: false
                    type: object
                    properties:
                      dsl:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
                        type: string
                      filters:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            $state:
                              additionalProperties: false
                              type: object
                              properties:
                                store:
                                  description: A filter can be either specific to an application context or applied globally.
                                  enum:
                                    - appState
                                    - globalState
                                  type: string
                              required:
                                - store
                            meta:
                              additionalProperties:
                                description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
                                nullable: true
                              type: object
                            query:
                              additionalProperties:
                                description: A query for the filter.
                                nullable: true
                              type: object
                          required:
                            - meta
                        type: array
                      kql:
                        description: A filter written in Kibana Query Language (KQL).
                        type: string
                    required:
                      - kql
                      - filters
                  timeframe:
                    additionalProperties: false
                    description: Defines a period that limits whether the action runs.
                    type: object
                    properties:
                      days:
                        description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
                        items:
                          enum:
                            - 1
                            - 2
                            - 3
                            - 4
                            - 5
                            - 6
                            - 7
                          type: integer
                        type: array
                      hours:
                        additionalProperties: false
                        description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.
                        type: object
                        properties:
                          end:
                            description: The end of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                          start:
                            description: The start of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                        required:
                          - start
                          - end
                      timezone:
                        description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight saving time support and are not recommended.
                        type: string
                    required:
                      - days
                      - hours
                      - timezone
              frequency:
                additionalProperties: false
                type: object
                properties:
                  notify_when:
                    description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    enum:
                      - onActionGroupChange
                      - onActiveAlert
                      - onThrottleInterval
                    type: string
                  summary:
                    description: Indicates whether the action is a summary.
                    type: boolean
                  throttle:
                    description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    nullable: true
                    type: string
                required:
                  - summary
                  - notify_when
                  - throttle
              group:
                description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
                type: string
              id:
                description: The identifier for the connector saved object.
                type: string
              params:
                additionalProperties:
                  nullable: true
                default: {}
                description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
                type: object
              use_alert_data_for_template:
                description: Indicates whether to use alert data as a template.
                type: boolean
              uuid:
                description: A universally unique identifier (UUID) for the action.
                type: string
            required:
              - id
          type: array
        alert_delay:
          additionalProperties: false
          description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
          type: object
          properties:
            active:
              description: The number of consecutive runs that must meet the rule conditions.
              type: number
          required:
            - active
        artifacts:
          additionalProperties: false
          type: object
          properties:
            dashboards:
              items:
                additionalProperties: false
                type: object
                properties:
                  id:
                    type: string
                required:
                  - id
              maxItems: 10
              type: array
            investigation_guide:
              additionalProperties: false
              type: object
              properties:
                blob:
                  maxLength: 10000
                  type: string
              required:
                - blob
        consumer:
          description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
          type: string
        enabled:
          default: true
          description: Indicates whether you want to run the rule on an interval basis after it is created.
          type: boolean
        flapping:
          additionalProperties: false
          description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
          nullable: true
          type: object
          properties:
            enabled:
              description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
              type: boolean
            look_back_window:
              description: The minimum number of runs in which the threshold must be met.
              maximum: 20
              minimum: 2
              type: number
            status_change_threshold:
              description: The minimum number of times an alert must switch states in the look back window.
              maximum: 20
              minimum: 2
              type: number
          required:
            - look_back_window
            - status_change_threshold
        name:
          description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
          type: string
        notify_when:
          description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          enum:
            - onActionGroupChange
            - onActiveAlert
            - onThrottleInterval
          nullable: true
          type: string
        params:
          additionalProperties: true
          description: The parameters for the ES version mismatch rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_elasticsearch_version_mismatch`.
          properties:
            duration:
              type: string
            filterQuery:
              type: string
            filterQueryText:
              type: string
            limit:
              type: string
            threshold:
              type: number
          required:
            - duration
          title: ES Version Mismatch Rule Params
          type: object
        rule_type_id:
          enum:
            - monitoring_alert_elasticsearch_version_mismatch
          type: string
        schedule:
          additionalProperties: false
          description: The check interval, which specifies how frequently the rule conditions are checked.
          type: object
          properties:
            interval:
              description: The interval is specified in seconds, minutes, hours, or days.
              type: string
          required:
            - interval
        tags:
          default: []
          description: The tags for the rule.
          items:
            type: string
          type: array
        throttle:
          description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          nullable: true
          type: string
      required:
        - name
        - consumer
        - schedule
        - rule_type_id
        - params
      title: Elasticsearch version mismatch
      type: object
    Kibana_HTTP_APIs_monitoring-alert-jvm-memory-usage-create-rule-body-alerting:
      additionalProperties: false
      properties:
        actions:
          default: []
          items:
            additionalProperties: false
            description: An action that runs under defined conditions.
            type: object
            properties:
              alerts_filter:
                additionalProperties: false
                description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
                type: object
                properties:
                  query:
                    additionalProperties: false
                    type: object
                    properties:
                      dsl:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
                        type: string
                      filters:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            $state:
                              additionalProperties: false
                              type: object
                              properties:
                                store:
                                  description: A filter can be either specific to an application context or applied globally.
                                  enum:
                                    - appState
                                    - globalState
                                  type: string
                              required:
                                - store
                            meta:
                              additionalProperties:
                                description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
                                nullable: true
                              type: object
                            query:
                              additionalProperties:
                                description: A query for the filter.
                                nullable: true
                              type: object
                          required:
                            - meta
                        type: array
                      kql:
                        description: A filter written in Kibana Query Language (KQL).
                        type: string
                    required:
                      - kql
                      - filters
                  timeframe:
                    additionalProperties: false
                    description: Defines a period that limits whether the action runs.
                    type: object
                    properties:
                      days:
                        description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
                        items:
                          enum:
                            - 1
                            - 2
                            - 3
                            - 4
                            - 5
                            - 6
                            - 7
                          type: integer
                        type: array
                      hours:
                        additionalProperties: false
                        description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.
                        type: object
                        properties:
                          end:
                            description: The end of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                          start:
                            description: The start of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                        required:
                          - start
                          - end
                      timezone:
                        description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight saving time support and are not recommended.
                        type: string
                    required:
                      - days
                      - hours
                      - timezone
              frequency:
                additionalProperties: false
                type: object
                properties:
                  notify_when:
                    description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    enum:
                      - onActionGroupChange
                      - onActiveAlert
                      - onThrottleInterval
                    type: string
                  summary:
                    description: Indicates whether the action is a summary.
                    type: boolean
                  throttle:
                    description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    nullable: true
                    type: string
                required:
                  - summary
                  - notify_when
                  - throttle
              group:
                description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
                type: string
              id:
                description: The identifier for the connector saved object.
                type: string
              params:
                additionalProperties:
                  nullable: true
                default: {}
                description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
                type: object
              use_alert_data_for_template:
                description: Indicates whether to use alert data as a template.
                type: boolean
              uuid:
                description: A universally unique identifier (UUID) for the action.
                type: string
            required:
              - id
          type: array
        alert_delay:
          additionalProperties: false
          description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
          type: object
          properties:
            active:
              description: The number of consecutive runs that must meet the rule conditions.
              type: number
          required:
            - active
        artifacts:
          additionalProperties: false
          type: object
          properties:
            dashboards:
              items:
                additionalProperties: false
                type: object
                properties:
                  id:
                    type: string
                required:
                  - id
              maxItems: 10
              type: array
            investigation_guide:
              additionalProperties: false
              type: object
              properties:
                blob:
                  maxLength: 10000
                  type: string
              required:
                - blob
        consumer:
          description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
          type: string
        enabled:
          default: true
          description: Indicates whether you want to run the rule on an interval basis after it is created.
          type: boolean
        flapping:
          additionalProperties: false
          description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
          nullable: true
          type: object
          properties:
            enabled:
              description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
              type: boolean
            look_back_window:
              description: The minimum number of runs in which the threshold must be met.
              maximum: 20
              minimum: 2
              type: number
            status_change_threshold:
              description: The minimum number of times an alert must switch states in the look back window.
              maximum: 20
              minimum: 2
              type: number
          required:
            - look_back_window
            - status_change_threshold
        name:
          description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
          type: string
        notify_when:
          description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          enum:
            - onActionGroupChange
            - onActiveAlert
            - onThrottleInterval
          nullable: true
          type: string
        params:
          additionalProperties: true
          description: The parameters for the memory usage rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_jvm_memory_usage`.
          properties:
            duration:
              type: string
            filterQuery:
              type: string
            filterQueryText:
              type: string
            limit:
              type: string
            threshold:
              type: number
          required:
            - duration
          title: Memory Usage Rule Params
          type: object
        rule_type_id:
          enum:
            - monitoring_alert_jvm_memory_usage
          type: string
        schedule:
          additionalProperties: false
          description: The check interval, which specifies how frequently the rule conditions are checked.
          type: object
          properties:
            interval:
              description: The interval is specified in seconds, minutes, hours, or days.
              type: string
          required:
            - interval
        tags:
          default: []
          description: The tags for the rule.
          items:
            type: string
          type: array
        throttle:
          description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          nullable: true
          type: string
      required:
        - name
        - consumer
        - schedule
        - rule_type_id
        - params
      title: JVM memory usage
      type: object
    Kibana_HTTP_APIs_monitoring-alert-kibana-version-mismatch-create-rule-body-alerting:
      additionalProperties: false
      properties:
        actions:
          default: []
          items:
            additionalProperties: false
            description: An action that runs under defined conditions.
            type: object
            properties:
              alerts_filter:
                additionalProperties: false
                description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
                type: object
                properties:
                  query:
                    additionalProperties: false
                    type: object
                    properties:
                      dsl:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
                        type: string
                      filters:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            $state:
                              additionalProperties: false
                              type: object
                              properties:
                                store:
                                  description: A filter can be either specific to an application context or applied globally.
                                  enum:
                                    - appState
                                    - globalState
                                  type: string
                              required:
                                - store
                            meta:
                              additionalProperties:
                                description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value".
                                nullable: true
                              type: object
                            query:
                              additionalProperties:
                                description: A query for the filter.
                                nullable: true
                              type: object
                          required:
                            - meta
                        type: array
                      kql:
                        description: A filter written in Kibana Query Language (KQL).
                        type: string
                    required:
                      - kql
                      - filters
                  timeframe:
                    additionalProperties: false
                    description: Defines a period that limits whether the action runs.
                    type: object
                    properties:
                      days:
                        description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
                        items:
                          enum:
                            - 1
                            - 2
                            - 3
                            - 4
                            - 5
                            - 6
                            - 7
                          type: integer
                        type: array
                      hours:
                        additionalProperties: false
                        description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.
                        type: object
                        properties:
                          end:
                            description: The end of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                          start:
                            description: The start of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                        required:
                          - start
                          - end
                      timezone:
                        description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight saving time support and are not recommended.
                        type: string
                    required:
                      - days
                      - hours
                      - timezone
              frequency:
                additionalProperties: false
                type: object
                properties:
                  notify_when:
                    description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    enum:
                      - onActionGroupChange
                      - onActiveAlert
                      - onThrottleInterval
                    type: string
                  summary:
                    description: Indicates whether the action is a summary.
                    type: boolean
                  throttle:
                    description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    nullable: true
                    type: string
                required:
                  - summary
                  - notify_when
                  - throttle
              group:
                description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
                type: string
              id:
                description: The identifier for the connector saved object.
                type: string
              params:
                additionalProperties:
                  nullable: true
                default: {}
                description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
                type: object
              use_alert_data_for_template:
                description: Indicates whether to use alert data as a template.
                type: boolean
              uuid:
                description: A universally unique identifier (UUID) for the action.
                type: string
            required:
              - id
          type: array
        alert_delay:
          additionalProperties: false
          description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
          type: object
          properties:
            active:
              description: The number of consecutive runs that must meet the rule conditions.
              type: number
          required:
            - active
        artifacts:
          additionalProperties: false
          type: object
          properties:
            dashboards:
              items:
                additionalProperties: false
                type: object
                properties:
                  id:
                    type: string
                required:
                  - id
              maxItems: 10
              type: array
            investigation_guide:
              additionalProperties: false
              type: object
              properties:
                blob:
                  maxLength: 10000
                  type: string
              required:
                - blob
        consumer:
          description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
          type: string
        enabled:
          default: true
          description: Indicates whether you want to run the rule on an interval basis after it is created.
          type: boolean
        flapping:
          additionalProperties: false
          description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
          nullable: true
          type: object
          properties:
            enabled:
              description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
              type: boolean
            look_back_window:
              description: The minimum number of runs in which the threshold must be met.
              maximum: 20
              minimum: 2
              type: number
            status_change_threshold:
              description: The minimum number of times an alert must switch states in the look back window.
              maximum: 20
              minimum: 2
              type: number
          required:
            - look_back_window
            - status_change_threshold
        name:
          description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
          type: string
        notify_when:
          description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          enum:
            - onActionGroupChange
            - onActiveAlert
            - onThrottleInterval
          nullable: true
          type: string
        params:
          additionalProperties: true
          description: The parameters for the Kibana version mismatch rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_kibana_version_mismatch`.
          properties:
            duration:
              type: string
            filterQuery:
              type: string
            filterQueryText:
              type: string
            limit:
              type: string
            threshold:
              type: number
          required:
            - duration
          title: Kibana Version Mismatch Rule Params
          type: object
        rule_type_id:
          enum:
            - monitoring_alert_kibana_version_mismatch
          type: string
        schedule:
          additionalProperties: false
          description: The check interval, which specifies how frequently the rule conditions are checked.
          type: object
          properties:
            interval:
              description: The interval is specified in seconds, minutes, hours, or days.
              type: string
          required:
            - interval
        tags:
          default: []
          description: The tags for the rule.
          items:
            type: string
          type: array
        throttle:
          description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          nullable: true
          type: string
      required:
        - name
        - consumer
        - schedule
        - rule_type_id
        - params
      title: Kibana version mismatch
      type: object
    Kibana_HTTP_APIs_monitoring-alert-license-expiration-create-rule-body-alerting:
      additionalProperties: false
      properties:
        actions:
          default: []
          items:
            additionalProperties: false
            description: An action that runs under defined conditions.
            type: object
            properties:
              alerts_filter:
                additionalProperties: false
                description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
                type: object
                properties:
                  query:
                    additionalProperties: false
                    type: object
                    properties:
                      dsl:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
                        type: string
                      filters:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            $state:
                              additionalProperties: false
                              type: object
                              properties:
                                store:
                                  description: A filter can be either specific to an application context or applied globally.
                                  enum:
                                    - appState
                                    - globalState
                                  type: string
                              required:
                                - store
                            meta:
                              additionalProperties:
                                description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value".
                                nullable: true
                              type: object
                            query:
                              additionalProperties:
                                description: A query for the filter.
                                nullable: true
                              type: object
                          required:
                            - meta
                        type: array
                      kql:
                        description: A filter written in Kibana Query Language (KQL).
                        type: string
                    required:
                      - kql
                      - filters
                  timeframe:
                    additionalProperties: false
                    description: Defines a period that limits whether the action runs.
                    type: object
                    properties:
                      days:
                        description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
                        items:
                          enum:
                            - 1
                            - 2
                            - 3
                            - 4
                            - 5
                            - 6
                            - 7
                          type: integer
                        type: array
                      hours:
                        additionalProperties: false
                        description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.
                        type: object
                        properties:
                          end:
                            description: The end of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                          start:
                            description: The start of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                        required:
                          - start
                          - end
                      timezone:
                        description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight saving time support and are not recommended.
                        type: string
                    required:
                      - days
                      - hours
                      - timezone
              frequency:
                additionalProperties: false
                type: object
                properties:
                  notify_when:
                    description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    enum:
                      - onActionGroupChange
                      - onActiveAlert
                      - onThrottleInterval
                    type: string
                  summary:
                    description: Indicates whether the action is a summary.
                    type: boolean
                  throttle:
                    description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    nullable: true
                    type: string
                required:
                  - summary
                  - notify_when
                  - throttle
              group:
                description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
                type: string
              id:
                description: The identifier for the connector saved object.
                type: string
              params:
                additionalProperties:
                  nullable: true
                default: {}
                description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
                type: object
              use_alert_data_for_template:
                description: Indicates whether to use alert data as a template.
                type: boolean
              uuid:
                description: A universally unique identifier (UUID) for the action.
                type: string
            required:
              - id
          type: array
        alert_delay:
          additionalProperties: false
          description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
          type: object
          properties:
            active:
              description: The number of consecutive runs that must meet the rule conditions.
              type: number
          required:
            - active
        artifacts:
          additionalProperties: false
          type: object
          properties:
            dashboards:
              items:
                additionalProperties: false
                type: object
                properties:
                  id:
                    type: string
                required:
                  - id
              maxItems: 10
              type: array
            investigation_guide:
              additionalProperties: false
              type: object
              properties:
                blob:
                  maxLength: 10000
                  type: string
              required:
                - blob
        consumer:
          description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
          type: string
        enabled:
          default: true
          description: Indicates whether you want to run the rule on an interval basis after it is created.
          type: boolean
        flapping:
          additionalProperties: false
          description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
          nullable: true
          type: object
          properties:
            enabled:
              description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
              type: boolean
            look_back_window:
              description: The minimum number of runs in which the threshold must be met.
              maximum: 20
              minimum: 2
              type: number
            status_change_threshold:
              description: The minimum number of times an alert must switch states in the look back window.
              maximum: 20
              minimum: 2
              type: number
          required:
            - look_back_window
            - status_change_threshold
        name:
          description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
          type: string
        notify_when:
          description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          enum:
            - onActionGroupChange
            - onActiveAlert
            - onThrottleInterval
          nullable: true
          type: string
        params:
          additionalProperties: true
          description: The parameters for the license expiration rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_license_expiration`.
          properties:
            duration:
              type: string
            filterQuery:
              type: string
            filterQueryText:
              type: string
            limit:
              type: string
            threshold:
              type: number
          required:
            - duration
          title: License Expiration Rule Params
          type: object
        rule_type_id:
          enum:
            - monitoring_alert_license_expiration
          type: string
        schedule:
          additionalProperties: false
          description: The check interval, which specifies how frequently the rule conditions are checked.
          type: object
          properties:
            interval:
              description: The interval is specified in seconds, minutes, hours, or days.
              type: string
          required:
            - interval
        tags:
          default: []
          description: The tags for the rule.
          items:
            type: string
          type: array
        throttle:
          description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          nullable: true
          type: string
      required:
        - name
        - consumer
        - schedule
        - rule_type_id
        - params
      title: License expiration
      type: object
    Kibana_HTTP_APIs_monitoring-alert-logstash-version-mismatch-create-rule-body-alerting:
      additionalProperties: false
      properties:
        actions:
          default: []
          items:
            additionalProperties: false
            description: An action that runs under defined conditions.
            type: object
            properties:
              alerts_filter:
                additionalProperties: false
                description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
                type: object
                properties:
                  query:
                    additionalProperties: false
                    type: object
                    properties:
                      dsl:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
                        type: string
                      filters:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            $state:
                              additionalProperties: false
                              type: object
                              properties:
                                store:
                                  description: A filter can be either specific to an application context or applied globally.
                                  enum:
                                    - appState
                                    - globalState
                                  type: string
                              required:
                                - store
                            meta:
                              additionalProperties:
                                description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value".
                                nullable: true
                              type: object
                            query:
                              additionalProperties:
                                description: A query for the filter.
                                nullable: true
                              type: object
                          required:
                            - meta
                        type: array
                      kql:
                        description: A filter written in Kibana Query Language (KQL).
                        type: string
                    required:
                      - kql
                      - filters
                  timeframe:
                    additionalProperties: false
                    description: Defines a period that limits whether the action runs.
                    type: object
                    properties:
                      days:
                        description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
                        items:
                          enum:
                            - 1
                            - 2
                            - 3
                            - 4
                            - 5
                            - 6
                            - 7
                          type: integer
                        type: array
                      hours:
                        additionalProperties: false
                        description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.
                        type: object
                        properties:
                          end:
                            description: The end of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                          start:
                            description: The start of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                        required:
                          - start
                          - end
                      timezone:
                        description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight saving time support and are not recommended.
                        type: string
                    required:
                      - days
                      - hours
                      - timezone
              frequency:
                additionalProperties: false
                type: object
                properties:
                  notify_when:
                    description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    enum:
                      - onActionGroupChange
                      - onActiveAlert
                      - onThrottleInterval
                    type: string
                  summary:
                    description: Indicates whether the action is a summary.
                    type: boolean
                  throttle:
                    description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    nullable: true
                    type: string
                required:
                  - summary
                  - notify_when
                  - throttle
              group:
                description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
                type: string
              id:
                description: The identifier for the connector saved object.
                type: string
              params:
                additionalProperties:
                  nullable: true
                default: {}
                description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
                type: object
              use_alert_data_for_template:
                description: Indicates whether to use alert data as a template.
                type: boolean
              uuid:
                description: A universally unique identifier (UUID) for the action.
                type: string
            required:
              - id
          type: array
        alert_delay:
          additionalProperties: false
          description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
          type: object
          properties:
            active:
              description: The number of consecutive runs that must meet the rule conditions.
              type: number
          required:
            - active
        artifacts:
          additionalProperties: false
          type: object
          properties:
            dashboards:
              items:
                additionalProperties: false
                type: object
                properties:
                  id:
                    type: string
                required:
                  - id
              maxItems: 10
              type: array
            investigation_guide:
              additionalProperties: false
              type: object
              properties:
                blob:
                  maxLength: 10000
                  type: string
              required:
                - blob
        consumer:
          description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
          type: string
        enabled:
          default: true
          description: Indicates whether you want to run the rule on an interval basis after it is created.
          type: boolean
        flapping:
          additionalProperties: false
          description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
          nullable: true
          type: object
          properties:
            enabled:
              description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
              type: boolean
            look_back_window:
              description: The minimum number of runs in which the threshold must be met.
              maximum: 20
              minimum: 2
              type: number
            status_change_threshold:
              description: The minimum number of times an alert must switch states in the look back window.
              maximum: 20
              minimum: 2
              type: number
          required:
            - look_back_window
            - status_change_threshold
        name:
          description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
          type: string
        notify_when:
          description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          enum:
            - onActionGroupChange
            - onActiveAlert
            - onThrottleInterval
          nullable: true
          type: string
        params:
          additionalProperties: true
          description: The parameters for the Logstash version mismatch rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_logstash_version_mismatch`.
          properties:
            duration:
              type: string
            filterQuery:
              type: string
            filterQueryText:
              type: string
            limit:
              type: string
            threshold:
              type: number
          required:
            - duration
          title: Logstash Version Mismatch Rule Params
          type: object
        rule_type_id:
          enum:
            - monitoring_alert_logstash_version_mismatch
          type: string
        schedule:
          additionalProperties: false
          description: The check interval, which specifies how frequently the rule conditions are checked.
          type: object
          properties:
            interval:
              description: The interval is specified in seconds, minutes, hours, or days.
              type: string
          required:
            - interval
        tags:
          default: []
          description: The tags for the rule.
          items:
            type: string
          type: array
        throttle:
          description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          nullable: true
          type: string
      required:
        - name
        - consumer
        - schedule
        - rule_type_id
        - params
      title: Logstash version mismatch
      type: object
    Kibana_HTTP_APIs_monitoring-alert-missing-monitoring-data-create-rule-body-alerting:
      additionalProperties: false
      properties:
        actions:
          default: []
          items:
            additionalProperties: false
            description: An action that runs under defined conditions.
            type: object
            properties:
              alerts_filter:
                additionalProperties: false
                description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
                type: object
                properties:
                  query:
                    additionalProperties: false
                    type: object
                    properties:
                      dsl:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
                        type: string
                      filters:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            $state:
                              additionalProperties: false
                              type: object
                              properties:
                                store:
                                  description: A filter can be either specific to an application context or applied globally.
                                  enum:
                                    - appState
                                    - globalState
                                  type: string
                              required:
                                - store
                            meta:
                              additionalProperties:
                                description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
                                nullable: true
                              type: object
                            query:
                              additionalProperties:
                                description: A query for the filter.
                                nullable: true
                              type: object
                          required:
                            - meta
                        type: array
                      kql:
                        description: A filter written in Kibana Query Language (KQL).
                        type: string
                    required:
                      - kql
                      - filters
                  timeframe:
                    additionalProperties: false
                    description: Defines a period that limits whether the action runs.
                    type: object
                    properties:
                      days:
                        description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
                        items:
                          enum:
                            - 1
                            - 2
                            - 3
                            - 4
                            - 5
                            - 6
                            - 7
                          type: integer
                        type: array
                      hours:
                        additionalProperties: false
                        description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions are generated all day.
                        type: object
                        properties:
                          end:
                            description: The end of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                          start:
                            description: The start of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                        required:
                          - start
                          - end
                      timezone:
                        description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight saving time support and are not recommended.
                        type: string
                    required:
                      - days
                      - hours
                      - timezone
              frequency:
                additionalProperties: false
                type: object
                properties:
                  notify_when:
                    description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    enum:
                      - onActionGroupChange
                      - onActiveAlert
                      - onThrottleInterval
                    type: string
                  summary:
                    description: Indicates whether the action is a summary.
                    type: boolean
                  throttle:
                    description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    nullable: true
                    type: string
                required:
                  - summary
                  - notify_when
                  - throttle
              group:
                description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
                type: string
              id:
                description: The identifier for the connector saved object.
                type: string
              params:
                additionalProperties:
                  nullable: true
                default: {}
                description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
                type: object
              use_alert_data_for_template:
                description: Indicates whether to use alert data as a template.
                type: boolean
              uuid:
                description: A universally unique identifier (UUID) for the action.
                type: string
            required:
              - id
          type: array
        alert_delay:
          additionalProperties: false
          description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
          type: object
          properties:
            active:
              description: The number of consecutive runs that must meet the rule conditions.
              type: number
          required:
            - active
        artifacts:
          additionalProperties: false
          type: object
          properties:
            dashboards:
              items:
                additionalProperties: false
                type: object
                properties:
                  id:
                    type: string
                required:
                  - id
              maxItems: 10
              type: array
            investigation_guide:
              additionalProperties: false
              type: object
              properties:
                blob:
                  maxLength: 10000
                  type: string
              required:
                - blob
        consumer:
          description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
          type: string
        enabled:
          default: true
          description: Indicates whether you want to run the rule on an interval basis after it is created.
          type: boolean
        flapping:
          additionalProperties: false
          description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
          nullable: true
          type: object
          properties:
            enabled:
              description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
              type: boolean
            look_back_window:
              description: The minimum number of runs in which the threshold must be met.
              maximum: 20
              minimum: 2
              type: number
            status_change_threshold:
              description: The minimum number of times an alert must switch states in the look back window.
              maximum: 20
              minimum: 2
              type: number
          required:
            - look_back_window
            - status_change_threshold
        name:
          description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
          type: string
        notify_when:
          description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          enum:
            - onActionGroupChange
            - onActiveAlert
            - onThrottleInterval
          nullable: true
          type: string
        params:
          additionalProperties: true
          description: The parameters for the missing monitoring data rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_missing_monitoring_data`.
          properties:
            duration:
              type: string
            filterQuery:
              type: string
            filterQueryText:
              type: string
            limit:
              type: string
            threshold:
              type: number
          required:
            - duration
          title: Missing Monitoring Data Rule Params
          type: object
        rule_type_id:
          enum:
            - monitoring_alert_missing_monitoring_data
          type: string
        schedule:
          additionalProperties: false
          description: The check interval, which specifies how frequently the rule conditions are checked.
          type: object
          properties:
            interval:
              description: The interval is specified in seconds, minutes, hours, or days.
              type: string
          required:
            - interval
        tags:
          default: []
          description: The tags for the rule.
          items:
            type: string
          type: array
        throttle:
          description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          nullable: true
          type: string
      required:
        - name
        - consumer
        - schedule
        - rule_type_id
        - params
      title: Missing monitoring data
      type: object
    Kibana_HTTP_APIs_monitoring-alert-nodes-changed-create-rule-body-alerting:
      additionalProperties: false
      properties:
        actions:
          default: []
          items:
            additionalProperties: false
            description: An action that runs under defined conditions.
            type: object
            properties:
              alerts_filter:
                additionalProperties: false
                description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
                type: object
                properties:
                  query:
                    additionalProperties: false
                    type: object
                    properties:
                      dsl:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
                        type: string
                      filters:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            $state:
                              additionalProperties: false
                              type: object
                              properties:
                                store:
                                  description: A filter can be either specific to an application context or applied globally.
                                  enum:
                                    - appState
                                    - globalState
                                  type: string
                              required:
                                - store
                            meta:
                              additionalProperties:
                                description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
                                nullable: true
                              type: object
                            query:
                              additionalProperties:
                                description: A query for the filter.
                                nullable: true
                              type: object
                          required:
                            - meta
                        type: array
                      kql:
                        description: A filter written in Kibana Query Language (KQL).
                        type: string
                    required:
                      - kql
                      - filters
                  timeframe:
                    additionalProperties: false
                    description: Defines a period that limits whether the action runs.
                    type: object
                    properties:
                      days:
                        description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
                        items:
                          enum:
                            - 1
                            - 2
                            - 3
                            - 4
                            - 5
                            - 6
                            - 7
                          type: integer
                        type: array
                      hours:
                        additionalProperties: false
                        description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions are generated all day.
                        type: object
                        properties:
                          end:
                            description: The end of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                          start:
                            description: The start of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                        required:
                          - start
                          - end
                      timezone:
                        description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight saving time support and are not recommended.
                        type: string
                    required:
                      - days
                      - hours
                      - timezone
              frequency:
                additionalProperties: false
                type: object
                properties:
                  notify_when:
                    description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    enum:
                      - onActionGroupChange
                      - onActiveAlert
                      - onThrottleInterval
                    type: string
                  summary:
                    description: Indicates whether the action is a summary.
                    type: boolean
                  throttle:
                    description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    nullable: true
                    type: string
                required:
                  - summary
                  - notify_when
                  - throttle
              group:
                description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
                type: string
              id:
                description: The identifier for the connector saved object.
                type: string
              params:
                additionalProperties:
                  nullable: true
                default: {}
                description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
                type: object
              use_alert_data_for_template:
                description: Indicates whether to use alert data as a template.
                type: boolean
              uuid:
                description: A universally unique identifier (UUID) for the action.
                type: string
            required:
              - id
          type: array
        alert_delay:
          additionalProperties: false
          description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
          type: object
          properties:
            active:
              description: The number of consecutive runs that must meet the rule conditions.
              type: number
          required:
            - active
        artifacts:
          additionalProperties: false
          type: object
          properties:
            dashboards:
              items:
                additionalProperties: false
                type: object
                properties:
                  id:
                    type: string
                required:
                  - id
              maxItems: 10
              type: array
            investigation_guide:
              additionalProperties: false
              type: object
              properties:
                blob:
                  maxLength: 10000
                  type: string
              required:
                - blob
        consumer:
          description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
          type: string
        enabled:
          default: true
          description: Indicates whether you want to run the rule on an interval basis after it is created.
          type: boolean
        flapping:
          additionalProperties: false
          description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
          nullable: true
          type: object
          properties:
            enabled:
              description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
              type: boolean
            look_back_window:
              description: The minimum number of runs in which the threshold must be met.
              maximum: 20
              minimum: 2
              type: number
            status_change_threshold:
              description: The minimum number of times an alert must switch states in the look back window.
              maximum: 20
              minimum: 2
              type: number
          required:
            - look_back_window
            - status_change_threshold
        name:
          description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
          type: string
        notify_when:
          description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          enum:
            - onActionGroupChange
            - onActiveAlert
            - onThrottleInterval
          nullable: true
          type: string
        params:
          additionalProperties: true
          description: The parameters for the nodes changed rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_nodes_changed`.
          properties:
            duration:
              type: string
            filterQuery:
              type: string
            filterQueryText:
              type: string
            limit:
              type: string
            threshold:
              type: number
          required:
            - duration
          title: Nodes Changed Rule Params
          type: object
        rule_type_id:
          enum:
            - monitoring_alert_nodes_changed
          type: string
        schedule:
          additionalProperties: false
          description: The check interval, which specifies how frequently the rule conditions are checked.
          type: object
          properties:
            interval:
              description: The interval is specified in seconds, minutes, hours, or days.
              type: string
          required:
            - interval
        tags:
          default: []
          description: The tags for the rule.
          items:
            type: string
          type: array
        throttle:
          description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          nullable: true
          type: string
      required:
        - name
        - consumer
        - schedule
        - rule_type_id
        - params
      title: Nodes changed
      type: object
    Kibana_HTTP_APIs_monitoring-alert-thread-pool-search-rejections-create-rule-body-alerting:
      additionalProperties: false
      properties:
        actions:
          default: []
          items:
            additionalProperties: false
            description: An action that runs under defined conditions.
            type: object
            properties:
              alerts_filter:
                additionalProperties: false
                description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
                type: object
                properties:
                  query:
                    additionalProperties: false
                    type: object
                    properties:
                      dsl:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
                        type: string
                      filters:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            $state:
                              additionalProperties: false
                              type: object
                              properties:
                                store:
                                  description: A filter can be either specific to an application context or applied globally.
                                  enum:
                                    - appState
                                    - globalState
                                  type: string
                              required:
                                - store
                            meta:
                              additionalProperties:
                                description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
                                nullable: true
                              type: object
                            query:
                              additionalProperties:
                                description: A query for the filter.
                                nullable: true
                              type: object
                          required:
                            - meta
                        type: array
                      kql:
                        description: A filter written in Kibana Query Language (KQL).
                        type: string
                    required:
                      - kql
                      - filters
                  timeframe:
                    additionalProperties: false
                    description: Defines a period that limits whether the action runs.
                    type: object
                    properties:
                      days:
                        description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
                        items:
                          enum:
                            - 1
                            - 2
                            - 3
                            - 4
                            - 5
                            - 6
                            - 7
                          type: integer
                        type: array
                      hours:
                        additionalProperties: false
                        description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.
                        type: object
                        properties:
                          end:
                            description: The end of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                          start:
                            description: The start of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                        required:
                          - start
                          - end
                      timezone:
                        description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
                        type: string
                    required:
                      - days
                      - hours
                      - timezone
              frequency:
                additionalProperties: false
                type: object
                properties:
                  notify_when:
                    description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    enum:
                      - onActionGroupChange
                      - onActiveAlert
                      - onThrottleInterval
                    type: string
                  summary:
                    description: Indicates whether the action is a summary.
                    type: boolean
                  throttle:
                    description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    nullable: true
                    type: string
                required:
                  - summary
                  - notify_when
                  - throttle
              group:
                description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
                type: string
              id:
                description: The identifier for the connector saved object.
                type: string
              params:
                additionalProperties:
                  nullable: true
                default: {}
                description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
                type: object
              use_alert_data_for_template:
                description: Indicates whether to use alert data as a template.
                type: boolean
              uuid:
                description: A universally unique identifier (UUID) for the action.
                type: string
            required:
              - id
          type: array
        alert_delay:
          additionalProperties: false
          description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
          type: object
          properties:
            active:
              description: The number of consecutive runs that must meet the rule conditions.
              type: number
          required:
            - active
        artifacts:
          additionalProperties: false
          type: object
          properties:
            dashboards:
              items:
                additionalProperties: false
                type: object
                properties:
                  id:
                    type: string
                required:
                  - id
              maxItems: 10
              type: array
            investigation_guide:
              additionalProperties: false
              type: object
              properties:
                blob:
                  maxLength: 10000
                  type: string
              required:
                - blob
        consumer:
          description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
          type: string
        enabled:
          default: true
          description: Indicates whether you want to run the rule on an interval basis after it is created.
          type: boolean
        flapping:
          additionalProperties: false
          description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
          nullable: true
          type: object
          properties:
            enabled:
              description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
              type: boolean
            look_back_window:
              description: The minimum number of runs in which the threshold must be met.
              maximum: 20
              minimum: 2
              type: number
            status_change_threshold:
              description: The minimum number of times an alert must switch states in the look back window.
              maximum: 20
              minimum: 2
              type: number
          required:
            - look_back_window
            - status_change_threshold
        name:
          description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
          type: string
        notify_when:
          description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          enum:
            - onActionGroupChange
            - onActiveAlert
            - onThrottleInterval
          nullable: true
          type: string
        params:
          additionalProperties: false
          description: The parameters for the thread pool search rejections rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_thread_pool_search_rejections`.
          properties:
            duration:
              type: string
            filterQuery:
              type: string
            filterQueryText:
              type: string
            threshold:
              type: number
          required:
            - duration
          title: Thread Pool Search Rejections Rule Params
          type: object
        rule_type_id:
          enum:
            - monitoring_alert_thread_pool_search_rejections
          type: string
        schedule:
          additionalProperties: false
          description: The check interval, which specifies how frequently the rule conditions are checked.
          type: object
          properties:
            interval:
              description: The interval is specified in seconds, minutes, hours, or days.
              type: string
          required:
            - interval
        tags:
          default: []
          description: The tags for the rule.
          items:
            type: string
          type: array
        throttle:
          description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          nullable: true
          type: string
      required:
        - name
        - consumer
        - schedule
        - rule_type_id
        - params
      title: Thread pool search rejections
      type: object
    Kibana_HTTP_APIs_monitoring-alert-thread-pool-write-rejections-create-rule-body-alerting:
      additionalProperties: false
      properties:
        actions:
          default: []
          items:
            additionalProperties: false
            description: An action that runs under defined conditions.
            type: object
            properties:
              alerts_filter:
                additionalProperties: false
                description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
                type: object
                properties:
                  query:
                    additionalProperties: false
                    type: object
                    properties:
                      dsl:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
                        type: string
                      filters:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            $state:
                              additionalProperties: false
                              type: object
                              properties:
                                store:
                                  description: A filter can be either specific to an application context or applied globally.
                                  enum:
                                    - appState
                                    - globalState
                                  type: string
                              required:
                                - store
                            meta:
                              additionalProperties:
                                description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
                                nullable: true
                              type: object
                            query:
                              additionalProperties:
                                description: A query for the filter.
                                nullable: true
                              type: object
                          required:
                            - meta
                        type: array
                      kql:
                        description: A filter written in Kibana Query Language (KQL).
                        type: string
                    required:
                      - kql
                      - filters
                  timeframe:
                    additionalProperties: false
                    description: Defines a period that limits whether the action runs.
                    type: object
                    properties:
                      days:
                        description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
                        items:
                          enum:
                            - 1
                            - 2
                            - 3
                            - 4
                            - 5
                            - 6
                            - 7
                          type: integer
                        type: array
                      hours:
                        additionalProperties: false
                        description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.
                        type: object
                        properties:
                          end:
                            description: The end of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                          start:
                            description: The start of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                        required:
                          - start
                          - end
                      timezone:
                        description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
                        type: string
                    required:
                      - days
                      - hours
                      - timezone
              frequency:
                additionalProperties: false
                type: object
                properties:
                  notify_when:
                    description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    enum:
                      - onActionGroupChange
                      - onActiveAlert
                      - onThrottleInterval
                    type: string
                  summary:
                    description: Indicates whether the action is a summary.
                    type: boolean
                  throttle:
                    description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    nullable: true
                    type: string
                required:
                  - summary
                  - notify_when
                  - throttle
              group:
                description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
                type: string
              id:
                description: The identifier for the connector saved object.
                type: string
              params:
                additionalProperties:
                  nullable: true
                default: {}
                description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
                type: object
              use_alert_data_for_template:
                description: Indicates whether to use alert data as a template.
                type: boolean
              uuid:
                description: A universally unique identifier (UUID) for the action.
                type: string
            required:
              - id
          type: array
        alert_delay:
          additionalProperties: false
          description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
          type: object
          properties:
            active:
              description: The number of consecutive runs that must meet the rule conditions.
              type: number
          required:
            - active
        artifacts:
          additionalProperties: false
          type: object
          properties:
            dashboards:
              items:
                additionalProperties: false
                type: object
                properties:
                  id:
                    type: string
                required:
                  - id
              maxItems: 10
              type: array
            investigation_guide:
              additionalProperties: false
              type: object
              properties:
                blob:
                  maxLength: 10000
                  type: string
              required:
                - blob
        consumer:
          description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
          type: string
        enabled:
          default: true
          description: Indicates whether you want to run the rule on an interval basis after it is created.
          type: boolean
        flapping:
          additionalProperties: false
          description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
          nullable: true
          type: object
          properties:
            enabled:
              description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
              type: boolean
            look_back_window:
              description: The minimum number of runs in which the threshold must be met.
              maximum: 20
              minimum: 2
              type: number
            status_change_threshold:
              description: The minimum number of times an alert must switch states in the look back window.
              maximum: 20
              minimum: 2
              type: number
          required:
            - look_back_window
            - status_change_threshold
        name:
          description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
          type: string
        notify_when:
          description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          enum:
            - onActionGroupChange
            - onActiveAlert
            - onThrottleInterval
          nullable: true
          type: string
        params:
          additionalProperties: false
          description: The parameters for the thread pool write rejections rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_thread_pool_write_rejections`.
          properties:
            duration:
              type: string
            filterQuery:
              type: string
            filterQueryText:
              type: string
            threshold:
              type: number
          required:
            - duration
          title: Thread Pool Write Rejections Rule Params
          type: object
        rule_type_id:
          enum:
            - monitoring_alert_thread_pool_write_rejections
          type: string
        schedule:
          additionalProperties: false
          description: The check interval, which specifies how frequently the rule conditions are checked.
          type: object
          properties:
            interval:
              description: The interval is specified in seconds, minutes, hours, or days.
              type: string
          required:
            - interval
        tags:
          default: []
          description: The tags for the rule.
          items:
            type: string
          type: array
        throttle:
          description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          nullable: true
          type: string
      required:
        - name
        - consumer
        - schedule
        - rule_type_id
        - params
      title: Thread pool write rejections
      type: object
    Kibana_HTTP_APIs_monitoring-ccr-read-exceptions-create-rule-body-alerting:
      additionalProperties: false
      properties:
        actions:
          default: []
          items:
            additionalProperties: false
            description: An action that runs under defined conditions.
            type: object
            properties:
              alerts_filter:
                additionalProperties: false
                description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
                type: object
                properties:
                  query:
                    additionalProperties: false
                    type: object
                    properties:
                      dsl:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
                        type: string
                      filters:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            $state:
                              additionalProperties: false
                              type: object
                              properties:
                                store:
                                  description: A filter can be either specific to an application context or applied globally.
                                  enum:
                                    - appState
                                    - globalState
                                  type: string
                              required:
                                - store
                            meta:
                              additionalProperties:
                                description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
                                nullable: true
                              type: object
                            query:
                              additionalProperties:
                                description: A query for the filter.
                                nullable: true
                              type: object
                          required:
                            - meta
                        type: array
                      kql:
                        description: A filter written in Kibana Query Language (KQL).
                        type: string
                    required:
                      - kql
                      - filters
                  timeframe:
                    additionalProperties: false
                    description: Defines a period that limits whether the action runs.
                    type: object
                    properties:
                      days:
                        description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
                        items:
                          enum:
                            - 1
                            - 2
                            - 3
                            - 4
                            - 5
                            - 6
                            - 7
                          type: integer
                        type: array
                      hours:
                        additionalProperties: false
                        description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.
                        type: object
                        properties:
                          end:
                            description: The end of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                          start:
                            description: The start of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                        required:
                          - start
                          - end
                      timezone:
                        description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
                        type: string
                    required:
                      - days
                      - hours
                      - timezone
              frequency:
                additionalProperties: false
                type: object
                properties:
                  notify_when:
                    description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    enum:
                      - onActionGroupChange
                      - onActiveAlert
                      - onThrottleInterval
                    type: string
                  summary:
                    description: Indicates whether the action is a summary.
                    type: boolean
                  throttle:
                    description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    nullable: true
                    type: string
                required:
                  - summary
                  - notify_when
                  - throttle
              group:
                description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
                type: string
              id:
                description: The identifier for the connector saved object.
                type: string
              params:
                additionalProperties:
                  nullable: true
                default: {}
                description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
                type: object
              use_alert_data_for_template:
                description: Indicates whether to use alert data as a template.
                type: boolean
              uuid:
                description: A universally unique identifier (UUID) for the action.
                type: string
            required:
              - id
          type: array
        alert_delay:
          additionalProperties: false
          description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
          type: object
          properties:
            active:
              description: The number of consecutive runs that must meet the rule conditions.
              type: number
          required:
            - active
        artifacts:
          additionalProperties: false
          type: object
          properties:
            dashboards:
              items:
                additionalProperties: false
                type: object
                properties:
                  id:
                    type: string
                required:
                  - id
              maxItems: 10
              type: array
            investigation_guide:
              additionalProperties: false
              type: object
              properties:
                blob:
                  maxLength: 10000
                  type: string
              required:
                - blob
        consumer:
          description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
          type: string
        enabled:
          default: true
          description: Indicates whether you want to run the rule on an interval basis after it is created.
          type: boolean
        flapping:
          additionalProperties: false
          description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
          nullable: true
          type: object
          properties:
            enabled:
              description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
              type: boolean
            look_back_window:
              description: The minimum number of runs in which the threshold must be met.
              maximum: 20
              minimum: 2
              type: number
            status_change_threshold:
              description: The minimum number of times an alert must switch states in the look back window.
              maximum: 20
              minimum: 2
              type: number
          required:
            - look_back_window
            - status_change_threshold
        name:
          description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
          type: string
        notify_when:
          description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          enum:
            - onActionGroupChange
            - onActiveAlert
            - onThrottleInterval
          nullable: true
          type: string
        params:
          additionalProperties: true
          description: The parameters for the CCR read exceptions rule. These parameters are appropriate when `rule_type_id` is `monitoring_ccr_read_exceptions`.
          properties:
            duration:
              type: string
            filterQuery:
              type: string
            filterQueryText:
              type: string
            limit:
              type: string
            threshold:
              type: number
          required:
            - duration
          title: CCR Read Exceptions Rule Params
          type: object
        rule_type_id:
          enum:
            - monitoring_ccr_read_exceptions
          type: string
        schedule:
          additionalProperties: false
          description: The check interval, which specifies how frequently the rule conditions are checked.
          type: object
          properties:
            interval:
              description: The interval is specified in seconds, minutes, hours, or days.
              type: string
          required:
            - interval
        tags:
          default: []
          description: The tags for the rule.
          items:
            type: string
          type: array
        throttle:
          description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          nullable: true
          type: string
      required:
        - name
        - consumer
        - schedule
        - rule_type_id
        - params
      title: CCR read exceptions
      type: object
    Kibana_HTTP_APIs_monitoring-shard-size-create-rule-body-alerting:
      additionalProperties: false
      properties:
        actions:
          default: []
          items:
            additionalProperties: false
            description: An action that runs under defined conditions.
            type: object
            properties:
              alerts_filter:
                additionalProperties: false
                description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
                type: object
                properties:
                  query:
                    additionalProperties: false
                    type: object
                    properties:
                      dsl:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
                        type: string
                      filters:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            $state:
                              additionalProperties: false
                              type: object
                              properties:
                                store:
                                  description: A filter can be either specific to an application context or applied globally.
                                  enum:
                                    - appState
                                    - globalState
                                  type: string
                              required:
                                - store
                            meta:
                              additionalProperties:
                                description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value".
                                nullable: true
                              type: object
                            query:
                              additionalProperties:
                                description: A query for the filter.
                                nullable: true
                              type: object
                          required:
                            - meta
                        type: array
                      kql:
                        description: A filter written in Kibana Query Language (KQL).
                        type: string
                    required:
                      - kql
                      - filters
                  timeframe:
                    additionalProperties: false
                    description: Defines a period that limits whether the action runs.
                    type: object
                    properties:
                      days:
                        description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
                        items:
                          enum:
                            - 1
                            - 2
                            - 3
                            - 4
                            - 5
                            - 6
                            - 7
                          type: integer
                        type: array
                      hours:
                        additionalProperties: false
                        description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.
                        type: object
                        properties:
                          end:
                            description: The end of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                          start:
                            description: The start of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                        required:
                          - start
                          - end
                      timezone:
                        description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
                        type: string
                    required:
                      - days
                      - hours
                      - timezone
              frequency:
                additionalProperties: false
                type: object
                properties:
                  notify_when:
                    description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    enum:
                      - onActionGroupChange
                      - onActiveAlert
                      - onThrottleInterval
                    type: string
                  summary:
                    description: Indicates whether the action is a summary.
                    type: boolean
                  throttle:
                    description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    nullable: true
                    type: string
                required:
                  - summary
                  - notify_when
                  - throttle
              group:
                description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
                type: string
              id:
                description: The identifier for the connector saved object.
                type: string
              params:
                additionalProperties:
                  nullable: true
                default: {}
                description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
                type: object
              use_alert_data_for_template:
                description: Indicates whether to use alert data as a template.
                type: boolean
              uuid:
                description: A universally unique identifier (UUID) for the action.
                type: string
            required:
              - id
          type: array
        alert_delay:
          additionalProperties: false
          description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
          type: object
          properties:
            active:
              description: The number of consecutive runs that must meet the rule conditions.
              type: number
          required:
            - active
        artifacts:
          additionalProperties: false
          type: object
          properties:
            dashboards:
              items:
                additionalProperties: false
                type: object
                properties:
                  id:
                    type: string
                required:
                  - id
              maxItems: 10
              type: array
            investigation_guide:
              additionalProperties: false
              type: object
              properties:
                blob:
                  maxLength: 10000
                  type: string
              required:
                - blob
        consumer:
          description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
          type: string
        enabled:
          default: true
          description: Indicates whether you want to run the rule on an interval basis after it is created.
          type: boolean
        flapping:
          additionalProperties: false
          description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
          nullable: true
          type: object
          properties:
            enabled:
              description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
              type: boolean
            look_back_window:
              description: The minimum number of runs in which the threshold must be met.
              maximum: 20
              minimum: 2
              type: number
            status_change_threshold:
              description: The minimum number of times an alert must switch states in the look back window.
              maximum: 20
              minimum: 2
              type: number
          required:
            - look_back_window
            - status_change_threshold
        name:
          description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
          type: string
        notify_when:
          description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          enum:
            - onActionGroupChange
            - onActiveAlert
            - onThrottleInterval
          nullable: true
          type: string
        params:
          additionalProperties: true
          description: The parameters for the large shard size rule. These parameters are appropriate when `rule_type_id` is `monitoring_shard_size`.
          properties:
            duration:
              type: string
            filterQuery:
              type: string
            filterQueryText:
              type: string
            indexPattern:
              type: string
            limit:
              type: string
            threshold:
              type: number
          required:
            - duration
            - indexPattern
          title: Large Shard Size Rule Params
          type: object
        rule_type_id:
          enum:
            - monitoring_shard_size
          type: string
        schedule:
          additionalProperties: false
          description: The check interval, which specifies how frequently the rule conditions are checked.
          type: object
          properties:
            interval:
              description: The interval is specified in seconds, minutes, hours, or days.
              type: string
          required:
            - interval
        tags:
          default: []
          description: The tags for the rule.
          items:
            type: string
          type: array
        throttle:
          description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          nullable: true
          type: string
      required:
        - name
        - consumer
        - schedule
        - rule_type_id
        - params
      title: Large shard size
      type: object
    Kibana_HTTP_APIs_new_output_elasticsearch:
      additionalProperties: false
      properties:
        allow_edit:
          items:
            type: string
          maxItems: 1000
          type: array
        ca_sha256:
          nullable: true
          type: string
        ca_trusted_fingerprint:
          nullable: true
          type: string
        config_yaml:
          nullable: true
          type: string
        hosts:
          items:
            format: uri
            type: string
          maxItems: 10
          minItems: 1
          type: array
        id:
          type: string
        is_default:
          default: false
          type: boolean
        is_default_monitoring:
          default: false
          type: boolean
        is_internal:
          type: boolean
        is_preconfigured:
          type: boolean
        name:
          type: string
        otel_disable_beatsauth:
          nullable: true
          type: boolean
        otel_exporter_config_yaml:
          nullable: true
          type: string
        preset:
          enum:
            - balanced
            - custom
            - throughput
            - scale
            - latency
          type: string
        proxy_id:
          nullable: true
          type: string
        secrets:
          additionalProperties: false
          type: object
          properties:
            ssl:
              additionalProperties: false
              type: object
              properties:
                key:
                  anyOf:
                    - additionalProperties: false
                      type: object
                      properties:
                        hash:
                          type: string
                        id:
                          type: string
                      required:
                        - id
                    - type: string
        shipper:
          allOf:
            - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper'
          nullable: true
        ssl:
          allOf:
            - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl'
          nullable: true
        type:
          enum:
            - elasticsearch
          type: string
        write_to_logs_streams:
          nullable: true
          type: boolean
      required:
        - name
        - type
        - hosts
      title: new_output_elasticsearch
      type: object
    Kibana_HTTP_APIs_new_output_kafka:
      additionalProperties: false
      properties:
        allow_edit:
          items:
            type: string
          maxItems: 1000
          type: array
        auth_type:
          enum:
            - none
            - user_pass
            - ssl
            - kerberos
          type: string
        broker_timeout:
          type: number
        ca_sha256:
          nullable: true
          type: string
        ca_trusted_fingerprint:
          nullable: true
          type: string
        client_id:
          type: string
        compression:
          enum:
            - gzip
            - snappy
            - lz4
            - none
          type: string
        compression_level:
          nullable: true
          type: number
        config_yaml:
          nullable: true
          type: string
        connection_type:
          enum:
            - plaintext
            - encryption
          type: string
        hash:
          additionalProperties: false
          type: object
          properties:
            hash:
              type: string
            random:
              type: boolean
        headers:
          items:
            additionalProperties: false
            type: object
            properties:
              key:
                type: string
              value:
                type: string
            required:
              - key
              - value
          maxItems: 100
          type: array
        hosts:
          items:
            type: string
          maxItems: 10
          minItems: 1
          type: array
        id:
          type: string
        is_default:
          default: false
          type: boolean
        is_default_monitoring:
          default: false
          type: boolean
        is_internal:
          type: boolean
        is_preconfigured:
          type: boolean
        key:
          type: string
        name:
          type: string
        otel_disable_beatsauth:
          nullable: true
          type: boolean
        otel_exporter_config_yaml:
          nullable: true
          type: string
        partition:
          enum:
            - random
            - round_robin
            - hash
          type: string
        password:
          nullable: true
          type: string
        proxy_id:
          nullable: true
          type: string
        random:
          additionalProperties: false
          type: object
          properties:
            group_events:
              type: number
        required_acks:
          enum:
            - 1
            - 0
            - -1
          type: integer
        round_robin:
          additionalProperties: false
          type: object
          properties:
            group_events:
              type: number
        sasl:
          additionalProperties: false
          nullable: true
          type: object
          properties:
            mechanism:
              enum:
                - PLAIN
                - SCRAM-SHA-256
                - SCRAM-SHA-512
              type: string
        secrets:
          additionalProperties: false
          type: object
          properties:
            password:
              anyOf:
                - additionalProperties: false
                  type: object
                  properties:
                    hash:
                      type: string
                    id:
                      type: string
                  required:
                    - id
                - type: string
            ssl:
              additionalProperties: false
              type: object
              properties:
                key:
                  anyOf:
                    - additionalProperties: false
                      type: object
                      properties:
                        hash:
                          type: string
                        id:
                          type: string
                      required:
                        - id
                    - type: string
              required:
                - key
        shipper:
          allOf:
            - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper'
          nullable: true
        ssl:
          allOf:
            - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl'
          nullable: true
        timeout:
          type: number
        topic:
          type: string
        type:
          enum:
            - kafka
          type: string
        username:
          nullable: true
          type: string
        version:
          type: string
      required:
        - name
        - type
        - hosts
        - auth_type
      title: new_output_kafka
      type: object
    Kibana_HTTP_APIs_new_output_logstash:
      additionalProperties: false
      properties:
        allow_edit:
          items:
            type: string
          maxItems: 1000
          type: array
        ca_sha256:
          nullable: true
          type: string
        ca_trusted_fingerprint:
          nullable: true
          type: string
        config_yaml:
          nullable: true
          type: string
        hosts:
          items:
            type: string
          maxItems: 10
          minItems: 1
          type: array
        id:
          type: string
        is_default:
          default: false
          type: boolean
        is_default_monitoring:
          default: false
          type: boolean
        is_internal:
          type: boolean
        is_preconfigured:
          type: boolean
        name:
          type: string
        otel_disable_beatsauth:
          nullable: true
          type: boolean
        otel_exporter_config_yaml:
          nullable: true
          type: string
        proxy_id:
          nullable: true
          type: string
        secrets:
          additionalProperties: false
          type: object
          properties:
            ssl:
              additionalProperties: false
              type: object
              properties:
                key:
                  anyOf:
                    - additionalProperties: false
                      type: object
                      properties:
                        hash:
                          type: string
                        id:
                          type: string
                      required:
                        - id
                    - type: string
        shipper:
          allOf:
            - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper'
          nullable: true
        ssl:
          allOf:
            - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl'
          nullable: true
        type:
          enum:
            - logstash
          type: string
      required:
        - name
        - type
        - hosts
      title: new_output_logstash
      type: object
    Kibana_HTTP_APIs_new_output_remote_elasticsearch:
      additionalProperties: false
      properties:
        allow_edit:
          items:
            type: string
          maxItems: 1000
          type: array
        ca_sha256:
          nullable: true
          type: string
        ca_trusted_fingerprint:
          nullable: true
          type: string
        config_yaml:
          nullable: true
          type: string
        hosts:
          items:
            format: uri
            type: string
          maxItems: 10
          minItems: 1
          type: array
        id:
          type: string
        is_default:
          default: false
          type: boolean
        is_default_monitoring:
          default: false
          type: boolean
        is_internal:
          type: boolean
        is_preconfigured:
          type: boolean
        kibana_api_key:
          nullable: true
          type: string
        kibana_url:
          nullable: true
          type: string
        name:
          type: string
        otel_disable_beatsauth:
          nullable: true
          type: boolean
        otel_exporter_config_yaml:
          nullable: true
          type: string
        preset:
          enum:
            - balanced
            - custom
            - throughput
            - scale
            - latency
          type: string
        proxy_id:
          nullable: true
          type: string
        secrets:
          additionalProperties: false
          type: object
          properties:
            service_token:
              anyOf:
                - additionalProperties: false
                  type: object
                  properties:
                    hash:
                      type: string
                    id:
                      type: string
                  required:
                    - id
                - type: string
            ssl:
              additionalProperties: false
              type: object
              properties:
                key:
                  anyOf:
                    - additionalProperties: false
                      type: object
                      properties:
                        hash:
                          type: string
                        id:
                          type: string
                      required:
                        - id
                    - type: string
        service_token:
          nullable: true
          type: string
        shipper:
          allOf:
            - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper'
          nullable: true
        ssl:
          allOf:
            - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl'
          nullable: true
        sync_integrations:
          type: boolean
        sync_uninstalled_integrations:
          type: boolean
        type:
          enum:
            - remote_elasticsearch
          type: string
        write_to_logs_streams:
          nullable: true
          type: boolean
      required:
        - name
        - type
        - hosts
      title: new_output_remote_elasticsearch
      type: object
    Kibana_HTTP_APIs_observability-rules-custom-threshold-create-rule-body-alerting:
      additionalProperties: false
      properties:
        actions:
          default: []
          items:
            additionalProperties: false
            description: An action that runs under defined conditions.
            type: object
            properties:
              alerts_filter:
                additionalProperties: false
                description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
                type: object
                properties:
                  query:
                    additionalProperties: false
                    type: object
                    properties:
                      dsl:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
                        type: string
                      filters:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            $state:
                              additionalProperties: false
                              type: object
                              properties:
                                store:
                                  description: A filter can be either specific to an application context or applied globally.
                                  enum:
                                    - appState
                                    - globalState
                                  type: string
                              required:
                                - store
                            meta:
                              additionalProperties:
                                description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
                                nullable: true
                              type: object
                            query:
                              additionalProperties:
                                description: A query for the filter.
                                nullable: true
                              type: object
                          required:
                            - meta
                        type: array
                      kql:
                        description: A filter written in Kibana Query Language (KQL).
                        type: string
                    required:
                      - kql
                      - filters
                  timeframe:
                    additionalProperties: false
                    description: Defines a period that limits whether the action runs.
                    type: object
                    properties:
                      days:
                        description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
                        items:
                          enum:
                            - 1
                            - 2
                            - 3
                            - 4
                            - 5
                            - 6
                            - 7
                          type: integer
                        type: array
                      hours:
                        additionalProperties: false
                        description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.
                        type: object
                        properties:
                          end:
                            description: The end of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                          start:
                            description: The start of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                        required:
                          - start
                          - end
                      timezone:
                        description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
                        type: string
                    required:
                      - days
                      - hours
                      - timezone
              frequency:
                additionalProperties: false
                type: object
                properties:
                  notify_when:
                    description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    enum:
                      - onActionGroupChange
                      - onActiveAlert
                      - onThrottleInterval
                    type: string
                  summary:
                    description: Indicates whether the action is a summary.
                    type: boolean
                  throttle:
                    description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    nullable: true
                    type: string
                required:
                  - summary
                  - notify_when
                  - throttle
              group:
                description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
                type: string
              id:
                description: The identifier for the connector saved object.
                type: string
              params:
                additionalProperties:
                  nullable: true
                default: {}
                description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
                type: object
              use_alert_data_for_template:
                description: Indicates whether to use alert data as a template.
                type: boolean
              uuid:
                description: A universally unique identifier (UUID) for the action.
                type: string
            required:
              - id
          type: array
        alert_delay:
          additionalProperties: false
          description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
          type: object
          properties:
            active:
              description: The number of consecutive runs that must meet the rule conditions.
              type: number
          required:
            - active
        artifacts:
          additionalProperties: false
          type: object
          properties:
            dashboards:
              items:
                additionalProperties: false
                type: object
                properties:
                  id:
                    type: string
                required:
                  - id
              maxItems: 10
              type: array
            investigation_guide:
              additionalProperties: false
              type: object
              properties:
                blob:
                  maxLength: 10000
                  type: string
              required:
                - blob
        consumer:
          description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
          type: string
        enabled:
          default: true
          description: Indicates whether you want to run the rule on an interval basis after it is created.
          type: boolean
        flapping:
          additionalProperties: false
          description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
          nullable: true
          type: object
          properties:
            enabled:
              description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
              type: boolean
            look_back_window:
              description: The minimum number of runs in which the threshold must be met.
              maximum: 20
              minimum: 2
              type: number
            status_change_threshold:
              description: The minimum number of times an alert must switch states in the look back window.
              maximum: 20
              minimum: 2
              type: number
          required:
            - look_back_window
            - status_change_threshold
        name:
          description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
          type: string
        notify_when:
          description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          enum:
            - onActionGroupChange
            - onActiveAlert
            - onThrottleInterval
          nullable: true
          type: string
        params:
          additionalProperties: true
          description: The parameters for the custom threshold rule. These parameters are appropriate when `rule_type_id` is `observability.rules.custom_threshold`.
          properties:
            alertOnGroupDisappear:
              type: boolean
            alertOnNoData:
              type: boolean
            criteria:
              items:
                additionalProperties: false
                type: object
                properties:
                  aggType:
                    enum:
                      - custom
                    type: string
                  comparator:
                    type: string
                  equation:
                    type: string
                  label:
                    type: string
                  metrics:
                    items:
                      anyOf:
                        - additionalProperties: false
                          type: object
                          properties:
                            aggType:
                              type: string
                            field:
                              type: string
                            filter:
                              type: string
                            name:
                              type: string
                          required:
                            - name
                            - aggType
                            - field
                        - additionalProperties: false
                          type: object
                          properties:
                            aggType:
                              enum:
                                - count
                              type: string
                            filter:
                              type: string
                            name:
                              type: string
                          required:
                            - name
                            - aggType
                    type: array
                  threshold:
                    items:
                      type: number
                    type: array
                  timeSize:
                    type: number
                  timeUnit:
                    type: string
                required:
                  - threshold
                  - comparator
                  - timeUnit
                  - timeSize
                  - metrics
              type: array
            groupBy:
              anyOf:
                - type: string
                - items:
                    type: string
                  type: array
            noDataBehavior:
              enum:
                - recover
                - remainActive
                - alertOnNoData
              type: string
            searchConfiguration:
              additionalProperties: false
              type: object
              properties:
                filter:
                  items:
                    additionalProperties: false
                    type: object
                    properties:
                      meta:
                        additionalProperties:
                          nullable: true
                        type: object
                      query:
                        additionalProperties:
                          nullable: true
                        type: object
                    required:
                      - meta
                  type: array
                index:
                  anyOf:
                    - type: string
                    - additionalProperties: false
                      type: object
                      properties:
                        allowHidden:
                          type: boolean
                        allowNoIndex:
                          type: boolean
                        fieldAttrs:
                          additionalProperties:
                            additionalProperties: false
                            type: object
                            properties:
                              count:
                                type: number
                              customDescription:
                                maxLength: 300
                                type: string
                              customLabel:
                                type: string
                          type: object
                        fieldFormats:
                          additionalProperties:
                            additionalProperties: false
                            type: object
                            properties:
                              id:
                                type: string
                              params:
                                nullable: true
                            required:
                              - params
                          type: object
                        fields:
                          additionalProperties:
                            additionalProperties: false
                            type: object
                            properties:
                              aggregatable:
                                type: boolean
                              count:
                                minimum: 0
                                type: number
                              customDescription:
                                maxLength: 300
                                type: string
                              customLabel:
                                type: string
                              esTypes:
                                items:
                                  type: string
                                type: array
                              format:
                                additionalProperties: false
                                type: object
                                properties:
                                  id:
                                    type: string
                                  params:
                                    nullable: true
                                required:
                                  - params
                              name:
                                maxLength: 1000
                                type: string
                              readFromDocValues:
                                type: boolean
                              runtimeField:
                                anyOf:
                                  - additionalProperties: false
                                    type: object
                                    properties:
                                      customDescription:
                                        maxLength: 300
                                        type: string
                                      customLabel:
                                        type: string
                                      format:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          id:
                                            type: string
                                          params:
                                            nullable: true
                                        required:
                                          - params
                                      popularity:
                                        minimum: 0
                                        type: number
                                      script:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          source:
                                            type: string
                                        required:
                                          - source
                                      type:
                                        enum:
                                          - keyword
                                          - long
                                          - double
                                          - date
                                          - ip
                                          - boolean
                                          - geo_point
                                        type: string
                                    required:
                                      - type
                                  - additionalProperties: false
                                    type: object
                                    properties:
                                      fields:
                                        additionalProperties:
                                          additionalProperties: false
                                          type: object
                                          properties:
                                            customDescription:
                                              maxLength: 300
                                              type: string
                                            customLabel:
                                              type: string
                                            format:
                                              additionalProperties: false
                                              type: object
                                              properties:
                                                id:
                                                  type: string
                                                params:
                                                  nullable: true
                                              required:
                                                - params
                                            popularity:
                                              minimum: 0
                                              type: number
                                            type:
                                              enum:
                                                - keyword
                                                - long
                                                - double
                                                - date
                                                - ip
                                                - boolean
                                                - geo_point
                                              type: string
                                          required:
                                            - type
                                        type: object
                                      script:
                                        additionalProperties: false
                                        type: object
                                        properties:
                                          source:
                                            type: string
                                        required:
                                          - source
                                      type:
                                        enum:
                                          - composite
                                        type: string
                                    required:
                                      - type
                              script:
                                maxLength: 1000000
                                type: string
                              scripted:
                                type: boolean
                              searchable:
                                type: boolean
                              shortDotsEnable:
                                type: boolean
                              subType:
                                additionalProperties: false
                                type: object
                                properties:
                                  multi:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      parent:
                                        type: string
                                    required:
                                      - parent
                                  nested:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      path:
                                        type: string
                                    required:
                                      - path
                              type:
                                default: string
                                maxLength: 1000
                                type: string
                            required:
                              - name
                          type: object
                        id:
                          type: string
                        managed:
                          type: boolean
                        name:
                          type: string
                        namespaces:
                          items:
                            type: string
                          type: array
                        runtimeFieldMap:
                          additionalProperties:
                            anyOf:
                              - additionalProperties: false
                                type: object
                                properties:
                                  customDescription:
                                    maxLength: 300
                                    type: string
                                  customLabel:
                                    type: string
                                  format:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      id:
                                        type: string
                                      params:
                                        nullable: true
                                    required:
                                      - params
                                  popularity:
                                    minimum: 0
                                    type: number
                                  script:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      source:
                                        type: string
                                    required:
                                      - source
                                  type:
                                    enum:
                                      - keyword
                                      - long
                                      - double
                                      - date
                                      - ip
                                      - boolean
                                      - geo_point
                                    type: string
                                required:
                                  - type
                              - additionalProperties: false
                                type: object
                                properties:
                                  fields:
                                    additionalProperties:
                                      additionalProperties: false
                                      type: object
                                      properties:
                                        customDescription:
                                          maxLength: 300
                                          type: string
                                        customLabel:
                                          type: string
                                        format:
                                          additionalProperties: false
                                          type: object
                                          properties:
                                            id:
                                              type: string
                                            params:
                                              nullable: true
                                          required:
                                            - params
                                        popularity:
                                          minimum: 0
                                          type: number
                                        type:
                                          enum:
                                            - keyword
                                            - long
                                            - double
                                            - date
                                            - ip
                                            - boolean
                                            - geo_point
                                          type: string
                                      required:
                                        - type
                                    type: object
                                  script:
                                    additionalProperties: false
                                    type: object
                                    properties:
                                      source:
                                        type: string
                                    required:
                                      - source
                                  type:
                                    enum:
                                      - composite
                                    type: string
                                required:
                                  - type
                          type: object
                        sourceFilters:
                          items:
                            additionalProperties: false
                            type: object
                            properties:
                              clientId:
                                anyOf:
                                  - type: string
                                  - type: number
                              value:
                                type: string
                            required:
                              - value
                          type: array
                        timeFieldName:
                          type: string
                        title:
                          type: string
                        type:
                          type: string
                        typeMeta:
                          additionalProperties: true
                          type: object
                          properties: {}
                        version:
                          type: string
                      required:
                        - title
                query:
                  additionalProperties: false
                  type: object
                  properties:
                    language:
                      type: string
                    query:
                      type: string
                  required:
                    - language
                    - query
              required:
                - index
                - query
          required:
            - criteria
            - searchConfiguration
          title: Custom Threshold Rule Params
          type: object
        rule_type_id:
          enum:
            - observability.rules.custom_threshold
          type: string
        schedule:
          additionalProperties: false
          description: The check interval, which specifies how frequently the rule conditions are checked.
          type: object
          properties:
            interval:
              description: The interval is specified in seconds, minutes, hours, or days.
              type: string
          required:
            - interval
        tags:
          default: []
          description: The tags for the rule.
          items:
            type: string
          type: array
        throttle:
          description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          nullable: true
          type: string
      required:
        - name
        - consumer
        - schedule
        - rule_type_id
        - params
      title: Custom threshold
      type: object
    Kibana_HTTP_APIs_output_elasticsearch:
      additionalProperties: true
      properties:
        allow_edit:
          items:
            type: string
          maxItems: 1000
          type: array
        ca_sha256:
          nullable: true
          type: string
        ca_trusted_fingerprint:
          nullable: true
          type: string
        config_yaml:
          nullable: true
          type: string
        hosts:
          items:
            format: uri
            type: string
          maxItems: 10
          minItems: 1
          type: array
        id:
          type: string
        is_default:
          default: false
          type: boolean
        is_default_monitoring:
          default: false
          type: boolean
        is_internal:
          type: boolean
        is_preconfigured:
          type: boolean
        name:
          type: string
        otel_disable_beatsauth:
          nullable: true
          type: boolean
        otel_exporter_config_yaml:
          nullable: true
          type: string
        preset:
          enum:
            - balanced
            - custom
            - throughput
            - scale
            - latency
          type: string
        proxy_id:
          nullable: true
          type: string
        secrets:
          additionalProperties: true
          type: object
          properties:
            ssl:
              additionalProperties: true
              type: object
              properties:
                key:
                  anyOf:
                    - additionalProperties: true
                      type: object
                      properties:
                        hash:
                          type: string
                        id:
                          type: string
                      required:
                        - id
                    - type: string
        shipper:
          allOf:
            - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper'
          nullable: true
        ssl:
          allOf:
            - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl'
          nullable: true
        type:
          enum:
            - elasticsearch
          type: string
        write_to_logs_streams:
          nullable: true
          type: boolean
      required:
        - name
        - type
        - hosts
      title: output_elasticsearch
      type: object
    Kibana_HTTP_APIs_output_kafka:
      additionalProperties: true
      properties:
        allow_edit:
          items:
            type: string
          maxItems: 1000
          type: array
        auth_type:
          enum:
            - none
            - user_pass
            - ssl
            - kerberos
          type: string
        broker_timeout:
          type: number
        ca_sha256:
          nullable: true
          type: string
        ca_trusted_fingerprint:
          nullable: true
          type: string
        client_id:
          type: string
        compression:
          enum:
            - gzip
            - snappy
            - lz4
            - none
          type: string
        compression_level:
          nullable: true
          type: number
        config_yaml:
          nullable: true
          type: string
        connection_type:
          enum:
            - plaintext
            - encryption
          type: string
        hash:
          additionalProperties: true
          type: object
          properties:
            hash:
              type: string
            random:
              type: boolean
        headers:
          items:
            additionalProperties: true
            type: object
            properties:
              key:
                type: string
              value:
                type: string
            required:
              - key
              - value
          maxItems: 100
          type: array
        hosts:
          items:
            type: string
          maxItems: 10
          minItems: 1
          type: array
        id:
          type: string
        is_default:
          default: false
          type: boolean
        is_default_monitoring:
          default: false
          type: boolean
        is_internal:
          type: boolean
        is_preconfigured:
          type: boolean
        key:
          type: string
        name:
          type: string
        otel_disable_beatsauth:
          nullable: true
          type: boolean
        otel_exporter_config_yaml:
          nullable: true
          type: string
        partition:
          enum:
            - random
            - round_robin
            - hash
          type: string
        password:
          nullable: true
          type: string
        proxy_id:
          nullable: true
          type: string
        random:
          additionalProperties: true
          type: object
          properties:
            group_events:
              type: number
        required_acks:
          enum:
            - 1
            - 0
            - -1
          type: integer
        round_robin:
          additionalProperties: true
          type: object
          properties:
            group_events:
              type: number
        sasl:
          additionalProperties: true
          nullable: true
          type: object
          properties:
            mechanism:
              enum:
                - PLAIN
                - SCRAM-SHA-256
                - SCRAM-SHA-512
              type: string
        secrets:
          additionalProperties: true
          type: object
          properties:
            password:
              anyOf:
                - additionalProperties: true
                  type: object
                  properties:
                    hash:
                      type: string
                    id:
                      type: string
                  required:
                    - id
                - type: string
            ssl:
              additionalProperties: true
              type: object
              properties:
                key:
                  anyOf:
                    - additionalProperties: true
                      type: object
                      properties:
                        hash:
                          type: string
                        id:
                          type: string
                      required:
                        - id
                    - type: string
              required:
                - key
        shipper:
          allOf:
            - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper'
          nullable: true
        ssl:
          allOf:
            - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl'
          nullable: true
        timeout:
          type: number
        topic:
          type: string
        type:
          enum:
            - kafka
          type: string
        username:
          nullable: true
          type: string
        version:
          type: string
      required:
        - name
        - type
        - hosts
        - auth_type
      title: output_kafka
      type: object
    Kibana_HTTP_APIs_output_logstash:
      additionalProperties: true
      properties:
        allow_edit:
          items:
            type: string
          maxItems: 1000
          type: array
        ca_sha256:
          nullable: true
          type: string
        ca_trusted_fingerprint:
          nullable: true
          type: string
        config_yaml:
          nullable: true
          type: string
        hosts:
          items:
            type: string
          maxItems: 10
          minItems: 1
          type: array
        id:
          type: string
        is_default:
          default: false
          type: boolean
        is_default_monitoring:
          default: false
          type: boolean
        is_internal:
          type: boolean
        is_preconfigured:
          type: boolean
        name:
          type: string
        otel_disable_beatsauth:
          nullable: true
          type: boolean
        otel_exporter_config_yaml:
          nullable: true
          type: string
        proxy_id:
          nullable: true
          type: string
        secrets:
          additionalProperties: true
          type: object
          properties:
            ssl:
              additionalProperties: true
              type: object
              properties:
                key:
                  anyOf:
                    - additionalProperties: true
                      type: object
                      properties:
                        hash:
                          type: string
                        id:
                          type: string
                      required:
                        - id
                    - type: string
        shipper:
          allOf:
            - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper'
          nullable: true
        ssl:
          allOf:
            - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl'
          nullable: true
        type:
          enum:
            - logstash
          type: string
      required:
        - name
        - type
        - hosts
      title: output_logstash
      type: object
    Kibana_HTTP_APIs_output_remote_elasticsearch:
      additionalProperties: true
      properties:
        allow_edit:
          items:
            type: string
          maxItems: 1000
          type: array
        ca_sha256:
          nullable: true
          type: string
        ca_trusted_fingerprint:
          nullable: true
          type: string
        config_yaml:
          nullable: true
          type: string
        hosts:
          items:
            format: uri
            type: string
          maxItems: 10
          minItems: 1
          type: array
        id:
          type: string
        is_default:
          default: false
          type: boolean
        is_default_monitoring:
          default: false
          type: boolean
        is_internal:
          type: boolean
        is_preconfigured:
          type: boolean
        kibana_api_key:
          nullable: true
          type: string
        kibana_url:
          nullable: true
          type: string
        name:
          type: string
        otel_disable_beatsauth:
          nullable: true
          type: boolean
        otel_exporter_config_yaml:
          nullable: true
          type: string
        preset:
          enum:
            - balanced
            - custom
            - throughput
            - scale
            - latency
          type: string
        proxy_id:
          nullable: true
          type: string
        secrets:
          additionalProperties: true
          type: object
          properties:
            service_token:
              anyOf:
                - additionalProperties: true
                  type: object
                  properties:
                    hash:
                      type: string
                    id:
                      type: string
                  required:
                    - id
                - type: string
            ssl:
              additionalProperties: true
              type: object
              properties:
                key:
                  anyOf:
                    - additionalProperties: true
                      type: object
                      properties:
                        hash:
                          type: string
                        id:
                          type: string
                      required:
                        - id
                    - type: string
        service_token:
          nullable: true
          type: string
        shipper:
          allOf:
            - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper'
          nullable: true
        ssl:
          allOf:
            - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl'
          nullable: true
        sync_integrations:
          type: boolean
        sync_uninstalled_integrations:
          type: boolean
        type:
          enum:
            - remote_elasticsearch
          type: string
        write_to_logs_streams:
          nullable: true
          type: boolean
      required:
        - name
        - type
        - hosts
      title: output_remote_elasticsearch
      type: object
    Kibana_HTTP_APIs_output_shipper:
      additionalProperties: true
      properties:
        compression_level:
          nullable: true
          type: number
        disk_queue_compression_enabled:
          nullable: true
          type: boolean
        disk_queue_enabled:
          default: false
          nullable: true
          type: boolean
        disk_queue_encryption_enabled:
          nullable: true
          type: boolean
        disk_queue_max_size:
          nullable: true
          type: number
        disk_queue_path:
          nullable: true
          type: string
        loadbalance:
          nullable: true
          type: boolean
        max_batch_bytes:
          nullable: true
          type: number
        mem_queue_events:
          nullable: true
          type: number
        queue_flush_timeout:
          nullable: true
          type: number
      required:
        - disk_queue_path
        - disk_queue_max_size
        - disk_queue_encryption_enabled
        - disk_queue_compression_enabled
        - compression_level
        - loadbalance
        - mem_queue_events
        - queue_flush_timeout
        - max_batch_bytes
      title: output_shipper
      type: object
    Kibana_HTTP_APIs_output_ssl:
      additionalProperties: true
      properties:
        certificate:
          type: string
        certificate_authorities:
          items:
            type: string
          maxItems: 10
          type: array
        key:
          type: string
        verification_mode:
          enum:
            - full
            - none
            - certificate
            - strict
          type: string
      title: output_ssl
      type: object
    Kibana_HTTP_APIs_QueryStreamUpsertRequest:
      additionalProperties: false
      type: object
      properties:
        dashboards:
          items:
            type: string
          type: array
        queries:
          items:
            type: object
            properties:
              description:
                type: string
              esql:
                type: object
                properties:
                  query:
                    type: string
                required:
                  - query
              evidence:
                items:
                  type: string
                type: array
              id:
                description: A non-empty string.
                minLength: 1
                type: string
              severity_score:
                type: number
              title:
                description: A non-empty string.
                minLength: 1
                type: string
              type:
                default: match
                enum:
                  - match
                  - stats
                type: string
            required:
              - id
              - title
              - description
              - esql
          type: array
        rules:
          items:
            type: string
          type: array
        stream:
          additionalProperties: false
          type: object
          properties:
            description:
              type: string
            field_descriptions:
              additionalProperties:
                type: string
              type: object
            query:
              additionalProperties: false
              type: object
              properties:
                esql:
                  type: string
                view:
                  type: string
              required:
                - view
                - esql
            query_streams:
              items:
                type: object
                properties:
                  name:
                    type: string
                required:
                  - name
              type: array
            type:
              enum:
                - query
              type: string
          required:
            - description
            - type
            - query
      required:
        - dashboards
        - rules
        - queries
        - stream
    Kibana_HTTP_APIs_RecursiveRecord:
      additionalProperties:
        anyOf:
          - anyOf:
              - type: string
              - type: number
              - type: boolean
              - nullable: true
              - {}
          - items:
              anyOf:
                - type: string
                - type: number
                - type: boolean
                - nullable: true
                - {}
            type: array
          - items: {}
            type: array
          - $ref: '#/components/schemas/Kibana_HTTP_APIs_RecursiveRecord'
      type: object
    Kibana_HTTP_APIs_security_bulk_create_or_update_roles_response:
      additionalProperties: false
      description: The response payload for the bulk create-or-update roles API.
      properties:
        created:
          items:
            description: The name of a role that was created.
            type: string
          type: array
        errors:
          additionalProperties:
            $ref: '#/components/schemas/Kibana_HTTP_APIs_security_bulk_roles_error_detail'
          type: object
        noop:
          items:
            description: The name of a role that was unchanged by the request.
            type: string
          type: array
        updated:
          items:
            description: The name of a role that was updated.
            type: string
          type: array
      title: security_bulk_create_or_update_roles_response
      type: object
    Kibana_HTTP_APIs_security_bulk_roles_error_detail:
      additionalProperties: false
      description: Error information for a single role in a bulk create-or-update request.
      properties:
        reason:
          description: A human-readable error reason.
          type: string
        type:
          description: The error type.
          type: string
      required:
        - type
        - reason
      title: security_bulk_roles_error_detail
      type: object
    Kibana_HTTP_APIs_security_query_roles_body:
      additionalProperties: false
      description: The request body for querying roles.
      properties:
        filters:
          $ref: '#/components/schemas/Kibana_HTTP_APIs_security_query_roles_filters'
        from:
          type: number
        query:
          type: string
        size:
          type: number
        sort:
          $ref: '#/components/schemas/Kibana_HTTP_APIs_security_query_roles_sort'
      title: security_query_roles_body
      type: object
      required: []
    Kibana_HTTP_APIs_security_query_roles_filters:
      additionalProperties: false
      description: The filter criteria for the query.
      properties:
        showReservedRoles:
          type: boolean
      title: security_query_roles_filters
      type: object
      x-oas-optional: true
    Kibana_HTTP_APIs_security_query_roles_response:
      additionalProperties: false
      description: The response payload for a roles query.
      properties:
        count:
          description: The number of roles returned in this response page.
          type: number
        roles:
          items:
            $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_response'
          type: array
        total:
          description: The total number of roles that match the query.
          type: number
      required:
        - roles
        - count
        - total
      title: security_query_roles_response
      type: object
    Kibana_HTTP_APIs_security_query_roles_sort:
      additionalProperties: false
      description: The sort criteria for the query.
      properties:
        direction:
          enum:
            - asc
            - desc
          type: string
        field:
          type: string
      required:
        - field
        - direction
      title: security_query_roles_sort
      type: object
      x-oas-optional: true
    Kibana_HTTP_APIs_security_role_elasticsearch:
      additionalProperties: false
      description: The Elasticsearch cluster, index, and remote cluster security privileges for the role.
      properties:
        cluster:
          items:
            description: Cluster privileges that define the cluster level actions that users can perform.
            type: string
          maxItems: 100
          type: array
        indices:
          items:
            $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_indices_privileges'
          maxItems: 1000
          type: array
        remote_cluster:
          items:
            $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_remote_cluster_privileges'
          maxItems: 100
          type: array
        remote_indices:
          items:
            $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_remote_indices_privileges'
          maxItems: 1000
          type: array
        run_as:
          items:
            description: A username that members of this role can impersonate.
            type: string
          maxItems: 100
          type: array
      title: security_role_elasticsearch
      type: object
    Kibana_HTTP_APIs_security_role_indices_privileges:
      additionalProperties: false
      description: The indices privileges entry.
      properties:
        allow_restricted_indices:
          description: Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field covers the restricted indices too.
          type: boolean
        field_security:
          additionalProperties:
            items:
              description: The document fields that the role members have read access to.
              type: string
            maxItems: 1000
            type: array
          type: object
        names:
          items:
            description: The data streams, indices, and aliases to which the permissions in this entry apply. It supports wildcards (*).
            type: string
          maxItems: 100
          minItems: 1
          type: array
        privileges:
          items:
            description: The index level privileges that the role members have for the data streams and indices.
            type: string
          maxItems: 100
          minItems: 1
          type: array
        query:
          description: A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members.
          type: string
      required:
        - names
        - privileges
      title: security_role_indices_privileges
      type: object
    Kibana_HTTP_APIs_security_role_kibana_application:
      additionalProperties: false
      description: A raw Elasticsearch application privilege entry tied to Kibana.
      properties:
        application:
          type: string
        privileges:
          items:
            type: string
          type: array
        resources:
          items:
            type: string
          type: array
      required:
        - application
        - privileges
        - resources
      title: security_role_kibana_application
      type: object
    Kibana_HTTP_APIs_security_role_kibana_privilege:
      additionalProperties: false
      description: The Kibana privilege entry for the role.
      properties:
        base:
          anyOf:
            - items: {}
              type: array
            - type: boolean
            - type: number
            - type: object
            - type: string
          nullable: true
          oneOf:
            - items:
                description: A base privilege that applies to all spaces.
                type: string
              maxItems: 50
              type: array
            - items:
                description: A base privilege that applies to specific spaces.
                type: string
              maxItems: 50
              type: array
        feature:
          additionalProperties:
            items:
              description: The privileges that the role member has for the feature.
              type: string
            maxItems: 100
            type: array
          type: object
        spaces:
          anyOf:
            - items:
                enum:
                  - '*'
                type: string
              maxItems: 1
              minItems: 1
              type: array
            - items:
                description: A space that the privilege applies to.
                type: string
              maxItems: 1000
              type: array
          default:
            - '*'
      required:
        - base
      title: security_role_kibana_privilege
      type: object
    Kibana_HTTP_APIs_security_role_kibana_privilege_response:
      additionalProperties: false
      description: A Kibana privilege entry returned for a role.
      properties:
        _reserved:
          items:
            description: A reserved Kibana privilege granted globally.
            type: string
          type: array
        base:
          items:
            description: A base Kibana privilege.
            type: string
          type: array
        feature:
          additionalProperties:
            items:
              description: A privilege the role member has for the feature.
              type: string
            type: array
          type: object
        spaces:
          items:
            description: A space that the privilege applies to. The wildcard `*` indicates all spaces.
            type: string
          type: array
      required:
        - spaces
        - base
        - feature
      title: security_role_kibana_privilege_response
      type: object
    Kibana_HTTP_APIs_security_role_put_payload:
      additionalProperties: false
      description: The role definition to create or update.
      properties:
        description:
          description: A description for the role.
          maxLength: 2048
          type: string
        elasticsearch:
          $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_elasticsearch'
        kibana:
          items:
            $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_kibana_privilege'
          type: array
        metadata:
          additionalProperties:
            nullable: true
          type: object
      required:
        - elasticsearch
      title: security_role_put_payload
      type: object
    Kibana_HTTP_APIs_security_role_remote_cluster_privileges:
      additionalProperties: false
      description: The remote cluster privileges entry.
      properties:
        clusters:
          items:
            description: A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions.
            type: string
          maxItems: 100
          minItems: 1
          type: array
        privileges:
          items:
            description: The cluster level privileges for the remote cluster. The allowed values are a subset of the cluster privileges.
            type: string
          maxItems: 100
          minItems: 1
          type: array
      required:
        - privileges
        - clusters
      title: security_role_remote_cluster_privileges
      type: object
    Kibana_HTTP_APIs_security_role_remote_indices_privileges:
      additionalProperties: false
      description: The remote indices privileges entry.
      properties:
        allow_restricted_indices:
          description: Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field will cover the restricted indices too.
          type: boolean
        clusters:
          items:
            description: A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions.
            type: string
          maxItems: 100
          minItems: 1
          type: array
        field_security:
          additionalProperties:
            items:
              description: The document fields that the role members have read access to.
              type: string
            maxItems: 1000
            type: array
          type: object
        names:
          items:
            description: A list of remote aliases, data streams, or indices to which the permissions apply. It supports wildcards (*).
            type: string
          maxItems: 100
          minItems: 1
          type: array
        privileges:
          items:
            description: The index level privileges that role members have for the specified indices.
            type: string
          maxItems: 100
          minItems: 1
          type: array
        query:
          description: 'A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members.'
          type: string
      required:
        - clusters
        - names
        - privileges
      title: security_role_remote_indices_privileges
      type: object
    Kibana_HTTP_APIs_security_role_response:
      additionalProperties: false
      description: A Kibana role definition returned by the Roles API.
      properties:
        _transform_error:
          items:
            $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_transform_error'
          type: array
        _unrecognized_applications:
          items:
            description: Application names found on the role that are not recognized by Kibana.
            type: string
          type: array
        description:
          description: A description for the role.
          type: string
        elasticsearch:
          $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_elasticsearch'
        kibana:
          items:
            $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_kibana_privilege_response'
          type: array
        metadata:
          additionalProperties:
            nullable: true
          type: object
        name:
          description: The role name.
          type: string
        transient_metadata:
          additionalProperties:
            nullable: true
          type: object
      required:
        - name
        - elasticsearch
        - kibana
      title: security_role_response
      type: object
    Kibana_HTTP_APIs_security_role_transform_error:
      additionalProperties: false
      description: Diagnostic information about a role whose Kibana privileges could not be transformed.
      properties:
        reason:
          description: The reason the role could not be fully transformed.
          type: string
        state:
          items:
            $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_kibana_application'
          type: array
      required:
        - reason
      title: security_role_transform_error
      type: object
    Kibana_HTTP_APIs_security_roles_bulk_create_or_update_payload:
      additionalProperties: false
      description: The request body for bulk creating or updating roles.
      properties:
        roles:
          additionalProperties:
            $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_put_payload'
          type: object
      required:
        - roles
      title: security_roles_bulk_create_or_update_payload
      type: object
    Kibana_HTTP_APIs_slo-rules-burnrate-create-rule-body-alerting:
      additionalProperties: false
      properties:
        actions:
          default: []
          items:
            additionalProperties: false
            description: An action that runs under defined conditions.
            type: object
            properties:
              alerts_filter:
                additionalProperties: false
                description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
                type: object
                properties:
                  query:
                    additionalProperties: false
                    type: object
                    properties:
                      dsl:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
                        type: string
                      filters:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            $state:
                              additionalProperties: false
                              type: object
                              properties:
                                store:
                                  description: A filter can be either specific to an application context or applied globally.
                                  enum:
                                    - appState
                                    - globalState
                                  type: string
                              required:
                                - store
                            meta:
                              additionalProperties:
                                description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
                                nullable: true
                              type: object
                            query:
                              additionalProperties:
                                description: A query for the filter.
                                nullable: true
                              type: object
                          required:
                            - meta
                        type: array
                      kql:
                        description: A filter written in Kibana Query Language (KQL).
                        type: string
                    required:
                      - kql
                      - filters
                  timeframe:
                    additionalProperties: false
                    description: Defines a period that limits whether the action runs.
                    type: object
                    properties:
                      days:
                        description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
                        items:
                          enum:
                            - 1
                            - 2
                            - 3
                            - 4
                            - 5
                            - 6
                            - 7
                          type: integer
                        type: array
                      hours:
                        additionalProperties: false
                        description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions are generated all day.
                        type: object
                        properties:
                          end:
                            description: The end of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                          start:
                            description: The start of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                        required:
                          - start
                          - end
                      timezone:
                        description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight saving time support and are not recommended.
                        type: string
                    required:
                      - days
                      - hours
                      - timezone
              frequency:
                additionalProperties: false
                type: object
                properties:
                  notify_when:
                    description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    enum:
                      - onActionGroupChange
                      - onActiveAlert
                      - onThrottleInterval
                    type: string
                  summary:
                    description: Indicates whether the action is a summary.
                    type: boolean
                  throttle:
                    description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    nullable: true
                    type: string
                required:
                  - summary
                  - notify_when
                  - throttle
              group:
                description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
                type: string
              id:
                description: The identifier for the connector saved object.
                type: string
              params:
                additionalProperties:
                  nullable: true
                default: {}
                description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
                type: object
              use_alert_data_for_template:
                description: Indicates whether to use alert data as a template.
                type: boolean
              uuid:
                description: A universally unique identifier (UUID) for the action.
                type: string
            required:
              - id
          type: array
        alert_delay:
          additionalProperties: false
          description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
          type: object
          properties:
            active:
              description: The number of consecutive runs that must meet the rule conditions.
              type: number
          required:
            - active
        artifacts:
          additionalProperties: false
          type: object
          properties:
            dashboards:
              items:
                additionalProperties: false
                type: object
                properties:
                  id:
                    type: string
                required:
                  - id
              maxItems: 10
              type: array
            investigation_guide:
              additionalProperties: false
              type: object
              properties:
                blob:
                  maxLength: 10000
                  type: string
              required:
                - blob
        consumer:
          description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
          type: string
        enabled:
          default: true
          description: Indicates whether you want to run the rule on an interval basis after it is created.
          type: boolean
        flapping:
          additionalProperties: false
          description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
          nullable: true
          type: object
          properties:
            enabled:
              description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
              type: boolean
            look_back_window:
              description: The minimum number of runs in which the threshold must be met.
              maximum: 20
              minimum: 2
              type: number
            status_change_threshold:
              description: The minimum number of times an alert must switch states in the look back window.
              maximum: 20
              minimum: 2
              type: number
          required:
            - look_back_window
            - status_change_threshold
        name:
          description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
          type: string
        notify_when:
          description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          enum:
            - onActionGroupChange
            - onActiveAlert
            - onThrottleInterval
          nullable: true
          type: string
        params:
          additionalProperties: false
          description: The parameters for the SLO burn rate rule. These parameters are appropriate when `rule_type_id` is `slo.rules.burnRate`.
          properties:
            dependencies:
              items:
                additionalProperties: false
                type: object
                properties:
                  actionGroupsToSuppressOn:
                    items:
                      type: string
                    type: array
                  ruleId:
                    type: string
                required:
                  - ruleId
                  - actionGroupsToSuppressOn
              type: array
            sloId:
              type: string
            windows:
              items:
                additionalProperties: false
                type: object
                properties:
                  actionGroup:
                    type: string
                  burnRateThreshold:
                    type: number
                  id:
                    type: string
                  longWindow:
                    additionalProperties: false
                    type: object
                    properties:
                      unit:
                        type: string
                      value:
                        type: number
                    required:
                      - value
                      - unit
                  maxBurnRateThreshold:
                    nullable: true
                    type: number
                  shortWindow:
                    additionalProperties: false
                    type: object
                    properties:
                      unit:
                        type: string
                      value:
                        type: number
                    required:
                      - value
                      - unit
                required:
                  - id
                  - burnRateThreshold
                  - maxBurnRateThreshold
                  - longWindow
                  - shortWindow
                  - actionGroup
              type: array
          required:
            - sloId
            - windows
          title: SLO Burn Rate Rule Params
          type: object
        rule_type_id:
          enum:
            - slo.rules.burnRate
          type: string
        schedule:
          additionalProperties: false
          description: The check interval, which specifies how frequently the rule conditions are checked.
          type: object
          properties:
            interval:
              description: The interval is specified in seconds, minutes, hours, or days.
              type: string
          required:
            - interval
        tags:
          default: []
          description: The tags for the rule.
          items:
            type: string
          type: array
        throttle:
          description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          nullable: true
          type: string
      required:
        - name
        - consumer
        - schedule
        - rule_type_id
        - params
      title: SLO burn rate
      type: object
    Kibana_HTTP_APIs_StreamlangConditionBlock:
      additionalProperties: false
      type: object
      properties:
        condition:
          $ref: '#/components/schemas/Kibana_HTTP_APIs_ConditionWithSteps'
        customIdentifier:
          type: string
      required:
        - condition
    Kibana_HTTP_APIs_StreamlangStep:
      anyOf:
        - anyOf:
            - additionalProperties: false
              description: Grok processor - Extract fields from text using grok patterns
              type: object
              properties:
                action:
                  enum:
                    - grok
                  type: string
                customIdentifier:
                  description: Custom identifier to correlate this processor across outputs
                  minLength: 1
                  type: string
                description:
                  description: Human-readable notes about this processor step
                  type: string
                from:
                  description: Source field to parse with grok patterns
                  minLength: 1
                  type: string
                ignore_failure:
                  description: Continue pipeline execution if this processor fails
                  type: boolean
                ignore_missing:
                  description: Skip processing when source field is missing
                  type: boolean
                pattern_definitions:
                  additionalProperties:
                    type: string
                  type: object
                patterns:
                  description: Grok patterns applied in order to extract fields
                  items:
                    description: A non-empty string.
                    minLength: 1
                    type: string
                  minItems: 1
                  type: array
                where:
                  $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
                  description: Conditional expression controlling whether this processor runs
              required:
                - action
                - from
                - patterns
            - additionalProperties: false
              description: Dissect processor - Extract fields from text using a lightweight, delimiter-based parser
              type: object
              properties:
                action:
                  enum:
                    - dissect
                  type: string
                append_separator:
                  description: Separator inserted when target fields are concatenated
                  minLength: 1
                  type: string
                customIdentifier:
                  description: Custom identifier to correlate this processor across outputs
                  minLength: 1
                  type: string
                description:
                  description: Human-readable notes about this processor step
                  type: string
                from:
                  description: Source field to parse with dissect pattern
                  minLength: 1
                  type: string
                ignore_failure:
                  description: Continue pipeline execution if this processor fails
                  type: boolean
                ignore_missing:
                  description: Skip processing when source field is missing
                  type: boolean
                pattern:
                  description: Dissect pattern describing field boundaries
                  minLength: 1
                  type: string
                where:
                  $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
                  description: Conditional expression controlling whether this processor runs
              required:
                - action
                - from
                - pattern
            - additionalProperties: false
              description: Date processor - Parse dates from strings using one or more expected formats
              type: object
              properties:
                action:
                  enum:
                    - date
                  type: string
                customIdentifier:
                  description: Custom identifier to correlate this processor across outputs
                  minLength: 1
                  type: string
                description:
                  description: Human-readable notes about this processor step
                  type: string
                formats:
                  description: Accepted input date formats, tried in order
                  items:
                    description: A non-empty string.
                    minLength: 1
                    type: string
                  type: array
                from:
                  description: Source field containing the date/time text
                  minLength: 1
                  type: string
                ignore_failure:
                  description: Continue pipeline execution if this processor fails
                  type: boolean
                locale:
                  description: Optional locale for date parsing
                  minLength: 1
                  type: string
                output_format:
                  description: Optional output format for storing the parsed date as text
                  minLength: 1
                  type: string
                timezone:
                  description: Optional timezone for date parsing
                  minLength: 1
                  type: string
                to:
                  description: Target field for the parsed date (defaults to source)
                  minLength: 1
                  type: string
                where:
                  $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
                  description: Conditional expression controlling whether this processor runs
              required:
                - action
                - from
                - formats
            - additionalProperties: false
              type: object
              properties:
                action:
                  enum:
                    - drop_document
                  type: string
                customIdentifier:
                  description: Custom identifier to correlate this processor across outputs
                  minLength: 1
                  type: string
                description:
                  description: Human-readable notes about this processor step
                  type: string
                ignore_failure:
                  description: Continue pipeline execution if this processor fails
                  type: boolean
                where:
                  $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
                  description: Conditional expression controlling whether this processor runs
              required:
                - action
            - additionalProperties: false
              type: object
              properties:
                action:
                  enum:
                    - math
                  type: string
                customIdentifier:
                  description: Custom identifier to correlate this processor across outputs
                  minLength: 1
                  type: string
                description:
                  description: Human-readable notes about this processor step
                  type: string
                expression:
                  description: A non-empty string.
                  minLength: 1
                  type: string
                ignore_failure:
                  description: Continue pipeline execution if this processor fails
                  type: boolean
                ignore_missing:
                  type: boolean
                to:
                  minLength: 1
                  type: string
                where:
                  $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
                  description: Conditional expression controlling whether this processor runs
              required:
                - action
                - expression
                - to
            - additionalProperties: false
              description: Rename processor - Change a field name and optionally its location
              type: object
              properties:
                action:
                  enum:
                    - rename
                  type: string
                customIdentifier:
                  description: Custom identifier to correlate this processor across outputs
                  minLength: 1
                  type: string
                description:
                  description: Human-readable notes about this processor step
                  type: string
                from:
                  description: Existing source field to rename or move
                  minLength: 1
                  type: string
                ignore_failure:
                  description: Continue pipeline execution if this processor fails
                  type: boolean
                ignore_missing:
                  description: Skip when source field is missing
                  type: boolean
                override:
                  description: Allow overwriting the target field if it already exists
                  type: boolean
                to:
                  description: New field name or destination path
                  minLength: 1
                  type: string
                where:
                  $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
                  description: Conditional expression controlling whether this processor runs
              required:
                - action
                - from
                - to
            - additionalProperties: false
              description: Set processor - Assign a literal or copied value to a field (mutually exclusive inputs)
              type: object
              properties:
                action:
                  enum:
                    - set
                  type: string
                copy_from:
                  description: Copy value from another field instead of providing a literal
                  minLength: 1
                  type: string
                customIdentifier:
                  description: Custom identifier to correlate this processor across outputs
                  minLength: 1
                  type: string
                description:
                  description: Human-readable notes about this processor step
                  type: string
                ignore_failure:
                  description: Continue pipeline execution if this processor fails
                  type: boolean
                override:
                  description: Allow overwriting an existing target field
                  type: boolean
                to:
                  description: Target field to set or create
                  minLength: 1
                  type: string
                value:
                  description: Literal value to assign to the target field
                where:
                  $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
                  description: Conditional expression controlling whether this processor runs
              required:
                - action
                - to
            - additionalProperties: false
              description: Append processor - Append one or more values to an existing or new array field
              type: object
              properties:
                action:
                  enum:
                    - append
                  type: string
                allow_duplicates:
                  description: If true, do not deduplicate appended values
                  type: boolean
                customIdentifier:
                  description: Custom identifier to correlate this processor across outputs
                  minLength: 1
                  type: string
                description:
                  description: Human-readable notes about this processor step
                  type: string
                ignore_failure:
                  description: Continue pipeline execution if this processor fails
                  type: boolean
                to:
                  description: Array field to append values to
                  minLength: 1
                  type: string
                value:
                  description: Values to append (must be literal, no templates)
                  items: {}
                  minItems: 1
                  type: array
                where:
                  $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
                  description: Conditional expression controlling whether this processor runs
              required:
                - action
                - to
                - value
            - additionalProperties: false
              description: Remove by prefix processor - Remove a field and all nested fields matching the prefix
              type: object
              properties:
                action:
                  enum:
                    - remove_by_prefix
                  type: string
                customIdentifier:
                  description: Custom identifier to correlate this processor across outputs
                  minLength: 1
                  type: string
                description:
                  description: Human-readable notes about this processor step
                  type: string
                from:
                  description: Field to remove along with all its nested fields
                  minLength: 1
                  type: string
                ignore_failure:
                  description: Continue pipeline execution if this processor fails
                  type: boolean
              required:
                - action
                - from
            - additionalProperties: false
              description: Remove processor - Delete one or more fields from the document
              type: object
              properties:
                action:
                  enum:
                    - remove
                  type: string
                customIdentifier:
                  description: Custom identifier to correlate this processor across outputs
                  minLength: 1
                  type: string
                description:
                  description: Human-readable notes about this processor step
                  type: string
                from:
                  description: Field to remove from the document
                  minLength: 1
                  type: string
                ignore_failure:
                  description: Continue pipeline execution if this processor fails
                  type: boolean
                ignore_missing:
                  description: Skip processing when source field is missing
                  type: boolean
                where:
                  $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
                  description: Conditional expression controlling whether this processor runs
              required:
                - action
                - from
            - additionalProperties: false
              type: object
              properties:
                action:
                  enum:
                    - replace
                  type: string
                customIdentifier:
                  description: Custom identifier to correlate this processor across outputs
                  minLength: 1
                  type: string
                description:
                  description: Human-readable notes about this processor step
                  type: string
                from:
                  minLength: 1
                  type: string
                ignore_failure:
                  description: Continue pipeline execution if this processor fails
                  type: boolean
                ignore_missing:
                  type: boolean
                pattern:
                  minLength: 1
                  type: string
                replacement:
                  type: string
                to:
                  minLength: 1
                  type: string
                where:
                  $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
                  description: Conditional expression controlling whether this processor runs
              required:
                - action
                - from
                - pattern
                - replacement
            - additionalProperties: false
              description: Redact processor - Mask sensitive data using Grok patterns
              type: object
              properties:
                action:
                  enum:
                    - redact
                  type: string
                customIdentifier:
                  description: Custom identifier to correlate this processor across outputs
                  minLength: 1
                  type: string
                description:
                  description: Human-readable notes about this processor step
                  type: string
                from:
                  description: Source field to redact sensitive data from
                  minLength: 1
                  type: string
                ignore_failure:
                  description: Continue pipeline execution if this processor fails
                  type: boolean
                ignore_missing:
                  description: Skip processing when source field is missing (defaults to true)
                  type: boolean
                pattern_definitions:
                  additionalProperties:
                    type: string
                  description: Custom pattern definitions to use in the patterns
                  type: object
                patterns:
                  description: Grok patterns to match sensitive data (for example, "%{IP:client}", "%{EMAILADDRESS:email}")
                  items:
                    description: A non-empty string.
                    minLength: 1
                    type: string
                  minItems: 1
                  type: array
                prefix:
                  description: Prefix to prepend to the redacted pattern name (defaults to "<")
                  type: string
                suffix:
                  description: Suffix to append to the redacted pattern name (defaults to ">")
                  type: string
                where:
                  $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
                  description: Conditional expression controlling whether this processor runs
              required:
                - action
                - from
                - patterns
            - additionalProperties: false
              type: object
              properties:
                action:
                  enum:
                    - uppercase
                  type: string
                customIdentifier:
                  description: Custom identifier to correlate this processor across outputs
                  minLength: 1
                  type: string
                description:
                  description: Human-readable notes about this processor step
                  type: string
                from:
                  minLength: 1
                  type: string
                ignore_failure:
                  description: Continue pipeline execution if this processor fails
                  type: boolean
                ignore_missing:
                  type: boolean
                to:
                  minLength: 1
                  type: string
                where:
                  $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
                  description: Conditional expression controlling whether this processor runs
              required:
                - action
                - from
            - additionalProperties: false
              type: object
              properties:
                action:
                  enum:
                    - lowercase
                  type: string
                customIdentifier:
                  description: Custom identifier to correlate this processor across outputs
                  minLength: 1
                  type: string
                description:
                  description: Human-readable notes about this processor step
                  type: string
                from:
                  minLength: 1
                  type: string
                ignore_failure:
                  description: Continue pipeline execution if this processor fails
                  type: boolean
                ignore_missing:
                  type: boolean
                to:
                  minLength: 1
                  type: string
                where:
                  $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
                  description: Conditional expression controlling whether this processor runs
              required:
                - action
                - from
            - additionalProperties: false
              type: object
              properties:
                action:
                  enum:
                    - trim
                  type: string
                customIdentifier:
                  description: Custom identifier to correlate this processor across outputs
                  minLength: 1
                  type: string
                description:
                  description: Human-readable notes about this processor step
                  type: string
                from:
                  minLength: 1
                  type: string
                ignore_failure:
                  description: Continue pipeline execution if this processor fails
                  type: boolean
                ignore_missing:
                  type: boolean
                to:
                  minLength: 1
                  type: string
                where:
                  $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
                  description: Conditional expression controlling whether this processor runs
              required:
                - action
                - from
            - additionalProperties: false
              type: object
              properties:
                action:
                  enum:
                    - join
                  type: string
                customIdentifier:
                  description: Custom identifier to correlate this processor across outputs
                  minLength: 1
                  type: string
                delimiter:
                  type: string
                description:
                  description: Human-readable notes about this processor step
                  type: string
                from:
                  items:
                    minLength: 1
                    type: string
                  minItems: 1
                  type: array
                ignore_failure:
                  description: Continue pipeline execution if this processor fails
                  type: boolean
                ignore_missing:
                  type: boolean
                to:
                  minLength: 1
                  type: string
                where:
                  $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
                  description: Conditional expression controlling whether this processor runs
              required:
                - action
                - from
                - delimiter
                - to
            - additionalProperties: false
              description: Split processor - Split a field value into an array using a separator
              type: object
              properties:
                action:
                  enum:
                    - split
                  type: string
                customIdentifier:
                  description: Custom identifier to correlate this processor across outputs
                  minLength: 1
                  type: string
                description:
                  description: Human-readable notes about this processor step
                  type: string
                from:
                  description: Source field to split into an array
                  minLength: 1
                  type: string
                ignore_failure:
                  description: Continue pipeline execution if this processor fails
                  type: boolean
                ignore_missing:
                  description: Skip processing when source field is missing
                  type: boolean
                preserve_trailing:
                  description: Preserve empty trailing fields in the split result
                  type: boolean
                separator:
                  description: Regex separator used to split the field value into an array
                  minLength: 1
                  type: string
                to:
                  description: Target field for the split array (defaults to source)
                  minLength: 1
                  type: string
                where:
                  $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
                  description: Conditional expression controlling whether this processor runs
              required:
                - action
                - from
                - separator
            - additionalProperties: false
              type: object
              properties:
                action:
                  enum:
                    - sort
                  type: string
                customIdentifier:
                  description: Custom identifier to correlate this processor across outputs
                  minLength: 1
                  type: string
                description:
                  description: Human-readable notes about this processor step
                  type: string
                from:
                  description: Array field to sort
                  minLength: 1
                  type: string
                ignore_failure:
                  description: Continue pipeline execution if this processor fails
                  type: boolean
                ignore_missing:
                  description: Skip processing when source field is missing
                  type: boolean
                order:
                  description: Sort order - "asc" (ascending) or "desc" (descending). Defaults to "asc"
                  enum:
                    - asc
                    - desc
                  type: string
                to:
                  description: Target field for the sorted array (defaults to source)
                  minLength: 1
                  type: string
                where:
                  $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
                  description: Conditional expression controlling whether this processor runs
              required:
                - action
                - from
            - additionalProperties: false
              description: Convert processor - Change the data type of a field value (integer, long, double, boolean, or string)
              type: object
              properties:
                action:
                  enum:
                    - convert
                  type: string
                customIdentifier:
                  description: Custom identifier to correlate this processor across outputs
                  minLength: 1
                  type: string
                description:
                  description: Human-readable notes about this processor step
                  type: string
                from:
                  description: Source field to convert to a different data type
                  minLength: 1
                  type: string
                ignore_failure:
                  description: Continue pipeline execution if this processor fails
                  type: boolean
                ignore_missing:
                  description: Skip processing when source field is missing
                  type: boolean
                to:
                  description: Target field for the converted value (defaults to source)
                  minLength: 1
                  type: string
                type:
                  description: 'Target data type: integer, long, double, boolean, or string'
                  enum:
                    - integer
                    - long
                    - double
                    - boolean
                    - string
                  type: string
                where:
                  $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
                  description: Conditional expression controlling whether this processor runs
              required:
                - action
                - from
                - type
            - additionalProperties: false
              type: object
              properties:
                action:
                  enum:
                    - concat
                  type: string
                customIdentifier:
                  description: Custom identifier to correlate this processor across outputs
                  minLength: 1
                  type: string
                description:
                  description: Human-readable notes about this processor step
                  type: string
                from:
                  items:
                    anyOf:
                      - type: object
                        properties:
                          type:
                            enum:
                              - field
                            type: string
                          value:
                            minLength: 1
                            type: string
                        required:
                          - type
                          - value
                      - type: object
                        properties:
                          type:
                            enum:
                              - literal
                            type: string
                          value:
                            type: string
                        required:
                          - type
                          - value
                  minItems: 1
                  type: array
                ignore_failure:
                  description: Continue pipeline execution if this processor fails
                  type: boolean
                ignore_missing:
                  type: boolean
                to:
                  minLength: 1
                  type: string
                where:
                  $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
                  description: Conditional expression controlling whether this processor runs
              required:
                - action
                - from
                - to
            - allOf:
                - additionalProperties: false
                  type: object
                  properties:
                    action:
                      enum:
                        - network_direction
                      type: string
                    customIdentifier:
                      description: Custom identifier to correlate this processor across outputs
                      minLength: 1
                      type: string
                    description:
                      description: Human-readable notes about this processor step
                      type: string
                    destination_ip:
                      minLength: 1
                      type: string
                    ignore_failure:
                      description: Continue pipeline execution if this processor fails
                      type: boolean
                    ignore_missing:
                      type: boolean
                    source_ip:
                      minLength: 1
                      type: string
                    target_field:
                      minLength: 1
                      type: string
                    where:
                      $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
                      description: Conditional expression controlling whether this processor runs
                  required:
                    - action
                    - source_ip
                    - destination_ip
                - anyOf:
                    - additionalProperties: false
                      type: object
                      properties:
                        internal_networks:
                          items:
                            type: string
                          type: array
                      required:
                        - internal_networks
                    - additionalProperties: false
                      type: object
                      properties:
                        internal_networks_field:
                          minLength: 1
                          type: string
                      required:
                        - internal_networks_field
            - additionalProperties: false
              description: JsonExtract processor - Extract values from JSON strings using JSONPath-like selectors
              type: object
              properties:
                action:
                  enum:
                    - json_extract
                  type: string
                customIdentifier:
                  description: Custom identifier to correlate this processor across outputs
                  minLength: 1
                  type: string
                description:
                  description: Human-readable notes about this processor step
                  type: string
                extractions:
                  description: List of extraction specifications
                  items:
                    description: A single extraction specification
                    type: object
                    properties:
                      selector:
                        description: JSONPath-like selector to extract value (e.g., "user.id", "$.metadata.client.ip", "items[0].name")
                        minLength: 1
                        type: string
                      target_field:
                        description: Target field to store the extracted value
                        minLength: 1
                        type: string
                      type:
                        description: Data type for the extracted value. Defaults to "keyword". Ensures consistent types across transpilers.
                        enum:
                          - keyword
                          - integer
                          - long
                          - double
                          - boolean
                        type: string
                    required:
                      - selector
                      - target_field
                  minItems: 1
                  type: array
                field:
                  description: Source field containing the JSON string to parse
                  minLength: 1
                  type: string
                ignore_failure:
                  description: Continue pipeline execution if this processor fails
                  type: boolean
                ignore_missing:
                  description: Skip processing when source field is missing
                  type: boolean
                where:
                  $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
                  description: Conditional expression controlling whether this processor runs
              required:
                - action
                - field
                - extractions
            - additionalProperties: false
              type: object
              properties:
                action:
                  enum:
                    - enrich
                  type: string
                customIdentifier:
                  description: Custom identifier to correlate this processor across outputs
                  minLength: 1
                  type: string
                description:
                  description: Human-readable notes about this processor step
                  type: string
                ignore_failure:
                  description: Continue pipeline execution if this processor fails
                  type: boolean
                ignore_missing:
                  type: boolean
                override:
                  type: boolean
                policy_name:
                  description: A non-empty string.
                  minLength: 1
                  type: string
                to:
                  minLength: 1
                  type: string
                where:
                  $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
                  description: Conditional expression controlling whether this processor runs
              required:
                - action
                - policy_name
                - to
            - additionalProperties: false
              description: Manual ingest pipeline wrapper around native Elasticsearch processors
              type: object
              properties:
                action:
                  description: Manual ingest pipeline - executes raw Elasticsearch ingest processors
                  enum:
                    - manual_ingest_pipeline
                  type: string
                customIdentifier:
                  description: Custom identifier to correlate this processor across outputs
                  minLength: 1
                  type: string
                description:
                  description: Human-readable notes about this processor step
                  type: string
                ignore_failure:
                  description: Continue pipeline execution if this processor fails
                  type: boolean
                on_failure:
                  description: Fallback processors to run when a processor fails
                  items:
                    additionalProperties: {}
                    type: object
                  type: array
                processors:
                  description: List of raw Elasticsearch ingest processors to run
                  items:
                    additionalProperties: {}
                    type: object
                  type: array
                tag:
                  description: Optional ingest processor tag for Elasticsearch
                  type: string
                where:
                  $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
                  description: Conditional expression controlling whether this processor runs
              required:
                - action
                - processors
        - $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangConditionBlock'
    Kibana_HTTP_APIs_StreamUpsertRequest:
      anyOf:
        - $ref: '#/components/schemas/Kibana_HTTP_APIs_WiredStreamUpsertRequest'
        - $ref: '#/components/schemas/Kibana_HTTP_APIs_ClassicStreamUpsertRequest'
        - $ref: '#/components/schemas/Kibana_HTTP_APIs_QueryStreamUpsertRequest'
    Kibana_HTTP_APIs_transform-health-create-rule-body-alerting:
      additionalProperties: false
      properties:
        actions:
          default: []
          items:
            additionalProperties: false
            description: An action that runs under defined conditions.
            type: object
            properties:
              alerts_filter:
                additionalProperties: false
                description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
                type: object
                properties:
                  query:
                    additionalProperties: false
                    type: object
                    properties:
                      dsl:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
                        type: string
                      filters:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            $state:
                              additionalProperties: false
                              type: object
                              properties:
                                store:
                                  description: A filter can be either specific to an application context or applied globally.
                                  enum:
                                    - appState
                                    - globalState
                                  type: string
                              required:
                                - store
                            meta:
                              additionalProperties:
                                description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
                                nullable: true
                              type: object
                            query:
                              additionalProperties:
                                description: A query for the filter.
                                nullable: true
                              type: object
                          required:
                            - meta
                        type: array
                      kql:
                        description: A filter written in Kibana Query Language (KQL).
                        type: string
                    required:
                      - kql
                      - filters
                  timeframe:
                    additionalProperties: false
                    description: Defines a period that limits whether the action runs.
                    type: object
                    properties:
                      days:
                        description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
                        items:
                          enum:
                            - 1
                            - 2
                            - 3
                            - 4
                            - 5
                            - 6
                            - 7
                          type: integer
                        type: array
                      hours:
                        additionalProperties: false
                        description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.
                        type: object
                        properties:
                          end:
                            description: The end of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                          start:
                            description: The start of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                        required:
                          - start
                          - end
                      timezone:
                        description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight saving time support and are not recommended.
                        type: string
                    required:
                      - days
                      - hours
                      - timezone
              frequency:
                additionalProperties: false
                type: object
                properties:
                  notify_when:
                    description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    enum:
                      - onActionGroupChange
                      - onActiveAlert
                      - onThrottleInterval
                    type: string
                  summary:
                    description: Indicates whether the action is a summary.
                    type: boolean
                  throttle:
                    description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    nullable: true
                    type: string
                required:
                  - summary
                  - notify_when
                  - throttle
              group:
                description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
                type: string
              id:
                description: The identifier for the connector saved object.
                type: string
              params:
                additionalProperties:
                  nullable: true
                default: {}
                description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
                type: object
              use_alert_data_for_template:
                description: Indicates whether to use alert data as a template.
                type: boolean
              uuid:
                description: A universally unique identifier (UUID) for the action.
                type: string
            required:
              - id
          type: array
        alert_delay:
          additionalProperties: false
          description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
          type: object
          properties:
            active:
              description: The number of consecutive runs that must meet the rule conditions.
              type: number
          required:
            - active
        artifacts:
          additionalProperties: false
          type: object
          properties:
            dashboards:
              items:
                additionalProperties: false
                type: object
                properties:
                  id:
                    type: string
                required:
                  - id
              maxItems: 10
              type: array
            investigation_guide:
              additionalProperties: false
              type: object
              properties:
                blob:
                  maxLength: 10000
                  type: string
              required:
                - blob
        consumer:
          description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
          type: string
        enabled:
          default: true
          description: Indicates whether you want to run the rule on an interval basis after it is created.
          type: boolean
        flapping:
          additionalProperties: false
          description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
          nullable: true
          type: object
          properties:
            enabled:
              description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
              type: boolean
            look_back_window:
              description: The minimum number of runs in which the threshold must be met.
              maximum: 20
              minimum: 2
              type: number
            status_change_threshold:
              description: The minimum number of times an alert must switch states in the look back window.
              maximum: 20
              minimum: 2
              type: number
          required:
            - look_back_window
            - status_change_threshold
        name:
          description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
          type: string
        notify_when:
          description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          enum:
            - onActionGroupChange
            - onActiveAlert
            - onThrottleInterval
          nullable: true
          type: string
        params:
          additionalProperties: false
          description: The parameters for the transform health rule. These parameters are appropriate when `rule_type_id` is `transform_health`.
          properties:
            excludeTransforms:
              default: []
              items:
                type: string
              nullable: true
              type: array
            includeTransforms:
              items:
                type: string
              type: array
            testsConfig:
              additionalProperties: false
              nullable: true
              type: object
              properties:
                errorMessages:
                  additionalProperties: false
                  nullable: true
                  type: object
                  properties:
                    enabled:
                      default: false
                      type: boolean
                healthCheck:
                  additionalProperties: false
                  nullable: true
                  type: object
                  properties:
                    enabled:
                      default: true
                      type: boolean
                notStarted:
                  additionalProperties: false
                  nullable: true
                  type: object
                  properties:
                    enabled:
                      default: true
                      type: boolean
              required:
                - notStarted
                - errorMessages
                - healthCheck
          required:
            - includeTransforms
            - testsConfig
          title: Transform Health Rule Params
          type: object
        rule_type_id:
          enum:
            - transform_health
          type: string
        schedule:
          additionalProperties: false
          description: The check interval, which specifies how frequently the rule conditions are checked.
          type: object
          properties:
            interval:
              description: The interval is specified in seconds, minutes, hours, or days.
              type: string
          required:
            - interval
        tags:
          default: []
          description: The tags for the rule.
          items:
            type: string
          type: array
        throttle:
          description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          nullable: true
          type: string
      required:
        - name
        - consumer
        - schedule
        - rule_type_id
        - params
      title: Transform health
      type: object
    Kibana_HTTP_APIs_update_output_elasticsearch:
      additionalProperties: false
      properties:
        allow_edit:
          items:
            type: string
          maxItems: 1000
          type: array
        ca_sha256:
          nullable: true
          type: string
        ca_trusted_fingerprint:
          nullable: true
          type: string
        config_yaml:
          nullable: true
          type: string
        hosts:
          items:
            format: uri
            type: string
          maxItems: 10
          minItems: 1
          type: array
        id:
          type: string
        is_default:
          type: boolean
        is_default_monitoring:
          type: boolean
        is_internal:
          type: boolean
        is_preconfigured:
          type: boolean
        name:
          type: string
        otel_disable_beatsauth:
          nullable: true
          type: boolean
        otel_exporter_config_yaml:
          nullable: true
          type: string
        preset:
          enum:
            - balanced
            - custom
            - throughput
            - scale
            - latency
          type: string
        proxy_id:
          nullable: true
          type: string
        secrets:
          additionalProperties: false
          type: object
          properties:
            ssl:
              additionalProperties: false
              type: object
              properties:
                key:
                  anyOf:
                    - additionalProperties: false
                      type: object
                      properties:
                        hash:
                          type: string
                        id:
                          type: string
                      required:
                        - id
                    - type: string
        shipper:
          allOf:
            - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper'
          nullable: true
        ssl:
          allOf:
            - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl'
          nullable: true
        type:
          enum:
            - elasticsearch
          type: string
        write_to_logs_streams:
          nullable: true
          type: boolean
      title: update_output_elasticsearch
      type: object
    Kibana_HTTP_APIs_update_output_kafka:
      additionalProperties: false
      properties:
        allow_edit:
          items:
            type: string
          maxItems: 1000
          type: array
        auth_type:
          enum:
            - none
            - user_pass
            - ssl
            - kerberos
          type: string
        broker_timeout:
          type: number
        ca_sha256:
          nullable: true
          type: string
        ca_trusted_fingerprint:
          nullable: true
          type: string
        client_id:
          type: string
        compression:
          enum:
            - gzip
            - snappy
            - lz4
            - none
          type: string
        compression_level:
          nullable: true
          type: number
        config_yaml:
          nullable: true
          type: string
        connection_type:
          enum:
            - plaintext
            - encryption
          type: string
        hash:
          additionalProperties: false
          type: object
          properties:
            hash:
              type: string
            random:
              type: boolean
        headers:
          items:
            additionalProperties: false
            type: object
            properties:
              key:
                type: string
              value:
                type: string
            required:
              - key
              - value
          maxItems: 100
          type: array
        hosts:
          items:
            type: string
          maxItems: 10
          minItems: 1
          type: array
        id:
          type: string
        is_default:
          default: false
          type: boolean
        is_default_monitoring:
          default: false
          type: boolean
        is_internal:
          type: boolean
        is_preconfigured:
          type: boolean
        key:
          type: string
        name:
          type: string
        otel_disable_beatsauth:
          nullable: true
          type: boolean
        otel_exporter_config_yaml:
          nullable: true
          type: string
        partition:
          enum:
            - random
            - round_robin
            - hash
          type: string
        password:
          nullable: true
          type: string
        proxy_id:
          nullable: true
          type: string
        random:
          additionalProperties: false
          type: object
          properties:
            group_events:
              type: number
        required_acks:
          enum:
            - 1
            - 0
            - -1
          type: integer
        round_robin:
          additionalProperties: false
          type: object
          properties:
            group_events:
              type: number
        sasl:
          additionalProperties: false
          nullable: true
          type: object
          properties:
            mechanism:
              enum:
                - PLAIN
                - SCRAM-SHA-256
                - SCRAM-SHA-512
              type: string
        secrets:
          additionalProperties: false
          type: object
          properties:
            password:
              anyOf:
                - additionalProperties: false
                  type: object
                  properties:
                    hash:
                      type: string
                    id:
                      type: string
                  required:
                    - id
                - type: string
            ssl:
              additionalProperties: false
              type: object
              properties:
                key:
                  anyOf:
                    - additionalProperties: false
                      type: object
                      properties:
                        hash:
                          type: string
                        id:
                          type: string
                      required:
                        - id
                    - type: string
              required:
                - key
        shipper:
          allOf:
            - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper'
          nullable: true
        ssl:
          allOf:
            - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl'
          nullable: true
        timeout:
          type: number
        topic:
          type: string
        type:
          enum:
            - kafka
          type: string
        username:
          nullable: true
          type: string
        version:
          type: string
      required:
        - name
      title: update_output_kafka
      type: object
    Kibana_HTTP_APIs_update_output_logstash:
      additionalProperties: false
      properties:
        allow_edit:
          items:
            type: string
          maxItems: 1000
          type: array
        ca_sha256:
          nullable: true
          type: string
        ca_trusted_fingerprint:
          nullable: true
          type: string
        config_yaml:
          nullable: true
          type: string
        hosts:
          items:
            type: string
          maxItems: 10
          minItems: 1
          type: array
        id:
          type: string
        is_default:
          type: boolean
        is_default_monitoring:
          type: boolean
        is_internal:
          type: boolean
        is_preconfigured:
          type: boolean
        name:
          type: string
        otel_disable_beatsauth:
          nullable: true
          type: boolean
        otel_exporter_config_yaml:
          nullable: true
          type: string
        proxy_id:
          nullable: true
          type: string
        secrets:
          additionalProperties: false
          type: object
          properties:
            ssl:
              additionalProperties: false
              type: object
              properties:
                key:
                  anyOf:
                    - additionalProperties: false
                      type: object
                      properties:
                        hash:
                          type: string
                        id:
                          type: string
                      required:
                        - id
                    - type: string
        shipper:
          allOf:
            - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper'
          nullable: true
        ssl:
          allOf:
            - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl'
          nullable: true
        type:
          enum:
            - logstash
          type: string
      title: update_output_logstash
      type: object
    Kibana_HTTP_APIs_update_output_remote_elasticsearch:
      additionalProperties: false
      properties:
        allow_edit:
          items:
            type: string
          maxItems: 1000
          type: array
        ca_sha256:
          nullable: true
          type: string
        ca_trusted_fingerprint:
          nullable: true
          type: string
        config_yaml:
          nullable: true
          type: string
        hosts:
          items:
            format: uri
            type: string
          maxItems: 10
          minItems: 1
          type: array
        id:
          type: string
        is_default:
          type: boolean
        is_default_monitoring:
          type: boolean
        is_internal:
          type: boolean
        is_preconfigured:
          type: boolean
        kibana_api_key:
          nullable: true
          type: string
        kibana_url:
          nullable: true
          type: string
        name:
          type: string
        otel_disable_beatsauth:
          nullable: true
          type: boolean
        otel_exporter_config_yaml:
          nullable: true
          type: string
        preset:
          enum:
            - balanced
            - custom
            - throughput
            - scale
            - latency
          type: string
        proxy_id:
          nullable: true
          type: string
        secrets:
          additionalProperties: false
          type: object
          properties:
            service_token:
              anyOf:
                - additionalProperties: false
                  type: object
                  properties:
                    hash:
                      type: string
                    id:
                      type: string
                  required:
                    - id
                - type: string
            ssl:
              additionalProperties: false
              type: object
              properties:
                key:
                  anyOf:
                    - additionalProperties: false
                      type: object
                      properties:
                        hash:
                          type: string
                        id:
                          type: string
                      required:
                        - id
                    - type: string
        service_token:
          nullable: true
          type: string
        shipper:
          allOf:
            - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper'
          nullable: true
        ssl:
          allOf:
            - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl'
          nullable: true
        sync_integrations:
          type: boolean
        sync_uninstalled_integrations:
          type: boolean
        type:
          enum:
            - remote_elasticsearch
          type: string
        write_to_logs_streams:
          nullable: true
          type: boolean
      title: update_output_remote_elasticsearch
      type: object
    Kibana_HTTP_APIs_WiredStreamUpsertRequest:
      additionalProperties: false
      type: object
      properties:
        dashboards:
          items:
            type: string
          type: array
        queries:
          items:
            type: object
            properties:
              description:
                type: string
              esql:
                type: object
                properties:
                  query:
                    type: string
                required:
                  - query
              evidence:
                items:
                  type: string
                type: array
              id:
                description: A non-empty string.
                minLength: 1
                type: string
              severity_score:
                type: number
              title:
                description: A non-empty string.
                minLength: 1
                type: string
              type:
                default: match
                enum:
                  - match
                  - stats
                type: string
            required:
              - id
              - title
              - description
              - esql
          type: array
        rules:
          items:
            type: string
          type: array
        stream:
          additionalProperties: false
          type: object
          properties:
            description:
              type: string
            ingest:
              additionalProperties: false
              type: object
              properties:
                failure_store:
                  $ref: '#/components/schemas/Kibana_HTTP_APIs_FailureStore'
                lifecycle:
                  $ref: '#/components/schemas/Kibana_HTTP_APIs_IngestStreamLifecycle'
                processing:
                  additionalProperties: false
                  type: object
                  properties:
                    steps:
                      items:
                        $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep'
                      type: array
                    updated_at: {}
                  required:
                    - steps
                settings:
                  additionalProperties: false
                  type: object
                  properties:
                    index.number_of_replicas:
                      additionalProperties: false
                      type: object
                      properties:
                        value:
                          type: number
                      required:
                        - value
                    index.number_of_shards:
                      additionalProperties: false
                      type: object
                      properties:
                        value:
                          type: number
                      required:
                        - value
                    index.refresh_interval:
                      additionalProperties: false
                      type: object
                      properties:
                        value:
                          anyOf:
                            - type: string
                            - enum:
                                - -1
                              type: number
                      required:
                        - value
                wired:
                  additionalProperties: false
                  type: object
                  properties:
                    draft:
                      type: boolean
                    fields:
                      $ref: '#/components/schemas/Kibana_HTTP_APIs_FieldDefinition'
                    routing:
                      items:
                        type: object
                        properties:
                          destination:
                            description: A non-empty string.
                            minLength: 1
                            type: string
                          draft:
                            type: boolean
                          status:
                            enum:
                              - enabled
                              - disabled
                            type: string
                          where:
                            $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
                        required:
                          - destination
                          - where
                      type: array
                  required:
                    - fields
                    - routing
              required:
                - lifecycle
                - processing
                - settings
                - failure_store
                - wired
            query_streams:
              items:
                type: object
                properties:
                  name:
                    type: string
                required:
                  - name
              type: array
            type:
              enum:
                - wired
              type: string
          required:
            - description
            - ingest
            - type
      required:
        - dashboards
        - rules
        - queries
        - stream
    Kibana_HTTP_APIs_xpack-ml-anomaly-detection-alert-create-rule-body-alerting:
      additionalProperties: false
      properties:
        actions:
          default: []
          items:
            additionalProperties: false
            description: An action that runs under defined conditions.
            type: object
            properties:
              alerts_filter:
                additionalProperties: false
                description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
                type: object
                properties:
                  query:
                    additionalProperties: false
                    type: object
                    properties:
                      dsl:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
                        type: string
                      filters:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            $state:
                              additionalProperties: false
                              type: object
                              properties:
                                store:
                                  description: A filter can be either specific to an application context or applied globally.
                                  enum:
                                    - appState
                                    - globalState
                                  type: string
                              required:
                                - store
                            meta:
                              additionalProperties:
                                description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value".
                                nullable: true
                              type: object
                            query:
                              additionalProperties:
                                description: A query for the filter.
                                nullable: true
                              type: object
                          required:
                            - meta
                        type: array
                      kql:
                        description: A filter written in Kibana Query Language (KQL).
                        type: string
                    required:
                      - kql
                      - filters
                  timeframe:
                    additionalProperties: false
                    description: Defines a period that limits whether the action runs.
                    type: object
                    properties:
                      days:
                        description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
                        items:
                          enum:
                            - 1
                            - 2
                            - 3
                            - 4
                            - 5
                            - 6
                            - 7
                          type: integer
                        type: array
                      hours:
                        additionalProperties: false
                        description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.
                        type: object
                        properties:
                          end:
                            description: The end of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                          start:
                            description: The start of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                        required:
                          - start
                          - end
                      timezone:
                        description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight saving time support and are not recommended.
                        type: string
                    required:
                      - days
                      - hours
                      - timezone
              frequency:
                additionalProperties: false
                type: object
                properties:
                  notify_when:
                    description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    enum:
                      - onActionGroupChange
                      - onActiveAlert
                      - onThrottleInterval
                    type: string
                  summary:
                    description: Indicates whether the action is a summary.
                    type: boolean
                  throttle:
                    description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    nullable: true
                    type: string
                required:
                  - summary
                  - notify_when
                  - throttle
              group:
                description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
                type: string
              id:
                description: The identifier for the connector saved object.
                type: string
              params:
                additionalProperties:
                  nullable: true
                default: {}
                description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
                type: object
              use_alert_data_for_template:
                description: Indicates whether to use alert data as a template.
                type: boolean
              uuid:
                description: A universally unique identifier (UUID) for the action.
                type: string
            required:
              - id
          type: array
        alert_delay:
          additionalProperties: false
          description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
          type: object
          properties:
            active:
              description: The number of consecutive runs that must meet the rule conditions.
              type: number
          required:
            - active
        artifacts:
          additionalProperties: false
          type: object
          properties:
            dashboards:
              items:
                additionalProperties: false
                type: object
                properties:
                  id:
                    type: string
                required:
                  - id
              maxItems: 10
              type: array
            investigation_guide:
              additionalProperties: false
              type: object
              properties:
                blob:
                  maxLength: 10000
                  type: string
              required:
                - blob
        consumer:
          description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
          type: string
        enabled:
          default: true
          description: Indicates whether you want to run the rule on an interval basis after it is created.
          type: boolean
        flapping:
          additionalProperties: false
          description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
          nullable: true
          type: object
          properties:
            enabled:
              description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
              type: boolean
            look_back_window:
              description: The minimum number of runs in which the threshold must be met.
              maximum: 20
              minimum: 2
              type: number
            status_change_threshold:
              description: The minimum number of times an alert must switch states in the look back window.
              maximum: 20
              minimum: 2
              type: number
          required:
            - look_back_window
            - status_change_threshold
        name:
          description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
          type: string
        notify_when:
          description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          enum:
            - onActionGroupChange
            - onActiveAlert
            - onThrottleInterval
          nullable: true
          type: string
        params:
          additionalProperties: false
          description: The parameters for the anomaly detection rule. These parameters are appropriate when `rule_type_id` is `xpack.ml.anomaly_detection_alert`.
          properties:
            includeInterim:
              default: true
              type: boolean
            jobSelection:
              additionalProperties: false
              type: object
              properties:
                groupIds:
                  default: []
                  items:
                    type: string
                  type: array
                jobIds:
                  default: []
                  items:
                    type: string
                  type: array
            kqlQueryString:
              nullable: true
              type: string
            lookbackInterval:
              nullable: true
              type: string
            resultType:
              enum:
                - record
                - bucket
                - influencer
              type: string
            severity:
              maximum: 100
              minimum: 0
              type: number
            topNBuckets:
              minimum: 1
              nullable: true
              type: number
          required:
            - jobSelection
            - severity
            - resultType
            - lookbackInterval
            - topNBuckets
            - kqlQueryString
          title: Anomaly Detection Rule Params
          type: object
        rule_type_id:
          enum:
            - xpack.ml.anomaly_detection_alert
          type: string
        schedule:
          additionalProperties: false
          description: The check interval, which specifies how frequently the rule conditions are checked.
          type: object
          properties:
            interval:
              description: The interval is specified in seconds, minutes, hours, or days.
              type: string
          required:
            - interval
        tags:
          default: []
          description: The tags for the rule.
          items:
            type: string
          type: array
        throttle:
          description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          nullable: true
          type: string
      required:
        - name
        - consumer
        - schedule
        - rule_type_id
        - params
      title: Anomaly detection
      type: object
    Kibana_HTTP_APIs_xpack-ml-anomaly-detection-jobs-health-create-rule-body-alerting:
      additionalProperties: false
      properties:
        actions:
          default: []
          items:
            additionalProperties: false
            description: An action that runs under defined conditions.
            type: object
            properties:
              alerts_filter:
                additionalProperties: false
                description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
                type: object
                properties:
                  query:
                    additionalProperties: false
                    type: object
                    properties:
                      dsl:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
                        type: string
                      filters:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            $state:
                              additionalProperties: false
                              type: object
                              properties:
                                store:
                                  description: A filter can be either specific to an application context or applied globally.
                                  enum:
                                    - appState
                                    - globalState
                                  type: string
                              required:
                                - store
                            meta:
                              additionalProperties:
                                description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value".
                                nullable: true
                              type: object
                            query:
                              additionalProperties:
                                description: A query for the filter.
                                nullable: true
                              type: object
                          required:
                            - meta
                        type: array
                      kql:
                        description: A filter written in Kibana Query Language (KQL).
                        type: string
                    required:
                      - kql
                      - filters
                  timeframe:
                    additionalProperties: false
                    description: Defines a period that limits whether the action runs.
                    type: object
                    properties:
                      days:
                        description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
                        items:
                          enum:
                            - 1
                            - 2
                            - 3
                            - 4
                            - 5
                            - 6
                            - 7
                          type: integer
                        type: array
                      hours:
                        additionalProperties: false
                        description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.
                        type: object
                        properties:
                          end:
                            description: The end of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                          start:
                            description: The start of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                        required:
                          - start
                          - end
                      timezone:
                        description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight saving time support and are not recommended.
                        type: string
                    required:
                      - days
                      - hours
                      - timezone
              frequency:
                additionalProperties: false
                type: object
                properties:
                  notify_when:
                    description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    enum:
                      - onActionGroupChange
                      - onActiveAlert
                      - onThrottleInterval
                    type: string
                  summary:
                    description: Indicates whether the action is a summary.
                    type: boolean
                  throttle:
                    description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    nullable: true
                    type: string
                required:
                  - summary
                  - notify_when
                  - throttle
              group:
                description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
                type: string
              id:
                description: The identifier for the connector saved object.
                type: string
              params:
                additionalProperties:
                  nullable: true
                default: {}
                description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
                type: object
              use_alert_data_for_template:
                description: Indicates whether to use alert data as a template.
                type: boolean
              uuid:
                description: A universally unique identifier (UUID) for the action.
                type: string
            required:
              - id
          type: array
        alert_delay:
          additionalProperties: false
          description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
          type: object
          properties:
            active:
              description: The number of consecutive runs that must meet the rule conditions.
              type: number
          required:
            - active
        artifacts:
          additionalProperties: false
          type: object
          properties:
            dashboards:
              items:
                additionalProperties: false
                type: object
                properties:
                  id:
                    type: string
                required:
                  - id
              maxItems: 10
              type: array
            investigation_guide:
              additionalProperties: false
              type: object
              properties:
                blob:
                  maxLength: 10000
                  type: string
              required:
                - blob
        consumer:
          description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
          type: string
        enabled:
          default: true
          description: Indicates whether you want to run the rule on an interval basis after it is created.
          type: boolean
        flapping:
          additionalProperties: false
          description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
          nullable: true
          type: object
          properties:
            enabled:
              description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
              type: boolean
            look_back_window:
              description: The minimum number of runs in which the threshold must be met.
              maximum: 20
              minimum: 2
              type: number
            status_change_threshold:
              description: The minimum number of times an alert must switch states in the look back window.
              maximum: 20
              minimum: 2
              type: number
          required:
            - look_back_window
            - status_change_threshold
        name:
          description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
          type: string
        notify_when:
          description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          enum:
            - onActionGroupChange
            - onActiveAlert
            - onThrottleInterval
          nullable: true
          type: string
        params:
          additionalProperties: false
          description: The parameters for the anomaly detection jobs health rule. These parameters are appropriate when `rule_type_id` is `xpack.ml.anomaly_detection_jobs_health`.
          properties:
            excludeJobs:
              additionalProperties: false
              nullable: true
              type: object
              properties:
                groupIds:
                  default: []
                  items:
                    type: string
                  type: array
                jobIds:
                  default: []
                  items:
                    type: string
                  type: array
            includeJobs:
              additionalProperties: false
              type: object
              properties:
                groupIds:
                  default: []
                  items:
                    type: string
                  type: array
                jobIds:
                  default: []
                  items:
                    type: string
                  type: array
            testsConfig:
              additionalProperties: false
              nullable: true
              type: object
              properties:
                behindRealtime:
                  additionalProperties: false
                  nullable: true
                  type: object
                  properties:
                    enabled:
                      default: true
                      type: boolean
                    timeInterval:
                      nullable: true
                      type: string
                  required:
                    - timeInterval
                datafeed:
                  additionalProperties: false
                  nullable: true
                  type: object
                  properties:
                    enabled:
                      default: true
                      type: boolean
                delayedData:
                  additionalProperties: false
                  nullable: true
                  type: object
                  properties:
                    docsCount:
                      minimum: 1
                      nullable: true
                      type: number
                    enabled:
                      default: true
                      type: boolean
                    timeInterval:
                      nullable: true
                      type: string
                  required:
                    - docsCount
                    - timeInterval
                errorMessages:
                  additionalProperties: false
                  nullable: true
                  type: object
                  properties:
                    enabled:
                      default: true
                      type: boolean
                mml:
                  additionalProperties: false
                  nullable: true
                  type: object
                  properties:
                    enabled:
                      default: true
                      type: boolean
              required:
                - datafeed
                - mml
                - delayedData
                - behindRealtime
                - errorMessages
          required:
            - includeJobs
            - excludeJobs
            - testsConfig
          title: Anomaly Detection Jobs Health Rule Params
          type: object
        rule_type_id:
          enum:
            - xpack.ml.anomaly_detection_jobs_health
          type: string
        schedule:
          additionalProperties: false
          description: The check interval, which specifies how frequently the rule conditions are checked.
          type: object
          properties:
            interval:
              description: The interval is specified in seconds, minutes, hours, or days.
              type: string
          required:
            - interval
        tags:
          default: []
          description: The tags for the rule.
          items:
            type: string
          type: array
        throttle:
          description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          nullable: true
          type: string
      required:
        - name
        - consumer
        - schedule
        - rule_type_id
        - params
      title: Anomaly detection jobs health
      type: object
    Kibana_HTTP_APIs_xpack-synthetics-alerts-monitorstatus-create-rule-body-alerting:
      additionalProperties: false
      properties:
        actions:
          default: []
          items:
            additionalProperties: false
            description: An action that runs under defined conditions.
            type: object
            properties:
              alerts_filter:
                additionalProperties: false
                description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
                type: object
                properties:
                  query:
                    additionalProperties: false
                    type: object
                    properties:
                      dsl:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
                        type: string
                      filters:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            $state:
                              additionalProperties: false
                              type: object
                              properties:
                                store:
                                  description: A filter can be either specific to an application context or applied globally.
                                  enum:
                                    - appState
                                    - globalState
                                  type: string
                              required:
                                - store
                            meta:
                              additionalProperties:
                                description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value".
                                nullable: true
                              type: object
                            query:
                              additionalProperties:
                                description: A query for the filter.
                                nullable: true
                              type: object
                          required:
                            - meta
                        type: array
                      kql:
                        description: A filter written in Kibana Query Language (KQL).
                        type: string
                    required:
                      - kql
                      - filters
                  timeframe:
                    additionalProperties: false
                    description: Defines a period that limits whether the action runs.
                    type: object
                    properties:
                      days:
                        description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
                        items:
                          enum:
                            - 1
                            - 2
                            - 3
                            - 4
                            - 5
                            - 6
                            - 7
                          type: integer
                        type: array
                      hours:
                        additionalProperties: false
                        description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.
                        type: object
                        properties:
                          end:
                            description: The end of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                          start:
                            description: The start of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                        required:
                          - start
                          - end
                      timezone:
                        description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight saving time support and are not recommended.
                        type: string
                    required:
                      - days
                      - hours
                      - timezone
              frequency:
                additionalProperties: false
                type: object
                properties:
                  notify_when:
                    description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    enum:
                      - onActionGroupChange
                      - onActiveAlert
                      - onThrottleInterval
                    type: string
                  summary:
                    description: Indicates whether the action is a summary.
                    type: boolean
                  throttle:
                    description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    nullable: true
                    type: string
                required:
                  - summary
                  - notify_when
                  - throttle
              group:
                description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
                type: string
              id:
                description: The identifier for the connector saved object.
                type: string
              params:
                additionalProperties:
                  nullable: true
                default: {}
                description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
                type: object
              use_alert_data_for_template:
                description: Indicates whether to use alert data as a template.
                type: boolean
              uuid:
                description: A universally unique identifier (UUID) for the action.
                type: string
            required:
              - id
          type: array
        alert_delay:
          additionalProperties: false
          description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
          type: object
          properties:
            active:
              description: The number of consecutive runs that must meet the rule conditions.
              type: number
          required:
            - active
        artifacts:
          additionalProperties: false
          type: object
          properties:
            dashboards:
              items:
                additionalProperties: false
                type: object
                properties:
                  id:
                    type: string
                required:
                  - id
              maxItems: 10
              type: array
            investigation_guide:
              additionalProperties: false
              type: object
              properties:
                blob:
                  maxLength: 10000
                  type: string
              required:
                - blob
        consumer:
          description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
          type: string
        enabled:
          default: true
          description: Indicates whether you want to run the rule on an interval basis after it is created.
          type: boolean
        flapping:
          additionalProperties: false
          description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
          nullable: true
          type: object
          properties:
            enabled:
              description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
              type: boolean
            look_back_window:
              description: The minimum number of runs in which the threshold must be met.
              maximum: 20
              minimum: 2
              type: number
            status_change_threshold:
              description: The minimum number of times an alert must switch states in the look back window.
              maximum: 20
              minimum: 2
              type: number
          required:
            - look_back_window
            - status_change_threshold
        name:
          description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
          type: string
        notify_when:
          description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          enum:
            - onActionGroupChange
            - onActiveAlert
            - onThrottleInterval
          nullable: true
          type: string
        params:
          additionalProperties: false
          description: The parameters for the synthetics monitor status rule. These parameters are appropriate when `rule_type_id` is `xpack.synthetics.alerts.monitorStatus`.
          properties:
            condition:
              additionalProperties: false
              type: object
              properties:
                alertOnNoData:
                  type: boolean
                downThreshold:
                  type: number
                groupBy:
                  type: string
                includeRetests:
                  type: boolean
                locationsThreshold:
                  type: number
                recoveryStrategy:
                  enum:
                    - firstUp
                    - conditionNotMet
                  type: string
                window:
                  anyOf:
                    - additionalProperties: false
                      type: object
                      properties:
                        time:
                          additionalProperties: false
                          type: object
                          properties:
                            size:
                              default: 5
                              type: number
                            unit:
                              default: m
                              enum:
                                - s
                                - m
                                - h
                                - d
                              type: string
                      required:
                        - time
                    - additionalProperties: false
                      type: object
                      properties:
                        numberOfChecks:
                          default: 5
                          maximum: 100
                          minimum: 1
                          type: number
              required:
                - window
            kqlQuery:
              type: string
            locations:
              items:
                type: string
              type: array
            monitorIds:
              items:
                type: string
              type: array
            monitorTypes:
              items:
                type: string
              type: array
            projects:
              items:
                type: string
              type: array
            tags:
              items:
                type: string
              type: array
          title: Synthetics Monitor Status Rule Params
          type: object
        rule_type_id:
          enum:
            - xpack.synthetics.alerts.monitorStatus
          type: string
        schedule:
          additionalProperties: false
          description: The check interval, which specifies how frequently the rule conditions are checked.
          type: object
          properties:
            interval:
              description: The interval is specified in seconds, minutes, hours, or days.
              type: string
          required:
            - interval
        tags:
          default: []
          description: The tags for the rule.
          items:
            type: string
          type: array
        throttle:
          description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          nullable: true
          type: string
      required:
        - name
        - consumer
        - schedule
        - rule_type_id
        - params
      title: Synthetics monitor status
      type: object
    Kibana_HTTP_APIs_xpack-synthetics-alerts-tls-create-rule-body-alerting:
      additionalProperties: false
      properties:
        actions:
          default: []
          items:
            additionalProperties: false
            description: An action that runs under defined conditions.
            type: object
            properties:
              alerts_filter:
                additionalProperties: false
                description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
                type: object
                properties:
                  query:
                    additionalProperties: false
                    type: object
                    properties:
                      dsl:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
                        type: string
                      filters:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            $state:
                              additionalProperties: false
                              type: object
                              properties:
                                store:
                                  description: A filter can be either specific to an application context or applied globally.
                                  enum:
                                    - appState
                                    - globalState
                                  type: string
                              required:
                                - store
                            meta:
                              additionalProperties:
                                description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
                                nullable: true
                              type: object
                            query:
                              additionalProperties:
                                description: A query for the filter.
                                nullable: true
                              type: object
                          required:
                            - meta
                        type: array
                      kql:
                        description: A filter written in Kibana Query Language (KQL).
                        type: string
                    required:
                      - kql
                      - filters
                  timeframe:
                    additionalProperties: false
                    description: Defines a period that limits whether the action runs.
                    type: object
                    properties:
                      days:
                        description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
                        items:
                          enum:
                            - 1
                            - 2
                            - 3
                            - 4
                            - 5
                            - 6
                            - 7
                          type: integer
                        type: array
                      hours:
                        additionalProperties: false
                        description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions are generated all day.
                        type: object
                        properties:
                          end:
                            description: The end of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                          start:
                            description: The start of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                        required:
                          - start
                          - end
                      timezone:
                        description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight saving time support and are not recommended.
                        type: string
                    required:
                      - days
                      - hours
                      - timezone
              frequency:
                additionalProperties: false
                type: object
                properties:
                  notify_when:
                    description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    enum:
                      - onActionGroupChange
                      - onActiveAlert
                      - onThrottleInterval
                    type: string
                  summary:
                    description: Indicates whether the action is a summary.
                    type: boolean
                  throttle:
                    description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    nullable: true
                    type: string
                required:
                  - summary
                  - notify_when
                  - throttle
              group:
                description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
                type: string
              id:
                description: The identifier for the connector saved object.
                type: string
              params:
                additionalProperties:
                  nullable: true
                default: {}
                description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
                type: object
              use_alert_data_for_template:
                description: Indicates whether to use alert data as a template.
                type: boolean
              uuid:
                description: A universally unique identifier (UUID) for the action.
                type: string
            required:
              - id
          type: array
        alert_delay:
          additionalProperties: false
          description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
          type: object
          properties:
            active:
              description: The number of consecutive runs that must meet the rule conditions.
              type: number
          required:
            - active
        artifacts:
          additionalProperties: false
          type: object
          properties:
            dashboards:
              items:
                additionalProperties: false
                type: object
                properties:
                  id:
                    type: string
                required:
                  - id
              maxItems: 10
              type: array
            investigation_guide:
              additionalProperties: false
              type: object
              properties:
                blob:
                  maxLength: 10000
                  type: string
              required:
                - blob
        consumer:
          description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
          type: string
        enabled:
          default: true
          description: Indicates whether you want to run the rule on an interval basis after it is created.
          type: boolean
        flapping:
          additionalProperties: false
          description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
          nullable: true
          type: object
          properties:
            enabled:
              description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
              type: boolean
            look_back_window:
              description: The minimum number of runs in which the threshold must be met.
              maximum: 20
              minimum: 2
              type: number
            status_change_threshold:
              description: The minimum number of times an alert must switch states in the look back window.
              maximum: 20
              minimum: 2
              type: number
          required:
            - look_back_window
            - status_change_threshold
        name:
          description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
          type: string
        notify_when:
          description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          enum:
            - onActionGroupChange
            - onActiveAlert
            - onThrottleInterval
          nullable: true
          type: string
        params:
          additionalProperties: false
          description: The parameters for the Synthetics TLS rule. These parameters are appropriate when `rule_type_id` is `xpack.synthetics.alerts.tls`.
          properties:
            certAgeThreshold:
              type: number
            certExpirationThreshold:
              type: number
            kqlQuery:
              type: string
            locations:
              items:
                type: string
              type: array
            monitorIds:
              items:
                type: string
              type: array
            monitorTypes:
              items:
                type: string
              type: array
            projects:
              items:
                type: string
              type: array
            search:
              type: string
            tags:
              items:
                type: string
              type: array
          title: Synthetics TLS Rule Params
          type: object
        rule_type_id:
          enum:
            - xpack.synthetics.alerts.tls
          type: string
        schedule:
          additionalProperties: false
          description: The check interval, which specifies how frequently the rule conditions are checked.
          type: object
          properties:
            interval:
              description: The interval is specified in seconds, minutes, hours, or days.
              type: string
          required:
            - interval
        tags:
          default: []
          description: The tags for the rule.
          items:
            type: string
          type: array
        throttle:
          description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          nullable: true
          type: string
      required:
        - name
        - consumer
        - schedule
        - rule_type_id
        - params
      title: Synthetics TLS
      type: object
    Kibana_HTTP_APIs_xpack-uptime-alerts-durationanomaly-create-rule-body-alerting:
      additionalProperties: false
      properties:
        actions:
          default: []
          items:
            additionalProperties: false
            description: An action that runs under defined conditions.
            type: object
            properties:
              alerts_filter:
                additionalProperties: false
                description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
                type: object
                properties:
                  query:
                    additionalProperties: false
                    type: object
                    properties:
                      dsl:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
                        type: string
                      filters:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            $state:
                              additionalProperties: false
                              type: object
                              properties:
                                store:
                                  description: A filter can be either specific to an application context or applied globally.
                                  enum:
                                    - appState
                                    - globalState
                                  type: string
                              required:
                                - store
                            meta:
                              additionalProperties:
                                description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
                                nullable: true
                              type: object
                            query:
                              additionalProperties:
                                description: A query for the filter.
                                nullable: true
                              type: object
                          required:
                            - meta
                        type: array
                      kql:
                        description: A filter written in Kibana Query Language (KQL).
                        type: string
                    required:
                      - kql
                      - filters
                  timeframe:
                    additionalProperties: false
                    description: Defines a period that limits whether the action runs.
                    type: object
                    properties:
                      days:
                        description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
                        items:
                          enum:
                            - 1
                            - 2
                            - 3
                            - 4
                            - 5
                            - 6
                            - 7
                          type: integer
                        type: array
                      hours:
                        additionalProperties: false
                        description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions are generated all day.
                        type: object
                        properties:
                          end:
                            description: The end of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                          start:
                            description: The start of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                        required:
                          - start
                          - end
                      timezone:
                        description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight saving time support and are not recommended.
                        type: string
                    required:
                      - days
                      - hours
                      - timezone
              frequency:
                additionalProperties: false
                type: object
                properties:
                  notify_when:
                    description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    enum:
                      - onActionGroupChange
                      - onActiveAlert
                      - onThrottleInterval
                    type: string
                  summary:
                    description: Indicates whether the action is a summary.
                    type: boolean
                  throttle:
                    description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    nullable: true
                    type: string
                required:
                  - summary
                  - notify_when
                  - throttle
              group:
                description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
                type: string
              id:
                description: The identifier for the connector saved object.
                type: string
              params:
                additionalProperties:
                  nullable: true
                default: {}
                description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
                type: object
              use_alert_data_for_template:
                description: Indicates whether to use alert data as a template.
                type: boolean
              uuid:
                description: A universally unique identifier (UUID) for the action.
                type: string
            required:
              - id
          type: array
        alert_delay:
          additionalProperties: false
          description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
          type: object
          properties:
            active:
              description: The number of consecutive runs that must meet the rule conditions.
              type: number
          required:
            - active
        artifacts:
          additionalProperties: false
          type: object
          properties:
            dashboards:
              items:
                additionalProperties: false
                type: object
                properties:
                  id:
                    type: string
                required:
                  - id
              maxItems: 10
              type: array
            investigation_guide:
              additionalProperties: false
              type: object
              properties:
                blob:
                  maxLength: 10000
                  type: string
              required:
                - blob
        consumer:
          description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
          type: string
        enabled:
          default: true
          description: Indicates whether you want to run the rule on an interval basis after it is created.
          type: boolean
        flapping:
          additionalProperties: false
          description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
          nullable: true
          type: object
          properties:
            enabled:
              description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
              type: boolean
            look_back_window:
              description: The minimum number of runs in which the threshold must be met.
              maximum: 20
              minimum: 2
              type: number
            status_change_threshold:
              description: The minimum number of times an alert must switch states in the look back window.
              maximum: 20
              minimum: 2
              type: number
          required:
            - look_back_window
            - status_change_threshold
        name:
          description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
          type: string
        notify_when:
          description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          enum:
            - onActionGroupChange
            - onActiveAlert
            - onThrottleInterval
          nullable: true
          type: string
        params:
          additionalProperties: false
          description: The parameters for the uptime duration anomaly rule. These parameters are appropriate when `rule_type_id` is `xpack.uptime.alerts.durationAnomaly`.
          properties:
            monitorId:
              type: string
            severity:
              type: number
            stackVersion:
              type: string
          required:
            - monitorId
            - severity
          title: Uptime Duration Anomaly Rule Params
          type: object
        rule_type_id:
          enum:
            - xpack.uptime.alerts.durationAnomaly
          type: string
        schedule:
          additionalProperties: false
          description: The check interval, which specifies how frequently the rule conditions are checked.
          type: object
          properties:
            interval:
              description: The interval is specified in seconds, minutes, hours, or days.
              type: string
          required:
            - interval
        tags:
          default: []
          description: The tags for the rule.
          items:
            type: string
          type: array
        throttle:
          description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          nullable: true
          type: string
      required:
        - name
        - consumer
        - schedule
        - rule_type_id
        - params
      title: Uptime duration anomaly
      type: object
    Kibana_HTTP_APIs_xpack-uptime-alerts-monitorstatus-create-rule-body-alerting:
      additionalProperties: false
      properties:
        actions:
          default: []
          items:
            additionalProperties: false
            description: An action that runs under defined conditions.
            type: object
            properties:
              alerts_filter:
                additionalProperties: false
                description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
                type: object
                properties:
                  query:
                    additionalProperties: false
                    type: object
                    properties:
                      dsl:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
                        type: string
                      filters:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            $state:
                              additionalProperties: false
                              type: object
                              properties:
                                store:
                                  description: A filter can be either specific to an application context or applied globally.
                                  enum:
                                    - appState
                                    - globalState
                                  type: string
                              required:
                                - store
                            meta:
                              additionalProperties:
                                description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
                                nullable: true
                              type: object
                            query:
                              additionalProperties:
                                description: A query for the filter.
                                nullable: true
                              type: object
                          required:
                            - meta
                        type: array
                      kql:
                        description: A filter written in Kibana Query Language (KQL).
                        type: string
                    required:
                      - kql
                      - filters
                  timeframe:
                    additionalProperties: false
                    description: Defines a period that limits whether the action runs.
                    type: object
                    properties:
                      days:
                        description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
                        items:
                          enum:
                            - 1
                            - 2
                            - 3
                            - 4
                            - 5
                            - 6
                            - 7
                          type: integer
                        type: array
                      hours:
                        additionalProperties: false
                        description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions are generated all day.
                        type: object
                        properties:
                          end:
                            description: The end of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                          start:
                            description: The start of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                        required:
                          - start
                          - end
                      timezone:
                        description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight saving time support and are not recommended.
                        type: string
                    required:
                      - days
                      - hours
                      - timezone
              frequency:
                additionalProperties: false
                type: object
                properties:
                  notify_when:
                    description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    enum:
                      - onActionGroupChange
                      - onActiveAlert
                      - onThrottleInterval
                    type: string
                  summary:
                    description: Indicates whether the action is a summary.
                    type: boolean
                  throttle:
                    description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    nullable: true
                    type: string
                required:
                  - summary
                  - notify_when
                  - throttle
              group:
                description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
                type: string
              id:
                description: The identifier for the connector saved object.
                type: string
              params:
                additionalProperties:
                  nullable: true
                default: {}
                description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
                type: object
              use_alert_data_for_template:
                description: Indicates whether to use alert data as a template.
                type: boolean
              uuid:
                description: A universally unique identifier (UUID) for the action.
                type: string
            required:
              - id
          type: array
        alert_delay:
          additionalProperties: false
          description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
          type: object
          properties:
            active:
              description: The number of consecutive runs that must meet the rule conditions.
              type: number
          required:
            - active
        artifacts:
          additionalProperties: false
          type: object
          properties:
            dashboards:
              items:
                additionalProperties: false
                type: object
                properties:
                  id:
                    type: string
                required:
                  - id
              maxItems: 10
              type: array
            investigation_guide:
              additionalProperties: false
              type: object
              properties:
                blob:
                  maxLength: 10000
                  type: string
              required:
                - blob
        consumer:
          description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
          type: string
        enabled:
          default: true
          description: Indicates whether you want to run the rule on an interval basis after it is created.
          type: boolean
        flapping:
          additionalProperties: false
          description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
          nullable: true
          type: object
          properties:
            enabled:
              description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
              type: boolean
            look_back_window:
              description: The minimum number of runs in which the threshold must be met.
              maximum: 20
              minimum: 2
              type: number
            status_change_threshold:
              description: The minimum number of times an alert must switch states in the look back window.
              maximum: 20
              minimum: 2
              type: number
          required:
            - look_back_window
            - status_change_threshold
        name:
          description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
          type: string
        notify_when:
          description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          enum:
            - onActionGroupChange
            - onActiveAlert
            - onThrottleInterval
          nullable: true
          type: string
        params:
          additionalProperties: false
          description: The parameters for the uptime monitor status rule. These parameters are appropriate when `rule_type_id` is `xpack.uptime.alerts.monitorStatus`.
          properties:
            availability:
              additionalProperties: false
              type: object
              properties:
                range:
                  type: number
                rangeUnit:
                  type: string
                threshold:
                  type: string
              required:
                - range
                - rangeUnit
                - threshold
            filters:
              anyOf:
                - additionalProperties: false
                  type: object
                  properties:
                    monitor.type:
                      items:
                        type: string
                      type: array
                    observer.geo.name:
                      items:
                        type: string
                      type: array
                    tags:
                      items:
                        type: string
                      type: array
                    url.port:
                      items:
                        type: string
                      type: array
                - type: string
            isAutoGenerated:
              type: boolean
            locations:
              items:
                type: string
              type: array
            numTimes:
              type: number
            search:
              type: string
            shouldCheckAvailability:
              type: boolean
            shouldCheckStatus:
              type: boolean
            stackVersion:
              type: string
            timerange:
              additionalProperties: false
              type: object
              properties:
                from:
                  type: string
                to:
                  type: string
              required:
                - from
                - to
            timerangeCount:
              type: number
            timerangeUnit:
              type: string
            version:
              type: number
          required:
            - numTimes
            - shouldCheckStatus
            - shouldCheckAvailability
          title: Uptime Monitor Status Rule Params
          type: object
        rule_type_id:
          enum:
            - xpack.uptime.alerts.monitorStatus
          type: string
        schedule:
          additionalProperties: false
          description: The check interval, which specifies how frequently the rule conditions are checked.
          type: object
          properties:
            interval:
              description: The interval is specified in seconds, minutes, hours, or days.
              type: string
          required:
            - interval
        tags:
          default: []
          description: The tags for the rule.
          items:
            type: string
          type: array
        throttle:
          description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          nullable: true
          type: string
      required:
        - name
        - consumer
        - schedule
        - rule_type_id
        - params
      title: Uptime monitor status
      type: object
    Kibana_HTTP_APIs_xpack-uptime-alerts-tlscertificate-create-rule-body-alerting:
      additionalProperties: false
      properties:
        actions:
          default: []
          items:
            additionalProperties: false
            description: An action that runs under defined conditions.
            type: object
            properties:
              alerts_filter:
                additionalProperties: false
                description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
                type: object
                properties:
                  query:
                    additionalProperties: false
                    type: object
                    properties:
                      dsl:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
                        type: string
                      filters:
                        description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
                        items:
                          additionalProperties: false
                          type: object
                          properties:
                            $state:
                              additionalProperties: false
                              type: object
                              properties:
                                store:
                                  description: A filter can be either specific to an application context or applied globally.
                                  enum:
                                    - appState
                                    - globalState
                                  type: string
                              required:
                                - store
                            meta:
                              additionalProperties:
                                description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
                                nullable: true
                              type: object
                            query:
                              additionalProperties:
                                description: A query for the filter.
                                nullable: true
                              type: object
                          required:
                            - meta
                        type: array
                      kql:
                        description: A filter written in Kibana Query Language (KQL).
                        type: string
                    required:
                      - kql
                      - filters
                  timeframe:
                    additionalProperties: false
                    description: Defines a period that limits whether the action runs.
                    type: object
                    properties:
                      days:
                        description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
                        items:
                          enum:
                            - 1
                            - 2
                            - 3
                            - 4
                            - 5
                            - 6
                            - 7
                          type: integer
                        type: array
                      hours:
                        additionalProperties: false
                        description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions are generated all day.
                        type: object
                        properties:
                          end:
                            description: The end of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                          start:
                            description: The start of the time frame in 24-hour notation (`hh:mm`).
                            type: string
                        required:
                          - start
                          - end
                      timezone:
                        description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight saving time support and are not recommended.
                        type: string
                    required:
                      - days
                      - hours
                      - timezone
              frequency:
                additionalProperties: false
                type: object
                properties:
                  notify_when:
                    description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    enum:
                      - onActionGroupChange
                      - onActiveAlert
                      - onThrottleInterval
                    type: string
                  summary:
                    description: Indicates whether the action is a summary.
                    type: boolean
                  throttle:
                    description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
                    nullable: true
                    type: string
                required:
                  - summary
                  - notify_when
                  - throttle
              group:
                description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
                type: string
              id:
                description: The identifier for the connector saved object.
                type: string
              params:
                additionalProperties:
                  nullable: true
                default: {}
                description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
                type: object
              use_alert_data_for_template:
                description: Indicates whether to use alert data as a template.
                type: boolean
              uuid:
                description: A universally unique identifier (UUID) for the action.
                type: string
            required:
              - id
          type: array
        alert_delay:
          additionalProperties: false
          description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
          type: object
          properties:
            active:
              description: The number of consecutive runs that must meet the rule conditions.
              type: number
          required:
            - active
        artifacts:
          additionalProperties: false
          type: object
          properties:
            dashboards:
              items:
                additionalProperties: false
                type: object
                properties:
                  id:
                    type: string
                required:
                  - id
              maxItems: 10
              type: array
            investigation_guide:
              additionalProperties: false
              type: object
              properties:
                blob:
                  maxLength: 10000
                  type: string
              required:
                - blob
        consumer:
          description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
          type: string
        enabled:
          default: true
          description: Indicates whether you want to run the rule on an interval basis after it is created.
          type: boolean
        flapping:
          additionalProperties: false
          description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
          nullable: true
          type: object
          properties:
            enabled:
              description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
              type: boolean
            look_back_window:
              description: The minimum number of runs in which the threshold must be met.
              maximum: 20
              minimum: 2
              type: number
            status_change_threshold:
              description: The minimum number of times an alert must switch states in the look back window.
              maximum: 20
              minimum: 2
              type: number
          required:
            - look_back_window
            - status_change_threshold
        name:
          description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
          type: string
        notify_when:
          description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          enum:
            - onActionGroupChange
            - onActiveAlert
            - onThrottleInterval
          nullable: true
          type: string
        params:
          additionalProperties: false
          description: The parameters for the uptime TLS rule. These parameters are appropriate when `rule_type_id` is `xpack.uptime.alerts.tlsCertificate`.
          properties:
            certAgeThreshold:
              type: number
            certExpirationThreshold:
              type: number
            search:
              type: string
            stackVersion:
              type: string
          title: Uptime TLS Rule Params
          type: object
        rule_type_id:
          enum:
            - xpack.uptime.alerts.tlsCertificate
          type: string
        schedule:
          additionalProperties: false
          description: The check interval, which specifies how frequently the rule conditions are checked.
          type: object
          properties:
            interval:
              description: The interval is specified in seconds, minutes, hours, or days.
              type: string
          required:
            - interval
        tags:
          default: []
          description: The tags for the rule.
          items:
            type: string
          type: array
        throttle:
          description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
          nullable: true
          type: string
      required:
        - name
        - consumer
        - schedule
        - rule_type_id
        - params
      title: Uptime TLS certificate
      type: object
    Machine_learning_APIs_mlSync200Response:
      properties:
        datafeedsAdded:
          additionalProperties:
            $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds'
          description: If a saved object for an anomaly detection job is missing a datafeed identifier, it is added when you run the sync machine learning saved objects API.
          type: object
        datafeedsRemoved:
          additionalProperties:
            $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds'
          description: If a saved object for an anomaly detection job references a datafeed that no longer exists, it is deleted when you run the sync machine learning saved objects API.
          type: object
        savedObjectsCreated:
          $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsCreated'
        savedObjectsDeleted:
          $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted'
      title: Successful sync API response
      type: object
    Machine_learning_APIs_mlSync4xxResponse:
      properties:
        error:
          example: Unauthorized
          type: string
        message:
          type: string
        statusCode:
          example: 401
          type: integer
      title: Unsuccessful sync API response
      type: object
    Machine_learning_APIs_mlSyncResponseAnomalyDetectors:
      description: The sync machine learning saved objects API response contains this object when there are anomaly detection jobs affected by the synchronization. There is an object for each relevant job, which contains the synchronization status.
      properties:
        success:
          $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess'
      title: Sync API response for anomaly detection jobs
      type: object
    Machine_learning_APIs_mlSyncResponseDatafeeds:
      description: The sync machine learning saved objects API response contains this object when there are datafeeds affected by the synchronization. There is an object for each relevant datafeed, which contains the synchronization status.
      properties:
        success:
          $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess'
      title: Sync API response for datafeeds
      type: object
    Machine_learning_APIs_mlSyncResponseDataFrameAnalytics:
      description: The sync machine learning saved objects API response contains this object when there are data frame analytics jobs affected by the synchronization. There is an object for each relevant job, which contains the synchronization status.
      properties:
        success:
          $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess'
      title: Sync API response for data frame analytics jobs
      type: object
    Machine_learning_APIs_mlSyncResponseSavedObjectsCreated:
      description: If saved objects are missing for machine learning jobs or trained models, they are created when you run the sync machine learning saved objects API.
      properties:
        anomaly-detector:
          additionalProperties:
            $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors'
          description: If saved objects are missing for anomaly detection jobs, they are created.
          type: object
        data-frame-analytics:
          additionalProperties:
            $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics'
          description: If saved objects are missing for data frame analytics jobs, they are created.
          type: object
        trained-model:
          additionalProperties:
            $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels'
          description: If saved objects are missing for trained models, they are created.
          type: object
      title: Sync API response for created saved objects
      type: object
    Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted:
      description: If saved objects exist for machine learning jobs or trained models that no longer exist, they are deleted when you run the sync machine learning saved objects API.
      properties:
        anomaly-detector:
          additionalProperties:
            $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors'
          description: If saved objects exist for nonexistent anomaly detection jobs, they are deleted.
          type: object
        data-frame-analytics:
          additionalProperties:
            $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics'
          description: If saved objects exist for nonexistent data frame analytics jobs, they are deleted.
          type: object
        trained-model:
          additionalProperties:
            $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels'
          description: If saved objects exist for nonexistent trained models, they are deleted.
          type: object
      title: Sync API response for deleted saved objects
      type: object
    Machine_learning_APIs_mlSyncResponseSuccess:
      description: The success or failure of the synchronization.
      type: boolean
    Machine_learning_APIs_mlSyncResponseTrainedModels:
      description: The sync machine learning saved objects API response contains this object when there are trained models affected by the synchronization. There is an object for each relevant trained model, which contains the synchronization status.
      properties:
        success:
          $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess'
      title: Sync API response for trained models
      type: object
    Observability_AI_Assistant_API_Function:
      type: object
      properties:
        description:
          description: The description of the function.
          type: string
        name:
          description: The name of the function.
          type: string
        parameters:
          description: The parameters of the function.
          type: object
    Observability_AI_Assistant_API_FunctionCall:
      description: Details of the function call within the message.
      type: object
      properties:
        arguments:
          description: The arguments for the function call.
          type: string
        name:
          description: The name of the function.
          type: string
        trigger:
          description: The trigger of the function call.
          enum:
            - assistant
            - user
            - elastic
          type: string
      required:
        - name
        - trigger
    Observability_AI_Assistant_API_Instruction:
      oneOf:
        - description: A simple instruction represented as a string.
          type: string
        - description: A detailed instruction with an ID and text.
          type: object
          properties:
            id:
              description: A unique identifier for the instruction.
              type: string
            text:
              description: The text of the instruction.
              type: string
          required:
            - id
            - text
    Observability_AI_Assistant_API_Message:
      name: Message
      type: object
      properties:
        '@timestamp':
          description: The timestamp when the message was created.
          type: string
        message:
          description: The main content of the message.
          type: object
          properties:
            content:
              description: The content of the message.
              type: string
            data:
              description: Additional data associated with the message.
              type: string
            event:
              description: The event related to the message.
              type: string
            function_call:
              $ref: '#/components/schemas/Observability_AI_Assistant_API_FunctionCall'
            name:
              description: The name associated with the message.
              type: string
            role:
              $ref: '#/components/schemas/Observability_AI_Assistant_API_MessageRoleEnum'
          required:
            - role
      required:
        - '@timestamp'
        - message
    Observability_AI_Assistant_API_MessageRoleEnum:
      description: The role of the message sender.
      enum:
        - system
        - assistant
        - function
        - user
        - elastic
      type: string
    Security_AI_Assistant_API_AnonymizationFieldCreateProps:
      type: object
      properties:
        allowed:
          description: Whether this field is allowed to be sent to the model.
          example: true
          type: boolean
        anonymized:
          description: Whether this field should be anonymized.
          example: false
          type: boolean
        field:
          description: Name of the anonymization field to create.
          example: host.name
          type: string
      required:
        - field
    Security_AI_Assistant_API_AnonymizationFieldDetailsInError:
      type: object
      properties:
        id:
          description: The ID of the anonymization field.
          example: field12
          type: string
        name:
          description: Name of the anonymization field.
          example: host.name
          type: string
      required:
        - id
    Security_AI_Assistant_API_AnonymizationFieldResponse:
      type: object
      properties:
        allowed:
          description: Whether this field is allowed to be sent to the model.
          example: true
          type: boolean
        anonymized:
          description: Whether this field should be anonymized.
          example: false
          type: boolean
        createdAt:
          description: Timestamp of when the anonymization field was created.
          example: '2023-10-31T12:00:00Z'
          type: string
        createdBy:
          description: Username of the person who created the anonymization field.
          example: user1
          type: string
        field:
          description: Name of the anonymization field.
          example: url.domain
          type: string
        id:
          $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
          description: The ID of the anonymization field.
        namespace:
          description: Kibana space in which this anonymization field exists.
          example: default
          type: string
        timestamp:
          $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyTimestamp'
          description: Timestamp when the anonymization field was initially created.
        updatedAt:
          description: Timestamp of the last update.
          example: '2023-10-31T12:00:00Z'
          type: string
        updatedBy:
          description: Username of the person who last updated the field.
          example: user1
          type: string
      required:
        - id
        - field
    Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipReason:
      description: Reason why the anonymization field was not modified.
      enum:
        - ANONYMIZATION_FIELD_NOT_MODIFIED
      type: string
    Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipResult:
      type: object
      properties:
        id:
          description: The ID of the anonymization field that was not modified.
          example: field4
          type: string
        name:
          description: Name of the anonymization field that was not modified.
          example: user.name
          type: string
        skip_reason:
          $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipReason'
          description: Reason why the anonymization field was not modified.
      required:
        - id
        - skip_reason
    Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResponse:
      type: object
      properties:
        anonymization_fields_count:
          description: Total number of anonymization fields processed.
          example: 5
          type: integer
        attributes:
          type: object
          properties:
            errors:
              description: List of errors that occurred during the bulk operation.
              items:
                $ref: '#/components/schemas/Security_AI_Assistant_API_NormalizedAnonymizationFieldError'
              type: array
            results:
              $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResults'
            summary:
              $ref: '#/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary'
          required:
            - results
            - summary
        message:
          description: Message providing information about the bulk action result.
          example: Bulk action completed successfully
          type: string
        status_code:
          description: HTTP status code returned.
          example: 200
          type: integer
        success:
          description: Indicates if the bulk action was successful.
          example: true
          type: boolean
      required:
        - attributes
    Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResults:
      type: object
      properties:
        created:
          description: List of anonymization fields successfully created.
          items:
            $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse'
          type: array
        deleted:
          items:
            description: Array of IDs of anonymization fields that were deleted.
            example: field3
            type: string
          type: array
        skipped:
          description: List of anonymization fields that were skipped during the operation.
          items:
            $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipResult'
          type: array
        updated:
          description: List of anonymization fields successfully updated.
          items:
            $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse'
          type: array
      required:
        - updated
        - created
        - deleted
        - skipped
    Security_AI_Assistant_API_AnonymizationFieldUpdateProps:
      type: object
      properties:
        allowed:
          description: Whether this field is allowed to be sent to the model.
          example: true
          type: boolean
        anonymized:
          description: Whether this field should be anonymized.
          example: false
          type: boolean
        id:
          description: The ID of the anonymization field to update.
          example: field8
          type: string
      required:
        - id
    Security_AI_Assistant_API_ApiConfig:
      type: object
      properties:
        actionTypeId:
          description: Action type ID
          example: actionType456
          type: string
        connectorId:
          description: Connector ID
          example: connector123
          type: string
        defaultSystemPromptId:
          description: Default system prompt ID
          example: systemPrompt001
          type: string
        model:
          description: Model
          example: gpt-4
          type: string
        provider:
          $ref: '#/components/schemas/Security_AI_Assistant_API_Provider'
          description: Provider
          example: OpenAI
      required:
        - connectorId
        - actionTypeId
    Security_AI_Assistant_API_BaseContentReference:
      description: The basis of a content reference
      type: object
      properties:
        id:
          description: Id of the content reference
          example: content123
          type: string
        type:
          description: Type of the content reference
          example: SecurityAlert
          type: string
      required:
        - id
        - type
    Security_AI_Assistant_API_BaseInterruptResumeValue:
      description: The basis of an interrupt resume value
      type: object
      properties:
        type:
          $ref: '#/components/schemas/Security_AI_Assistant_API_InterruptType'
          description: Type of the resume value
          example: SELECT_OPTION
      required:
        - type
    Security_AI_Assistant_API_BaseInterruptValue:
      description: The basis of an agent interrupt
      type: object
      properties:
        expired:
          description: Whether the interrupt has expired and can no longer be resumed.
          example: false
          type: boolean
        threadId:
          description: Thread ID of the graph execution that produced this message.
          example: <UUID>
          type: string
        type:
          $ref: '#/components/schemas/Security_AI_Assistant_API_InterruptType'
          description: Type of the interrupt
          example: SELECT_OPTION
      required:
        - type
        - threadId
    Security_AI_Assistant_API_BulkCrudActionSummary:
      type: object
      properties:
        failed:
          description: The number of failed actions.
          example: 0
          type: integer
        skipped:
          description: The number of skipped actions.
          example: 1
          type: integer
        succeeded:
          description: The number of successfully performed actions.
          example: 10
          type: integer
        total:
          description: The total number of actions attempted.
          example: 12
          type: integer
      required:
        - failed
        - skipped
        - succeeded
        - total
    Security_AI_Assistant_API_ChatCompleteProps:
      description: The request payload for creating a chat completion.
      example:
        connectorId: conn-001
        conversationId: abc123
        isStream: true
        langSmithApiKey: <LANGSMITH_API_KEY>
        langSmithProject: security_ai_project
        messages:
          - content: How do I detect ransomware on my endpoints?
            data:
              device_id: device-567
            fields_to_anonymize:
              - device.name
              - file.path
            role: user
        model: gpt-4
        persist: true
        promptId: prompt_456
        responseLanguage: en
      type: object
      properties:
        connectorId:
          description: Required connector identifier to route the request.
          example: conn-001
          type: string
        conversationId:
          $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
          description: Existing conversation ID to continue.
        isStream:
          description: If true, the response will be streamed in chunks.
          example: true
          type: boolean
        langSmithApiKey:
          description: API key for LangSmith integration.
          example: <LANGSMITH_API_KEY>
          type: string
        langSmithProject:
          description: LangSmith project name for tracing.
          example: security_ai_project
          type: string
        messages:
          description: List of chat messages exchanged so far.
          items:
            $ref: '#/components/schemas/Security_AI_Assistant_API_ChatMessage'
          type: array
        model:
          description: Model ID or name to use for the response.
          example: gpt-4
          type: string
        persist:
          description: Whether to persist the chat and response to storage.
          example: true
          type: boolean
        promptId:
          description: Prompt template identifier.
          example: prompt_001
          type: string
        responseLanguage:
          description: ISO language code for the assistant's response.
          example: en
          type: string
      required:
        - messages
        - persist
        - connectorId
    Security_AI_Assistant_API_ChatMessage:
      description: A message exchanged within the AI chat conversation.
      type: object
      properties:
        content:
          description: The textual content of the message.
          example: What security incidents have been reported today?
          type: string
        data:
          $ref: '#/components/schemas/Security_AI_Assistant_API_MessageData'
          description: Metadata to attach to the context of the message.
        fields_to_anonymize:
          description: List of field names within the data object that should be anonymized.
          example:
            - user.name
            - source.ip
          items:
            type: string
          type: array
        role:
          $ref: '#/components/schemas/Security_AI_Assistant_API_ChatMessageRole'
          description: The sender role of the message.
      required:
        - role
    Security_AI_Assistant_API_ChatMessageRole:
      description: The role associated with the message in the chat.
      enum:
        - system
        - user
        - assistant
      example: user
      type: string
    Security_AI_Assistant_API_ContentReferences:
      additionalProperties:
        oneOf:
          - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryContentReference'
          - $ref: '#/components/schemas/Security_AI_Assistant_API_SecurityAlertContentReference'
          - $ref: '#/components/schemas/Security_AI_Assistant_API_SecurityAlertsPageContentReference'
          - $ref: '#/components/schemas/Security_AI_Assistant_API_ProductDocumentationContentReference'
          - $ref: '#/components/schemas/Security_AI_Assistant_API_EsqlContentReference'
          - $ref: '#/components/schemas/Security_AI_Assistant_API_HrefContentReference'
            additionalProperties: false
      description: A union of all content reference types
      type: object
    Security_AI_Assistant_API_ConversationCategory:
      description: The conversation category.
      enum:
        - assistant
        - insights
      example: assistant
      type: string
    Security_AI_Assistant_API_ConversationCreateProps:
      type: object
      properties:
        apiConfig:
          $ref: '#/components/schemas/Security_AI_Assistant_API_ApiConfig'
          description: LLM API configuration.
        category:
          $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCategory'
          description: The conversation category.
          example: assistant
        excludeFromLastConversationStorage:
          description: Exclude from last conversation storage.
          type: boolean
        id:
          description: The conversation id.
          example: conversation123
          type: string
        messages:
          description: The conversation messages.
          items:
            $ref: '#/components/schemas/Security_AI_Assistant_API_Message'
          type: array
        replacements:
          $ref: '#/components/schemas/Security_AI_Assistant_API_Replacements'
        title:
          description: The conversation title.
          example: Security AI Assistant Setup
          type: string
      required:
        - title
    Security_AI_Assistant_API_ConversationResponse:
      type: object
      properties:
        apiConfig:
          $ref: '#/components/schemas/Security_AI_Assistant_API_ApiConfig'
          description: LLM API configuration.
        category:
          $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCategory'
          description: The conversation category.
          example: assistant
        createdAt:
          description: The time the conversation was created.
          example: '2025-04-30T14:00:00Z'
          type: string
        createdBy:
          $ref: '#/components/schemas/Security_AI_Assistant_API_User'
          description: The user who created the conversation.
        excludeFromLastConversationStorage:
          description: Exclude from last conversation storage.
          type: boolean
        id:
          $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
        messages:
          description: The conversation messages.
          items:
            $ref: '#/components/schemas/Security_AI_Assistant_API_Message'
          type: array
        namespace:
          description: Kibana space
          example: default
          type: string
        replacements:
          $ref: '#/components/schemas/Security_AI_Assistant_API_Replacements'
        timestamp:
          $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyTimestamp'
        title:
          description: The conversation title.
          example: Security AI Assistant Setup
          type: string
        updatedAt:
          description: The last time the conversation was updated.
          example: '2025-04-30T16:30:00Z'
          type: string
        users:
          items:
            $ref: '#/components/schemas/Security_AI_Assistant_API_User'
          type: array
      required:
        - id
        - title
        - createdAt
        - createdBy
        - users
        - namespace
        - category
    Security_AI_Assistant_API_ConversationUpdateProps:
      type: object
      properties:
        apiConfig:
          $ref: '#/components/schemas/Security_AI_Assistant_API_ApiConfig'
          description: LLM API configuration.
        category:
          $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCategory'
          description: The conversation category.
          example: assistant
        excludeFromLastConversationStorage:
          description: Exclude from last conversation storage.
          type: boolean
        id:
          $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
        messages:
          description: The conversation messages.
          items:
            $ref: '#/components/schemas/Security_AI_Assistant_API_Message'
          type: array
        replacements:
          $ref: '#/components/schemas/Security_AI_Assistant_API_Replacements'
        title:
          description: The conversation title.
          example: Updated Security AI Assistant Setup
          type: string
        users:
          items:
            $ref: '#/components/schemas/Security_AI_Assistant_API_User'
          type: array
      required:
        - id
    Security_AI_Assistant_API_DeleteResponseFields:
      type: object
      properties:
        id:
          $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
      required:
        - id
    Security_AI_Assistant_API_DocumentEntry:
      allOf:
        - type: object
          properties:
            global:
              description: Whether this Knowledge Base Entry is global, defaults to false.
              example: false
              type: boolean
            name:
              description: Name of the Knowledge Base Entry.
              example: Example Entry
              type: string
            namespace:
              description: Kibana Space, defaults to 'default' space.
              example: default
              type: string
            users:
              description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users.
              items:
                $ref: '#/components/schemas/Security_AI_Assistant_API_User'
              type: array
          required:
            - name
            - namespace
            - global
            - users
        - $ref: '#/components/schemas/Security_AI_Assistant_API_ResponseFields'
        - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryResponseFields'
    Security_AI_Assistant_API_DocumentEntryCreateFields:
      allOf:
        - type: object
          properties:
            global:
              description: Whether this Knowledge Base Entry is global, defaults to false.
              example: false
              type: boolean
            name:
              description: Name of the Knowledge Base Entry.
              example: Example Entry
              type: string
            namespace:
              description: Kibana Space, defaults to 'default' space.
              example: default
              type: string
            users:
              description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users.
              items:
                $ref: '#/components/schemas/Security_AI_Assistant_API_User'
              type: array
          required:
            - name
        - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryRequiredFields'
        - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryOptionalFields'
    Security_AI_Assistant_API_DocumentEntryOptionalFields:
      type: object
      properties:
        required:
          description: Whether this resource should always be included, defaults to false.
          example: false
          type: boolean
        vector:
          $ref: '#/components/schemas/Security_AI_Assistant_API_Vector'
    Security_AI_Assistant_API_DocumentEntryRequiredFields:
      type: object
      properties:
        kbResource:
          $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResource'
        source:
          description: Source document name or filepath.
          example: /documents/example.txt
          type: string
        text:
          description: Knowledge Base Entry content.
          example: This is the content of the document.
          type: string
        type:
          description: Entry type.
          enum:
            - document
          example: document
          type: string
      required:
        - type
        - kbResource
        - source
        - text
    Security_AI_Assistant_API_DocumentEntryResponseFields:
      allOf:
        - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryRequiredFields'
        - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryOptionalFields'
    Security_AI_Assistant_API_DocumentEntryUpdateFields:
      allOf:
        - type: object
          properties:
            global:
              description: Whether this Knowledge Base Entry is global, defaults to false.
              example: false
              type: boolean
            id:
              $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
            name:
              description: Name of the Knowledge Base Entry.
              example: Example Entry
              type: string
            namespace:
              description: Kibana space. Defaults to the 'default' space.
              example: default
              type: string
            users:
              description: Users who have access to the Knowledge Base Entry. Defaults to the current user. An empty array grants access to all users.
              items:
                $ref: '#/components/schemas/Security_AI_Assistant_API_User'
              type: array
          required:
            - id
        - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields'
    Security_AI_Assistant_API_EsqlContentReference:
      allOf:
        - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseContentReference'
        - type: object
          properties:
            label:
              description: Label of the query
              example: High Severity Alerts
              type: string
            query:
              description: An ESQL query
              example: 'FROM alerts | WHERE severity == "high"'
              type: string
            timerange:
              description: Time range to select in the time picker.
              type: object
              properties:
                from:
                  example: '2025-04-01T00:00:00Z'
                  type: string
                to:
                  example: '2025-04-30T23:59:59Z'
                  type: string
              required:
                - from
                - to
            type:
              enum:
                - EsqlQuery
              example: EsqlQuery
              type: string
          required:
            - type
            - query
            - label
      description: References an ESQL query
    Security_AI_Assistant_API_FindAnonymizationFieldsSortField:
      enum:
        - created_at
        - anonymized
        - allowed
        - field
        - updated_at
      type: string
    Security_AI_Assistant_API_FindConversationsSortField:
      description: The field by which to sort the conversations. Possible values are `created_at`, `title`, and `updated_at`.
      enum:
        - created_at
        - title
        - updated_at
      example: created_at
      type: string
    Security_AI_Assistant_API_FindKnowledgeBaseEntriesSortField:
      description: Fields available for sorting Knowledge Base Entries.
      enum:
        - created_at
        - is_default
        - title
        - updated_at
      example: title
      type: string
    Security_AI_Assistant_API_FindPromptsSortField:
      description: Field by which to sort the prompts.
      enum:
        - created_at
        - is_default
        - name
        - updated_at
      example: created_at
      type: string
    Security_AI_Assistant_API_HrefContentReference:
      allOf:
        - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseContentReference'
        - type: object
          properties:
            href:
              description: URL to the external resource
              type: string
            label:
              description: Label of the external resource
              type: string
            type:
              enum:
                - Href
              type: string
          required:
            - type
            - href
      description: References an external URL
    Security_AI_Assistant_API_IndexEntry:
      allOf:
        - type: object
          properties:
            global:
              description: Whether this Knowledge Base Entry is global. Defaults to false.
              example: false
              type: boolean
            name:
              description: Name of the Knowledge Base Entry.
              example: Example Entry
              type: string
            namespace:
              description: Kibana space. Defaults to the 'default' space.
              example: default
              type: string
            users:
              description: Users who have access to the Knowledge Base Entry. Defaults to the current user. An empty array grants access to all users.
              items:
                $ref: '#/components/schemas/Security_AI_Assistant_API_User'
              type: array
          required:
            - name
            - namespace
            - global
            - users
        - $ref: '#/components/schemas/Security_AI_Assistant_API_ResponseFields'
        - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryResponseFields'
    Security_AI_Assistant_API_IndexEntryCreateFields:
      allOf:
        - type: object
          properties:
            global:
              description: Whether this Knowledge Base Entry is global. Defaults to false.
              example: false
              type: boolean
            name:
              description: Name of the Knowledge Base Entry.
              example: Example Entry
              type: string
            namespace:
              description: Kibana space. Defaults to the 'default' space.
              example: default
              type: string
            users:
              description: Users who have access to the Knowledge Base Entry. Defaults to the current user. An empty array grants access to all users.
              items:
                $ref: '#/components/schemas/Security_AI_Assistant_API_User'
              type: array
          required:
            - name
        - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryRequiredFields'
        - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryOptionalFields'
    Security_AI_Assistant_API_IndexEntryOptionalFields:
      type: object
      properties:
        inputSchema:
          $ref: '#/components/schemas/Security_AI_Assistant_API_InputSchema'
        outputFields:
          description: Fields to extract from the query result. Defaults to all fields if not provided or empty.
          example:
            - title
            - author
          items:
            type: string
          type: array
    Security_AI_Assistant_API_IndexEntryRequiredFields:
      type: object
      properties:
        description:
          description: Description for when this index or data stream should be queried for Knowledge Base content. Passed to the LLM as a tool description.
          example: Query this index for general knowledge base content.
          type: string
        field:
          description: Field to query for Knowledge Base content.
          example: content
          type: string
        index:
          description: Index or Data Stream to query for Knowledge Base content.
          example: knowledge_base_index
          type: string
        queryDescription:
          description: Description of query field used to fetch Knowledge Base content. Passed to the LLM as part of the tool input schema.
          example: Search for documents containing the specified keywords.
          type: string
        type:
          description: Entry type.
          enum:
            - index
          example: index
          type: string
      required:
        - type
        - index
        - field
        - description
        - queryDescription
    Security_AI_Assistant_API_IndexEntryResponseFields:
      allOf:
        - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryRequiredFields'
        - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryOptionalFields'
    Security_AI_Assistant_API_IndexEntryUpdateFields:
      allOf:
        - type: object
          properties:
            global:
              description: Whether this Knowledge Base Entry is global. Defaults to false.
              example: false
              type: boolean
            id:
              $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
            name:
              description: Name of the Knowledge Base Entry.
              example: Example Entry
              type: string
            namespace:
              description: Kibana space. Defaults to the 'default' space.
              example: default
              type: string
            users:
              description: Users who have access to the Knowledge Base Entry. Defaults to the current user. An empty array grants access to all users.
              items:
                $ref: '#/components/schemas/Security_AI_Assistant_API_User'
              type: array
          required:
            - id
        - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields'
    Security_AI_Assistant_API_InputSchema:
      description: Array of objects defining the input schema, allowing the LLM to extract structured data to be used in retrieval.
      items:
        type: object
        properties:
          description:
            description: Description of the field.
            example: The title of the document.
            type: string
          fieldName:
            description: Name of the field.
            example: title
            type: string
          fieldType:
            description: Type of the field.
            example: string
            type: string
        required:
          - fieldName
          - fieldType
          - description
      type: array
    Security_AI_Assistant_API_InputTextInterruptResumeValue:
      allOf:
        - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseInterruptResumeValue'
        - type: object
          properties:
            type:
              enum:
                - INPUT_TEXT
              example: INPUT_TEXT
              type: string
            value:
              description: Text value with which to resume the graph execution.
              example: .logs*
              type: string
          required:
            - value
            - type
      description: A resume value for input text
    Security_AI_Assistant_API_InputTextInterruptValue:
      allOf:
        - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseInterruptValue'
        - type: object
          properties:
            description:
              description: Description of action required
              example: What is the index you would like to use for the query?
              type: string
            placeholder:
              description: Placeholder text for the input field
              example: Enter index pattern here...
              type: string
            type:
              enum:
                - INPUT_TEXT
              example: INPUT_TEXT
              type: string
          required:
            - type
      description: Interrupt that requests the user to provide text input
    Security_AI_Assistant_API_InterruptResumeValue:
      description: Union of the interrupt resume values
      oneOf:
        - $ref: '#/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptResumeValue'
          additionalProperties: false
        - $ref: '#/components/schemas/Security_AI_Assistant_API_InputTextInterruptResumeValue'
          additionalProperties: false
    Security_AI_Assistant_API_InterruptType:
      description: The type of interrupt
      enum:
        - SELECT_OPTION
        - INPUT_TEXT
      type: string
    Security_AI_Assistant_API_InterruptValue:
      description: Union of the interrupt values
      oneOf:
        - $ref: '#/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptValue'
          additionalProperties: false
        - $ref: '#/components/schemas/Security_AI_Assistant_API_InputTextInterruptValue'
          additionalProperties: false
    Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipReason:
      description: Reason why a Knowledge Base Entry was skipped during the bulk action.
      enum:
        - KNOWLEDGE_BASE_ENTRY_NOT_MODIFIED
      type: string
    Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipResult:
      type: object
      properties:
        id:
          description: ID of the skipped Knowledge Base Entry.
          example: '123'
          type: string
        name:
          description: Name of the skipped Knowledge Base Entry.
          example: Skipped Entry
          type: string
        skip_reason:
          $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipReason'
      required:
        - id
        - skip_reason
    Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResponse:
      type: object
      properties:
        attributes:
          type: object
          properties:
            errors:
              description: List of errors encountered during the bulk action.
              example:
                - err_code: UPDATE_FAILED
                  knowledgeBaseEntries:
                    - id: '456'
                      name: Error Entry
                  message: Failed to update entry.
                  statusCode: 400
              items:
                $ref: '#/components/schemas/Security_AI_Assistant_API_NormalizedKnowledgeBaseEntryError'
              type: array
            results:
              $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResults'
            summary:
              $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionSummary'
          required:
            - results
            - summary
        knowledgeBaseEntriesCount:
          description: Total number of Knowledge Base Entries processed.
          example: 8
          type: integer
        message:
          description: Message describing the result of the bulk action.
          example: Bulk action completed successfully.
          type: string
        statusCode:
          description: HTTP status code of the response.
          example: 200
          type: integer
        success:
          description: Indicates whether the bulk action was successful.
          example: true
          type: boolean
      required:
        - attributes
    Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResults:
      type: object
      properties:
        created:
          description: List of Knowledge Base Entries that were successfully created.
          example:
            - id: '456'
              kbResource: user
              name: New Entry
              source: manual
              text: This is the content of the new entry.
              type: document
          items:
            $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse'
          type: array
        deleted:
          description: List of IDs of Knowledge Base Entries that were successfully deleted.
          example:
            - '789'
          items:
            type: string
          type: array
        skipped:
          description: List of Knowledge Base Entries that were skipped during the bulk action.
          example:
            - id: '123'
              name: Skipped Entry
              skip_reason: KNOWLEDGE_BASE_ENTRY_NOT_MODIFIED
          items:
            $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipResult'
          type: array
        updated:
          description: List of Knowledge Base Entries that were successfully updated.
          example:
            - id: '123'
              kbResource: user
              name: Updated Entry
              source: manual
              text: Updated content.
              type: document
          items:
            $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse'
          type: array
      required:
        - updated
        - created
        - deleted
        - skipped
    Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionSummary:
      type: object
      properties:
        failed:
          description: Number of Knowledge Base Entries that failed during the bulk action.
          example: 2
          type: integer
        skipped:
          description: Number of Knowledge Base Entries that were skipped during the bulk action.
          example: 1
          type: integer
        succeeded:
          description: Number of Knowledge Base Entries that were successfully processed during the bulk action.
          example: 5
          type: integer
        total:
          description: Total number of Knowledge Base Entries involved in the bulk action.
          example: 8
          type: integer
      required:
        - failed
        - skipped
        - succeeded
        - total
    Security_AI_Assistant_API_KnowledgeBaseEntryContentReference:
      allOf:
        - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseContentReference'
        - type: object
          properties:
            knowledgeBaseEntryId:
              description: Id of the Knowledge Base Entry
              example: kbentry456
              type: string
            knowledgeBaseEntryName:
              description: Name of the knowledge base entry
              example: Network Security Best Practices
              type: string
            type:
              enum:
                - KnowledgeBaseEntry
              example: KnowledgeBaseEntry
              type: string
          required:
            - type
            - knowledgeBaseEntryId
            - knowledgeBaseEntryName
      description: References a knowledge base entry
    Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps:
      anyOf:
        - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields'
        - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields'
      discriminator:
        mapping:
          document: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields'
          index: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields'
        propertyName: type
    Security_AI_Assistant_API_KnowledgeBaseEntryDetailsInError:
      type: object
      properties:
        id:
          description: ID of the Knowledge Base Entry that encountered an error.
          example: '456'
          type: string
        name:
          description: Name of the Knowledge Base Entry that encountered an error.
          example: Error Entry
          type: string
      required:
        - id
    Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema:
      additionalProperties: false
      type: object
      properties:
        error:
          description: Error type or category.
          example: Not Found
          type: string
        message:
          description: Detailed error message.
          example: The requested Knowledge Base Entry was not found.
          type: string
        statusCode:
          description: HTTP status code of the error.
          example: 404
          type: number
      required:
        - statusCode
        - error
        - message
    Security_AI_Assistant_API_KnowledgeBaseEntryResponse:
      anyOf:
        - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntry'
        - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntry'
      discriminator:
        mapping:
          document: '#/components/schemas/Security_AI_Assistant_API_DocumentEntry'
          index: '#/components/schemas/Security_AI_Assistant_API_IndexEntry'
        propertyName: type
    Security_AI_Assistant_API_KnowledgeBaseEntryUpdateProps:
      anyOf:
        - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryUpdateFields'
        - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryUpdateFields'
      discriminator:
        mapping:
          document: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryUpdateFields'
          index: '#/components/schemas/Security_AI_Assistant_API_IndexEntryUpdateFields'
        propertyName: type
    Security_AI_Assistant_API_KnowledgeBaseEntryUpdateRouteProps:
      anyOf:
        - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields'
        - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields'
      discriminator:
        mapping:
          document: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields'
          index: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields'
        propertyName: type
    Security_AI_Assistant_API_KnowledgeBaseReadResponse200:
      type: object
      properties:
        defend_insights_exists:
          description: Indicates if Defend Insights documentation exists in the KnowledgeBase.
          example: true
          type: boolean
        elser_exists:
          description: Indicates if the ELSER model exists for the KnowledgeBase.
          example: true
          type: boolean
        is_setup_available:
          description: Indicates if the setup process is available for the KnowledgeBase.
          example: true
          type: boolean
        is_setup_in_progress:
          description: Indicates if the setup process is currently in progress.
          example: false
          type: boolean
        product_documentation_status:
          description: The status of the product documentation in the KnowledgeBase.
          example: complete
          type: string
        security_labs_exists:
          description: Indicates if Security Labs documentation exists in the KnowledgeBase.
          example: true
          type: boolean
        user_data_exists:
          description: Indicates if user data exists in the KnowledgeBase.
          example: false
          type: boolean
    Security_AI_Assistant_API_KnowledgeBaseResource:
      description: Knowledge Base resource name for grouping entries, e.g. 'security_labs', 'user', etc.
      enum:
        - security_labs
        - defend_insights
        - user
      example: security_labs
      type: string
    Security_AI_Assistant_API_KnowledgeBaseResponse:
      description: AI assistant KnowledgeBase.
      type: object
      properties:
        success:
          description: Indicates whether the method execution succeeded.
          example: true
          type: boolean
    Security_AI_Assistant_API_KnowledgeBaseResponse400:
      type: object
      properties:
        error:
          description: A short description of the error.
          example: Bad Request
          type: string
        message:
          description: A detailed error message.
          example: Invalid resource ID provided.
          type: string
        statusCode:
          description: The HTTP status code of the error.
          example: 400
          type: number
    Security_AI_Assistant_API_Message:
      description: AI assistant conversation message.
      type: object
      properties:
        content:
          description: Message content.
          example: Hello, how can I assist you today?
          type: string
        id:
          $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
          description: Message id
        isError:
          description: Whether the message is an error message.
          example: false
          type: boolean
        metadata:
          $ref: '#/components/schemas/Security_AI_Assistant_API_MessageMetadata'
          description: Metadata
        reader:
          $ref: '#/components/schemas/Security_AI_Assistant_API_Reader'
          description: Message content.
        refusal:
          description: Refusal reason returned by the model when content is filtered.
          type: string
        role:
          $ref: '#/components/schemas/Security_AI_Assistant_API_MessageRole'
          description: Message role.
          example: assistant
        timestamp:
          $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyTimestamp'
          description: The timestamp at which the message was sent or received.
          example: '2025-04-30T15:30:00Z'
        traceData:
          $ref: '#/components/schemas/Security_AI_Assistant_API_TraceData'
          description: Trace data
        user:
          $ref: '#/components/schemas/Security_AI_Assistant_API_User'
          description: The user who sent the message.
      required:
        - timestamp
        - content
        - role
    Security_AI_Assistant_API_MessageData:
      additionalProperties: true
      description: ECS-style metadata attached to the message.
      example:
        alert_id: alert-456
        user_id: abc123
      type: object
    Security_AI_Assistant_API_MessageMetadata:
      description: Message metadata
      type: object
      properties:
        contentReferences:
          $ref: '#/components/schemas/Security_AI_Assistant_API_ContentReferences'
          description: Data referred to by the message content.
        interruptResumeValue:
          $ref: '#/components/schemas/Security_AI_Assistant_API_InterruptResumeValue'
          description: When the agent is resumed after an interrupt, this field is populated with the details of the resume value.
        interruptValue:
          $ref: '#/components/schemas/Security_AI_Assistant_API_InterruptValue'
          description: When the agent is interrupted (for example, when user input is required), this field is populated with the details of the interrupt. Messages containing interruptValues in the metadata are excluded from the LLM context.
    Security_AI_Assistant_API_MessageRole:
      description: Message role.
      enum:
        - system
        - user
        - assistant
      example: assistant
      type: string
    Security_AI_Assistant_API_NonEmptyString:
      description: A string that does not contain only whitespace characters.
      example: I am a string
      format: nonempty
      minLength: 1
      type: string
    Security_AI_Assistant_API_NonEmptyTimestamp:
      description: A string that represents a timestamp in ISO 8601 format and does not contain only whitespace characters.
      example: '2023-10-31T12:00:00Z'
      format: nonempty
      minLength: 1
      type: string
    Security_AI_Assistant_API_NormalizedAnonymizationFieldError:
      type: object
      properties:
        anonymization_fields:
          description: Array of anonymization fields that caused the error.
          items:
            $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldDetailsInError'
          type: array
        err_code:
          description: Error code indicating the type of failure.
          example: UPDATE_FAILED
          type: string
        message:
          description: Error message.
          example: Failed to update anonymization field.
          type: string
        status_code:
          description: Status code of the response.
          example: 400
          type: integer
      required:
        - message
        - status_code
        - anonymization_fields
    Security_AI_Assistant_API_NormalizedKnowledgeBaseEntryError:
      type: object
      properties:
        err_code:
          description: Specific error code for the issue.
          example: UPDATE_FAILED
          type: string
        knowledgeBaseEntries:
          description: List of Knowledge Base Entries that encountered the error.
          items:
            $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryDetailsInError'
          type: array
        message:
          description: Error message describing the issue.
          example: Failed to update entry.
          type: string
        statusCode:
          description: HTTP status code associated with the error.
          example: 400
          type: integer
      required:
        - message
        - statusCode
        - knowledgeBaseEntries
    Security_AI_Assistant_API_NormalizedPromptError:
      type: object
      properties:
        err_code:
          description: A code representing the error type.
          type: string
        message:
          description: A message describing the error encountered.
          type: string
        prompts:
          description: List of prompts that encountered errors.
          items:
            $ref: '#/components/schemas/Security_AI_Assistant_API_PromptDetailsInError'
          type: array
        status_code:
          description: The HTTP status code associated with the error.
          type: integer
      required:
        - message
        - status_code
        - prompts
    Security_AI_Assistant_API_ProductDocumentationContentReference:
      allOf:
        - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseContentReference'
        - type: object
          properties:
            title:
              description: Title of the documentation
              example: Getting Started with Security AI Assistant
              type: string
            type:
              enum:
                - ProductDocumentation
              example: ProductDocumentation
              type: string
            url:
              description: URL to the documentation
              example: https://docs.example.com/security-ai-assistant
              type: string
          required:
            - type
            - title
            - url
      description: References the product documentation
    Security_AI_Assistant_API_PromptCreateProps:
      type: object
      properties:
        categories:
          description: List of categories for the prompt.
          example:
            - security
            - verification
          items:
            type: string
          type: array
        color:
          description: The color associated with the prompt.
          example: blue
          type: string
        consumer:
          description: The consumer associated with the prompt.
          example: admin
          type: string
        content:
          description: The content of the prompt.
          example: Please verify the security settings.
          type: string
        isDefault:
          description: Whether this prompt should be the default.
          example: false
          type: boolean
        isNewConversationDefault:
          description: Whether this prompt should be the default for new conversations.
          example: true
          type: boolean
        name:
          description: The name of the prompt.
          example: New Security Prompt
          type: string
        promptType:
          $ref: '#/components/schemas/Security_AI_Assistant_API_PromptType'
          description: The type of the prompt.
          example: system
      required:
        - name
        - content
        - promptType
    Security_AI_Assistant_API_PromptDetailsInError:
      type: object
      properties:
        id:
          description: The ID of the prompt that encountered an error.
          type: string
        name:
          description: The name of the prompt that encountered an error.
          type: string
      required:
        - id
    Security_AI_Assistant_API_PromptResponse:
      type: object
      properties:
        categories:
          description: Categories associated with the prompt.
          items:
            type: string
          type: array
        color:
          description: The color associated with the prompt.
          type: string
        consumer:
          description: The consumer that the prompt is associated with.
          type: string
        content:
          description: The content of the prompt.
          type: string
        createdAt:
          description: The timestamp of when the prompt was created.
          type: string
        createdBy:
          description: The user who created the prompt.
          type: string
        id:
          $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
        isDefault:
          description: Whether this prompt is the default.
          type: boolean
        isNewConversationDefault:
          description: Whether this prompt is the default for new conversations.
          type: boolean
        name:
          description: The name of the prompt.
          type: string
        namespace:
          description: Kibana space where the prompt is located.
          type: string
        promptType:
          $ref: '#/components/schemas/Security_AI_Assistant_API_PromptType'
          description: The type of the prompt.
        timestamp:
          $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyTimestamp'
        updatedAt:
          description: The timestamp of when the prompt was last updated.
          type: string
        updatedBy:
          description: The user who last updated the prompt.
          type: string
        users:
          description: List of users associated with the prompt.
          items:
            $ref: '#/components/schemas/Security_AI_Assistant_API_User'
          type: array
      required:
        - id
        - name
        - promptType
        - content
    Security_AI_Assistant_API_PromptsBulkActionSkipReason:
      description: Reason why a prompt was skipped during the bulk action.
      enum:
        - PROMPT_FIELD_NOT_MODIFIED
      type: string
    Security_AI_Assistant_API_PromptsBulkActionSkipResult:
      type: object
      properties:
        id:
          description: The ID of the prompt that was skipped.
          type: string
        name:
          description: The name of the prompt that was skipped.
          type: string
        skip_reason:
          $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipReason'
          description: The reason for skipping the prompt.
      required:
        - id
        - skip_reason
    Security_AI_Assistant_API_PromptsBulkCrudActionResponse:
      type: object
      properties:
        attributes:
          type: object
          properties:
            errors:
              items:
                $ref: '#/components/schemas/Security_AI_Assistant_API_NormalizedPromptError'
              type: array
            results:
              $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResults'
            summary:
              $ref: '#/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary'
          required:
            - results
            - summary
        message:
          description: A message describing the result of the bulk action.
          example: Bulk action completed successfully.
          type: string
        prompts_count:
          description: The number of prompts processed in the bulk action.
          example: 6
          type: integer
        status_code:
          description: The HTTP status code of the response.
          example: 200
          type: integer
        success:
          description: Indicates if the bulk action was successful.
          example: true
          type: boolean
      required:
        - attributes
    Security_AI_Assistant_API_PromptsBulkCrudActionResults:
      type: object
      properties:
        created:
          description: List of prompts that were created.
          items:
            $ref: '#/components/schemas/Security_AI_Assistant_API_PromptResponse'
          type: array
        deleted:
          description: List of IDs of prompts that were deleted.
          items:
            type: string
          type: array
        skipped:
          description: List of prompts that were skipped.
          items:
            $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipResult'
          type: array
        updated:
          description: List of prompts that were updated.
          items:
            $ref: '#/components/schemas/Security_AI_Assistant_API_PromptResponse'
          type: array
      required:
        - updated
        - created
        - deleted
        - skipped
    Security_AI_Assistant_API_PromptType:
      description: Type of the prompt (either system or quick).
      enum:
        - system
        - quick
      type: string
    Security_AI_Assistant_API_PromptUpdateProps:
      type: object
      properties:
        categories:
          description: The updated categories for the prompt.
          example:
            - security
            - alert
          items:
            type: string
          type: array
        color:
          description: The updated color associated with the prompt.
          example: green
          type: string
        consumer:
          description: The updated consumer for the prompt.
          example: user123
          type: string
        content:
          description: The updated content for the prompt.
          example: Updated content for security prompt.
          type: string
        id:
          description: The ID of the prompt to update.
          example: prompt123
          type: string
        isDefault:
          description: Whether this prompt should be the default.
          example: true
          type: boolean
        isNewConversationDefault:
          description: Whether the prompt should be the default for new conversations.
          example: false
          type: boolean
      required:
        - id
    Security_AI_Assistant_API_Provider:
      description: Provider
      enum:
        - OpenAI
        - Azure OpenAI
        - Other
      example: OpenAI
      type: string
    Security_AI_Assistant_API_Reader:
      additionalProperties: true
      type: object
    Security_AI_Assistant_API_Replacements:
      additionalProperties:
        type: string
      description: Replacements object used to anonymize/deanonymize messages
      type: object
    Security_AI_Assistant_API_ResponseFields:
      type: object
      properties:
        createdAt:
          description: Time the Knowledge Base Entry was created.
          example: '2023-01-01T12:00:00Z'
          type: string
        createdBy:
          description: User who created the Knowledge Base Entry.
          example: admin
          type: string
        id:
          $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
        updatedAt:
          description: Time the Knowledge Base Entry was last updated.
          example: '2023-01-02T12:00:00Z'
          type: string
        updatedBy:
          description: User who last updated the Knowledge Base Entry.
          example: editor
          type: string
      required:
        - id
        - createdAt
        - createdBy
        - updatedAt
        - updatedBy
    Security_AI_Assistant_API_SecurityAlertContentReference:
      allOf:
        - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseContentReference'
        - type: object
          properties:
            alertId:
              description: ID of the Alert
              example: alert789
              type: string
            type:
              enum:
                - SecurityAlert
              example: SecurityAlert
              type: string
          required:
            - type
            - alertId
      description: References a security alert
    Security_AI_Assistant_API_SecurityAlertsPageContentReference:
      allOf:
        - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseContentReference'
        - type: object
          properties:
            type:
              enum:
                - SecurityAlertsPage
              example: SecurityAlertsPage
              type: string
          required:
            - type
      description: References the security alerts page
    Security_AI_Assistant_API_SelectOptionInterruptOption:
      description: A request approval option
      type: object
      properties:
        buttonColor:
          enum:
            - text
            - accent
            - accentSecondary
            - primary
            - success
            - warning
            - danger
            - neutral
            - risk
          example: danger
          type: string
        label:
          example: Option 1
          type: string
        value:
          example: option_1
          type: string
      required:
        - label
        - value
    Security_AI_Assistant_API_SelectOptionInterruptResumeValue:
      allOf:
        - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseInterruptResumeValue'
        - type: object
          properties:
            type:
              enum:
                - SELECT_OPTION
              example: SELECT_OPTION
              type: string
            value:
              description: The value of the selected option to resume the graph execution with
              example: option_1
              type: string
          required:
            - value
            - type
      description: A request approval resume schema
    Security_AI_Assistant_API_SelectOptionInterruptValue:
      allOf:
        - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseInterruptValue'
        - type: object
          properties:
            description:
              description: Description of action required
              example: Select one of the options
              type: string
            options:
              description: List of actions to choose from
              example:
                - label: Option 1
                - label: Option 2
              items:
                $ref: '#/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptOption'
              type: array
            type:
              enum:
                - SELECT_OPTION
              example: SELECT_OPTION
              type: string
          required:
            - type
            - description
            - options
      description: Interrupt that requests the user to select one of the provided options
    Security_AI_Assistant_API_SortOrder:
      description: The order in which results are sorted.
      enum:
        - asc
        - desc
      example: asc
      type: string
    Security_AI_Assistant_API_TraceData:
      description: Trace Data
      type: object
      properties:
        traceId:
          description: Could be any string, not necessarily a UUID
          example: d9876543-f0a1-2345-6789-abcdef123456
          type: string
        transactionId:
          description: Could be any string, not necessarily a UUID
          example: a1234567-bc89-0def-1234-56789abcdef0
          type: string
    Security_AI_Assistant_API_User:
      description: Could be any string, not necessarily a UUID.
      type: object
      properties:
        id:
          description: User id.
          example: user123
          type: string
        name:
          description: User name.
          example: John Doe
          type: string
    Security_AI_Assistant_API_Vector:
      description: Object containing Knowledge Base Entry text embeddings and modelId used to create the embeddings.
      type: object
      properties:
        modelId:
          description: ID of the model used to create the embeddings.
          example: bert-base-uncased
          type: string
        tokens:
          additionalProperties:
            type: number
          description: Tokens with their corresponding values.
          example:
            token1: 0.123
            token2: 0.456
          type: object
      required:
        - modelId
        - tokens
    Security_Attack_discovery_API_AnonymizationFieldResponse:
      type: object
      properties:
        allowed:
          description: Whether this field is allowed to be sent to the model.
          example: true
          type: boolean
        anonymized:
          description: Whether this field should be anonymized.
          example: false
          type: boolean
        createdAt:
          description: Timestamp of when the anonymization field was created.
          example: '2023-10-31T12:00:00Z'
          type: string
        createdBy:
          description: Username of the person who created the anonymization field.
          example: user1
          type: string
        field:
          description: Name of the anonymization field.
          example: url.domain
          type: string
        id:
          $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString'
          description: The ID of the anonymization field.
        namespace:
          description: Kibana space in which this anonymization field exists.
          example: default
          type: string
        timestamp:
          $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyTimestamp'
          description: Timestamp when the anonymization field was initially created.
        updatedAt:
          description: Timestamp of the last update.
          example: '2023-10-31T12:00:00Z'
          type: string
        updatedBy:
          description: Username of the person who last updated the field.
          example: user1
          type: string
      required:
        - id
        - field
    Security_Attack_discovery_API_ApiConfig:
      type: object
      properties:
        actionTypeId:
          description: Action type ID
          example: actionType456
          type: string
        connectorId:
          description: Connector ID
          example: connector123
          type: string
        defaultSystemPromptId:
          description: Default system prompt ID
          example: systemPrompt001
          type: string
        model:
          description: Model
          example: gpt-4
          type: string
        provider:
          $ref: '#/components/schemas/Security_Attack_discovery_API_Provider'
          description: Provider
          example: OpenAI
      required:
        - connectorId
        - actionTypeId
    Security_Attack_discovery_API_AttackDiscoveryApiAlert:
      description: An attack discovery that's also an alert (Public API with snake_case)
      type: object
      properties:
        alert_ids:
          description: The alert IDs that the attack discovery is based on
          items:
            type: string
          type: array
        alert_rule_uuid:
          description: The optional kibana.alert.rule.uuid of the rule that generated this attack discovery (not applicable to ad hoc runs)
          type: string
        alert_start:
          description: The optional time the attack discovery alert was created
          type: string
        alert_updated_at:
          description: The optional time the attack discovery alert was last updated
          type: string
        alert_updated_by_user_id:
          description: The optional id of the user who last updated the attack discovery alert
          type: string
        alert_updated_by_user_name:
          description: The optional username of the user who updated the attack discovery alert
          type: string
        alert_workflow_status:
          description: The optional kibana.alert.workflow_status of this attack discovery
          type: string
        alert_workflow_status_updated_at:
          description: The optional time the attack discovery alert workflow status was last updated
          type: string
        assignees:
          description: The optional array of IDs of the users who have been assigned the attack
          items:
            type: string
          type: array
        connector_id:
          description: The ID of the connector that generated the attack discovery
          type: string
        connector_name:
          description: The (human readable) name of the connector that generated the attack discovery
          type: string
        details_markdown:
          description: Details of the attack with bulleted markdown that always uses special syntax for field names and values from the source data.
          type: string
        entity_summary_markdown:
          description: An optional, short (no more than a sentence) summary of the attack discovery featuring only the host.name and user.name fields (when they are applicable), using the same syntax
          type: string
        generation_uuid:
          description: The generation ID of the run that created the attack discovery
          type: string
        id:
          description: The unique ID of the attack discovery
          type: string
        index:
          description: The concrete Elasticsearch index where this attack discovery is stored
          type: string
        mitre_attack_tactics:
          description: An optional array of MITRE ATT&CK tactics for the attack discovery
          items:
            type: string
          type: array
        replacements:
          $ref: '#/components/schemas/Security_Attack_discovery_API_Replacements'
          description: Key-value pairs that are used to replace placeholders in the markdown fields
        risk_score:
          description: The optional (but typically populated after generation) risk score of the alert
          type: integer
        summary_markdown:
          description: A markdown summary of the attack discovery, using the same syntax
          type: string
        tags:
          description: The optional array of tags assigned to the attack
          items:
            type: string
          type: array
        timestamp:
          $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyTimestamp'
          description: The time the attack discovery was generated
        title:
          description: A title for the attack discovery, in plain text
          type: string
        user_id:
          description: The optional id of the user who generated the attack discovery
          type: string
        user_name:
          description: The optional username of the user who generated the attack discovery (not applicable to attack discoveries generated by rules)
          type: string
        users:
          description: The optional array of users who may view the attack discovery. When empty (or not present), all users may view the attack discovery.
          items:
            $ref: '#/components/schemas/Security_Attack_discovery_API_User'
          type: array
      required:
        - alert_ids
        - connector_id
        - connector_name
        - details_markdown
        - generation_uuid
        - id
        - summary_markdown
        - timestamp
        - title
    Security_Attack_discovery_API_AttackDiscoveryApiSchedule:
      description: An Attack Discovery schedule
      type: object
      properties:
        actions:
          description: The Attack Discovery schedule actions
          items:
            $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction'
          type: array
        created_at:
          description: The date the schedule was created
          format: date-time
          type: string
        created_by:
          description: The name of the user that created the schedule
          type: string
        enabled:
          description: Indicates whether the schedule is enabled
          type: boolean
        id:
          description: UUID of the Attack Discovery schedule
          type: string
        last_execution:
          $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleExecution'
          description: The Attack Discovery schedule last execution summary
        name:
          description: The name of the schedule
          type: string
        params:
          $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams'
          description: The Attack Discovery schedule configuration parameters
        schedule:
          $ref: '#/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule'
          description: The Attack Discovery schedule interval
        updated_at:
          description: The date the schedule was updated
          format: date-time
          type: string
        updated_by:
          description: The name of the user that updated the schedule
          type: string
      required:
        - id
        - name
        - created_by
        - updated_by
        - created_at
        - updated_at
        - enabled
        - params
        - schedule
        - actions
    Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction:
      oneOf:
        - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleGeneralAction'
        - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleSystemAction'
    Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionAlertsFilter:
      additionalProperties: true
      type: object
    Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionFrequency:
      description: The action frequency defines when the action runs (for example, only on schedule execution or at specific time intervals).
      type: object
      properties:
        notify_when:
          $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionNotifyWhen'
        summary:
          description: Action summary indicates whether we will send a summary notification about all the generated alerts or a notification per individual alert
          type: boolean
        throttle:
          $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionThrottle'
          nullable: true
      required:
        - summary
        - notify_when
        - throttle
    Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionGroup:
      description: Groups actions by use cases. Use `default` for alert notifications.
      type: string
    Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionId:
      description: The connector ID.
      type: string
    Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionNotifyWhen:
      description: 'The condition for throttling the notification: `onActionGroupChange`, `onActiveAlert`, or `onThrottleInterval`'
      enum:
        - onActiveAlert
        - onThrottleInterval
        - onActionGroupChange
      type: string
    Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionParams:
      additionalProperties: true
      description: Object containing the allowed connector fields, which vary according to the connector type.
      type: object
    Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionThrottle:
      description: Defines how often schedule actions are taken. Time interval in seconds, minutes, hours, or days.
      example: 1h
      pattern: ^[1-9]\d*[smhd]$
      type: string
    Security_Attack_discovery_API_AttackDiscoveryApiScheduleCreateProps:
      description: Properties for creating an Attack Discovery schedule
      type: object
      properties:
        actions:
          description: The Attack Discovery schedule actions
          items:
            $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction'
          type: array
        enabled:
          description: Indicates whether the schedule is enabled
          type: boolean
        name:
          description: The name of the schedule
          type: string
        params:
          $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams'
          description: The Attack Discovery schedule configuration parameters
        schedule:
          $ref: '#/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule'
          description: The Attack Discovery schedule interval
      required:
        - name
        - params
        - schedule
    Security_Attack_discovery_API_AttackDiscoveryApiScheduleExecution:
      description: Information about an Attack Discovery schedule execution
      type: object
      properties:
        date:
          description: Date of the execution
          format: date-time
          type: string
        duration:
          description: Duration of the execution
          type: number
        message:
          type: string
        status:
          $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleExecutionStatus'
          description: Status of the execution
      required:
        - date
        - status
        - last_duration
    Security_Attack_discovery_API_AttackDiscoveryApiScheduleExecutionStatus:
      description: An Attack Discovery schedule execution status
      enum:
        - ok
        - active
        - error
        - unknown
        - warning
      type: string
    Security_Attack_discovery_API_AttackDiscoveryApiScheduleGeneralAction:
      type: object
      properties:
        action_type_id:
          description: The action type used for sending notifications.
          type: string
        alerts_filter:
          $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionAlertsFilter'
        frequency:
          $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionFrequency'
        group:
          $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionGroup'
        id:
          $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionId'
        params:
          $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionParams'
        uuid:
          $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString'
      required:
        - action_type_id
        - group
        - id
        - params
    Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams:
      description: Attack Discovery schedule parameters
      type: object
      properties:
        alerts_index_pattern:
          description: The index pattern to get alerts from
          type: string
        api_config:
          allOf:
            - $ref: '#/components/schemas/Security_Attack_discovery_API_ApiConfig'
            - type: object
              properties:
                name:
                  description: The name of the connector
                  type: string
              required:
                - name
          description: LLM API configuration.
        combined_filter:
          additionalProperties: true
          type: object
        end:
          type: string
        filters:
          $ref: '#/components/schemas/Security_Attack_discovery_API_Filters'
        query:
          $ref: '#/components/schemas/Security_Attack_discovery_API_Query'
        size:
          type: number
        start:
          type: string
      required:
        - alerts_index_pattern
        - api_config
        - size
    Security_Attack_discovery_API_AttackDiscoveryApiScheduleSystemAction:
      type: object
      properties:
        action_type_id:
          description: The action type used for sending notifications.
          type: string
        id:
          $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionId'
        params:
          $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionParams'
        uuid:
          $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString'
      required:
        - action_type_id
        - id
        - params
    Security_Attack_discovery_API_AttackDiscoveryApiScheduleUpdateProps:
      description: Properties for updating an Attack Discovery schedule
      type: object
      properties:
        actions:
          description: The Attack Discovery schedule actions
          items:
            $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction'
          type: array
        name:
          description: The name of the schedule
          type: string
        params:
          $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams'
          description: The Attack Discovery schedule configuration parameters
        schedule:
          $ref: '#/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule'
          description: The Attack Discovery schedule interval
      required:
        - name
        - params
        - schedule
        - actions
    Security_Attack_discovery_API_AttackDiscoveryFindSortField:
      description: Allowed field names to sort Attack Discovery results by. Clients should only pass one of the listed values.
      enum:
        - '@timestamp'
      type: string
    Security_Attack_discovery_API_AttackDiscoveryGeneration:
      type: object
      properties:
        alerts_context_count:
          description: The number of alerts sent as context (max kibana.alert.rule.execution.metrics.alert_counts.active) to the LLM for the generation
          type: number
        connector_id:
          description: The connector id (event.dataset) for this generation
          type: string
        connector_stats:
          description: Stats applicable to the connector for this generation
          type: object
          properties:
            average_successful_duration_nanoseconds:
              description: The average duration (avg event.duration) in nanoseconds of successful generations for the same connector id, for the current user
              type: number
            successful_generations:
              description: The number of successful generations for the same connector id, for the current user
              type: number
        discoveries:
          description: The number of new Attack discovery alerts (max kibana.alert.rule.execution.metrics.alert_counts.new) for this generation
          type: number
        end:
          description: When generation ended (max event.end)
          type: string
        execution_uuid:
          description: The unique identifier (kibana.alert.rule.execution.uuid) for the generation
          type: string
        loading_message:
          description: Generation loading message (kibana.alert.rule.execution.status)
          type: string
        reason:
          description: Reason for failed generations (event.reason)
          type: string
        start:
          description: When generation started (min event.start)
          type: string
        status:
          description: The status of the attack discovery generation
          enum:
            - canceled
            - dismissed
            - failed
            - started
            - succeeded
          type: string
      required:
        - connector_id
        - discoveries
        - execution_uuid
        - loading_message
        - start
        - status
    Security_Attack_discovery_API_AttackDiscoveryGenerationConfig:
      type: object
      properties:
        alertsIndexPattern:
          description: |
            The (space specific) index pattern that contains the alerts to use as
            context for the attack discovery.
            Example: .alerts-security.alerts-default
          type: string
        anonymizationFields:
          description: The list of fields, and whether or not they are anonymized, allowed to be sent to LLMs. Consider using the output of the `/api/security_ai_assistant/anonymization_fields/_find` API (for a specific Kibana space) to provide this value.
          items:
            $ref: '#/components/schemas/Security_Attack_discovery_API_AnonymizationFieldResponse'
          type: array
        apiConfig:
          $ref: '#/components/schemas/Security_Attack_discovery_API_ApiConfig'
          description: LLM API configuration.
        connectorName:
          type: string
        end:
          type: string
        filter:
          additionalProperties: true
          description: |-
            An Elasticsearch-style query DSL object used to filter alerts. For example:
            ```json
            {
              "filter": {
                "bool": {
                  "must": [],
                  "filter": [
                    {
                      "bool": {
                        "should": [
                          {
                            "term": {
                              "user.name": { "value": "james" }
                            }
                          }
                        ],
                        "minimum_should_match": 1
                      }
                    }
                  ],
                  "should": [],
                  "must_not": []
                }
              }
            }
            ```
          type: object
        model:
          type: string
        replacements:
          $ref: '#/components/schemas/Security_Attack_discovery_API_Replacements'
        size:
          type: number
        start:
          type: string
        subAction:
          enum:
            - invokeAI
            - invokeStream
          type: string
      required:
        - apiConfig
        - alertsIndexPattern
        - anonymizationFields
        - size
        - subAction
    Security_Attack_discovery_API_AttackDiscoveryGenericError:
      description: Error response for Attack discovery schedule operations when the request is rejected. Uses `status_code` (snake_case), `error`, and `message` to match the implementation.
      type: object
      properties:
        error:
          description: Error type
          example: Bad Request
          type: string
        message:
          description: Human-readable error message describing what went wrong
          example: Invalid request parameters.
          type: string
        status_code:
          description: HTTP status code
          example: 400
          type: number
    Security_Attack_discovery_API_Filters:
      description: The filter array used to define the conditions for when alerts are selected as an Attack Discovery context. Defaults to an empty array.
      items: {}
      type: array
    Security_Attack_discovery_API_IntervalApiSchedule:
      type: object
      properties:
        interval:
          description: The schedule interval
          type: string
      required:
        - interval
    Security_Attack_discovery_API_NonEmptyString:
      description: A string that does not contain only whitespace characters.
      example: I am a string
      format: nonempty
      minLength: 1
      type: string
    Security_Attack_discovery_API_NonEmptyTimestamp:
      description: A string that represents a timestamp in ISO 8601 format and does not contain only whitespace characters.
      example: '2023-10-31T12:00:00Z'
      format: nonempty
      minLength: 1
      type: string
    Security_Attack_discovery_API_Provider:
      description: Provider
      enum:
        - OpenAI
        - Azure OpenAI
        - Other
      example: OpenAI
      type: string
    Security_Attack_discovery_API_Query:
      description: A query condition to filter alerts
      type: object
      properties:
        language:
          type: string
        query:
          oneOf:
            - type: string
            - additionalProperties: true
              type: object
      required:
        - query
        - language
    Security_Attack_discovery_API_Replacements:
      additionalProperties:
        type: string
      description: Replacements object used to anonymize/deanonymize messages
      type: object
    Security_Attack_discovery_API_SortOrder:
      description: The order in which results are sorted.
      enum:
        - asc
        - desc
      example: asc
      type: string
    Security_Attack_discovery_API_User:
      description: Could be any string, not necessarily a UUID.
      type: object
      properties:
        id:
          description: User id.
          example: user123
          type: string
        name:
          description: User name.
          example: John Doe
          type: string
    Security_Detections_API_AlertAssignees:
      type: object
      properties:
        add:
          items:
            description: A list of user profile `uid`s to assign. Users need to activate their user profile by logging into Kibana at least once.
            format: nonempty
            minLength: 1
            type: string
          type: array
        remove:
          items:
            description: A list of user profile `uid`s to unassign. Users need to activate their user profile by logging into Kibana at least once.
            format: nonempty
            minLength: 1
            type: string
          type: array
      required:
        - add
        - remove
    Security_Detections_API_AlertIds:
      description: A list of alert `id`s.
      items:
        format: nonempty
        minLength: 1
        type: string
      minItems: 1
      type: array
    Security_Detections_API_AlertsIndex:
      deprecated: true
      description: (deprecated) Has no effect.
      type: string
    Security_Detections_API_AlertsIndexNamespace:
      description: Has no effect.
      type: string
    Security_Detections_API_AlertsSort:
      oneOf:
        - $ref: '#/components/schemas/Security_Detections_API_AlertsSortCombinations'
        - items:
            $ref: '#/components/schemas/Security_Detections_API_AlertsSortCombinations'
          type: array
    Security_Detections_API_AlertsSortCombinations:
      anyOf:
        - type: string
        - additionalProperties: true
          type: object
    Security_Detections_API_AlertStatusExceptClosed:
      description: The status of an alert, excluding `closed`. It can be `open`, `acknowledged`, or `in-progress`.
      enum:
        - open
        - acknowledged
        - in-progress
      type: string
    Security_Detections_API_AlertSuppression:
      description: Defines alert suppression configuration.
      type: object
      properties:
        duration:
          $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionDuration'
        group_by:
          $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionGroupBy'
        missing_fields_strategy:
          $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionMissingFieldsStrategy'
      required:
        - group_by
    Security_Detections_API_AlertSuppressionDuration:
      type: object
      properties:
        unit:
          $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionDurationUnit'
        value:
          minimum: 1
          type: integer
      required:
        - value
        - unit
    Security_Detections_API_AlertSuppressionDurationUnit:
      description: Time unit
      enum:
        - s
        - m
        - h
      type: string
    Security_Detections_API_AlertSuppressionGroupBy:
      items:
        type: string
      maxItems: 3
      minItems: 1
      type: array
    Security_Detections_API_AlertSuppressionMissingFieldsStrategy:
      description: |-
        Describes how alerts are generated for documents with missing suppress-by fields:

        - `doNotSuppress`: a separate alert is created for each document
        - `suppress`: only one alert is created per suppress-by bucket
      enum:
        - doNotSuppress
        - suppress
      type: string
    Security_Detections_API_AlertTag:
      description: Use alert tags to organize related alerts into categories that you can filter and group.
      format: nonempty
      minLength: 1
      type: string
    Security_Detections_API_AlertTags:
      description: List of keywords to organize related alerts into categories that you can filter and group.
      items:
        $ref: '#/components/schemas/Security_Detections_API_AlertTag'
      type: array
    Security_Detections_API_AnomalyThreshold:
      description: Anomaly score threshold above which the rule creates an alert. Valid values are from 0 to 100.
      minimum: 0
      type: integer
    Security_Detections_API_BuildingBlockType:
      description: |
        Determines if the rule acts as a building block. If yes, the value must be `default`.
        By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts.
        For more information, refer to [About building block rules](https://www.elastic.co/docs/solutions/security/detect-and-alert/about-building-block-rules).
      type: string
    Security_Detections_API_BulkActionEditPayload:
      anyOf:
        - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadTags'
        - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadIndexPatterns'
        - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadInvestigationFields'
        - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadTimeline'
        - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadRuleActions'
        - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadSchedule'
        - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadAlertSuppression'
    Security_Detections_API_BulkActionEditPayloadAlertSuppression:
      anyOf:
        - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadSetAlertSuppression'
        - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadSetAlertSuppressionForThreshold'
        - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadDeleteAlertSuppression'
    Security_Detections_API_BulkActionEditPayloadDeleteAlertSuppression:
      type: object
      properties:
        type:
          enum:
            - delete_alert_suppression
          type: string
      required:
        - type
    Security_Detections_API_BulkActionEditPayloadIndexPatterns:
      description: |
        Edits index patterns of rules.

        - `add_index_patterns` adds index patterns to rules. If an index pattern already exists for a rule, no changes are made.
        - `delete_index_patterns` removes index patterns from rules. If an index pattern does not exist for a rule, no changes are made.
        - `set_index_patterns` sets index patterns for rules, overwriting any existing index patterns. If the set of index patterns is the same as the existing index patterns, no changes are made.
      type: object
      properties:
        overwrite_data_views:
          description: Resets the data view for the rule.
          type: boolean
        type:
          enum:
            - add_index_patterns
            - delete_index_patterns
            - set_index_patterns
          type: string
        value:
          $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray'
      required:
        - type
        - value
    Security_Detections_API_BulkActionEditPayloadInvestigationFields:
      description: |
        Edits investigation fields of rules.

        - `add_investigation_fields` adds investigation fields to rules. If an investigation field already exists for a rule, no changes are made.
        - `delete_investigation_fields` removes investigation fields from rules. If an investigation field does not exist for a rule, no changes are made.
        - `set_investigation_fields` sets investigation fields for rules. If the set of investigation fields is the same as the existing investigation fields, no changes are made.
      type: object
      properties:
        type:
          enum:
            - add_investigation_fields
            - delete_investigation_fields
            - set_investigation_fields
          type: string
        value:
          $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
      required:
        - type
        - value
    Security_Detections_API_BulkActionEditPayloadRuleActions:
      description: |
        Edits rule actions of rules.

        - `add_rule_actions` adds rule actions to rules. This action is non-idempotent, meaning that even if the same rule action already exists for a rule, it will be added again with a new unique ID.
        - `set_rule_actions` sets rule actions for rules. This action is non-idempotent, meaning that even if the same set of rule actions already exists for a rule, it will be set again and the actions will receive new unique IDs.
      type: object
      properties:
        type:
          enum:
            - add_rule_actions
            - set_rule_actions
          type: string
        value:
          type: object
          properties:
            actions:
              items:
                $ref: '#/components/schemas/Security_Detections_API_NormalizedRuleAction'
              type: array
            throttle:
              $ref: '#/components/schemas/Security_Detections_API_ThrottleForBulkActions'
          required:
            - actions
      required:
        - type
        - value
    Security_Detections_API_BulkActionEditPayloadSchedule:
      description: |
        Overwrites schedule of rules.

        - `set_schedule` sets a schedule for rules. If the same schedule already exists for a rule, no changes are made.

        Both `interval` and `lookback` have a format of "{integer}{time_unit}", where accepted time units are `s` for seconds, `m` for minutes, and `h` for hours. The integer must be greater than 0. Examples: "45s", "30m", "6h".
      type: object
      properties:
        type:
          enum:
            - set_schedule
          type: string
        value:
          type: object
          properties:
            interval:
              description: Interval in which the rule runs. For example, `"1h"` means the rule runs every hour.
              example: 1h
              pattern: ^[1-9]\d*[smh]$
              type: string
            lookback:
              description: |
                Lookback time for the rules.

                Additional look-back time that the rule analyzes. For example, "10m" means the rule analyzes the last 10 minutes of data in addition to the frequency interval.
              example: 1h
              pattern: ^[1-9]\d*[smh]$
              type: string
          required:
            - interval
            - lookback
      required:
        - type
        - value
    Security_Detections_API_BulkActionEditPayloadSetAlertSuppression:
      type: object
      properties:
        type:
          enum:
            - set_alert_suppression
          type: string
        value:
          $ref: '#/components/schemas/Security_Detections_API_AlertSuppression'
      required:
        - type
        - value
    Security_Detections_API_BulkActionEditPayloadSetAlertSuppressionForThreshold:
      type: object
      properties:
        type:
          enum:
            - set_alert_suppression_for_threshold
          type: string
        value:
          $ref: '#/components/schemas/Security_Detections_API_ThresholdAlertSuppression'
      required:
        - type
        - value
    Security_Detections_API_BulkActionEditPayloadTags:
      description: |
        Edits tags of rules.

        - `add_tags` adds tags to rules. If a tag already exists for a rule, no changes are made.
        - `delete_tags` removes tags from rules. If a tag does not exist for a rule, no changes are made.
        - `set_tags` sets tags for rules, overwriting any existing tags. If the set of tags is the same as the existing tags, no changes are made.
      type: object
      properties:
        type:
          enum:
            - add_tags
            - delete_tags
            - set_tags
          type: string
        value:
          $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
      required:
        - type
        - value
    Security_Detections_API_BulkActionEditPayloadTimeline:
      description: |
        Edits timeline of rules.

        - `set_timeline` sets a timeline for rules. If the same timeline already exists for a rule, no changes are made.
      type: object
      properties:
        type:
          enum:
            - set_timeline
          type: string
        value:
          type: object
          properties:
            timeline_id:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
            timeline_title:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
          required:
            - timeline_id
            - timeline_title
      required:
        - type
        - value
    Security_Detections_API_BulkActionsDryRunErrCode:
      enum:
        - IMMUTABLE
        - PREBUILT_CUSTOMIZATION_LICENSE
        - MACHINE_LEARNING_AUTH
        - MACHINE_LEARNING_INDEX_PATTERN
        - ESQL_INDEX_PATTERN
        - MANUAL_RULE_RUN_FEATURE
        - MANUAL_RULE_RUN_DISABLED_RULE
        - THRESHOLD_RULE_TYPE_IN_SUPPRESSION
        - UNSUPPORTED_RULE_IN_SUPPRESSION_FOR_THRESHOLD
        - RULE_FILL_GAPS_DISABLED_RULE
        - USER_INSUFFICIENT_RULE_PRIVILEGES
      type: string
    Security_Detections_API_BulkActionSkipResult:
      type: object
      properties:
        id:
          type: string
        name:
          type: string
        skip_reason:
          oneOf:
            - $ref: '#/components/schemas/Security_Detections_API_BulkEditSkipReason'
            - $ref: '#/components/schemas/Security_Detections_API_BulkGapsFillingSkipReason'
      required:
        - id
        - skip_reason
    Security_Detections_API_BulkDeleteRules:
      type: object
      properties:
        action:
          enum:
            - delete
          type: string
        gap_auto_fill_scheduler_id:
          description: Gap auto fill scheduler ID used to determine gap fill status for rules
          type: string
        gap_fill_statuses:
          description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*).
          items:
            $ref: '#/components/schemas/Security_Detections_API_GapFillStatus'
          type: array
        gaps_range_end:
          description: Gaps range end, valid only when query is provided
          type: string
        gaps_range_start:
          description: Gaps range start, valid only when query is provided
          type: string
        ids:
          description: |
            Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here.
            Only valid when query property is undefined.
          items:
            type: string
          minItems: 1
          type: array
        query:
          description: Query to filter rules.
          type: string
      required:
        - action
    Security_Detections_API_BulkDisableRules:
      type: object
      properties:
        action:
          enum:
            - disable
          type: string
        gap_auto_fill_scheduler_id:
          description: Gap auto fill scheduler ID used to determine gap fill status for rules
          type: string
        gap_fill_statuses:
          description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*).
          items:
            $ref: '#/components/schemas/Security_Detections_API_GapFillStatus'
          type: array
        gaps_range_end:
          description: Gaps range end, valid only when query is provided
          type: string
        gaps_range_start:
          description: Gaps range start, valid only when query is provided
          type: string
        ids:
          description: |
            Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here.
            Only valid when query property is undefined.
          items:
            type: string
          minItems: 1
          type: array
        query:
          description: Query to filter rules.
          type: string
      required:
        - action
    Security_Detections_API_BulkDuplicateRules:
      type: object
      properties:
        action:
          enum:
            - duplicate
          type: string
        duplicate:
          description: Duplicate object that describes applying an update action.
          type: object
          properties:
            include_exceptions:
              description: Whether to copy exceptions from the original rule
              type: boolean
            include_expired_exceptions:
              description: Whether to copy expired exceptions from the original rule
              type: boolean
          required:
            - include_exceptions
            - include_expired_exceptions
        gap_auto_fill_scheduler_id:
          description: Gap auto fill scheduler ID used to determine gap fill status for rules
          type: string
        gap_fill_statuses:
          description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*).
          items:
            $ref: '#/components/schemas/Security_Detections_API_GapFillStatus'
          type: array
        gaps_range_end:
          description: Gaps range end, valid only when query is provided
          type: string
        gaps_range_start:
          description: Gaps range start, valid only when query is provided
          type: string
        ids:
          description: |
            Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here.
            Only valid when query property is undefined.
          items:
            type: string
          minItems: 1
          type: array
        query:
          description: Query to filter rules.
          type: string
      required:
        - action
    Security_Detections_API_BulkEditActionResponse:
      type: object
      properties:
        attributes:
          type: object
          properties:
            errors:
              items:
                $ref: '#/components/schemas/Security_Detections_API_NormalizedRuleError'
              type: array
            results:
              $ref: '#/components/schemas/Security_Detections_API_BulkEditActionResults'
            summary:
              $ref: '#/components/schemas/Security_Detections_API_BulkEditActionSummary'
          required:
            - results
            - summary
        message:
          type: string
        rules_count:
          type: integer
        status_code:
          type: integer
        success:
          type: boolean
      required:
        - attributes
    Security_Detections_API_BulkEditActionResults:
      type: object
      properties:
        created:
          items:
            $ref: '#/components/schemas/Security_Detections_API_RuleResponse'
          type: array
        deleted:
          items:
            $ref: '#/components/schemas/Security_Detections_API_RuleResponse'
          type: array
        skipped:
          items:
            $ref: '#/components/schemas/Security_Detections_API_BulkActionSkipResult'
          type: array
        updated:
          items:
            $ref: '#/components/schemas/Security_Detections_API_RuleResponse'
          type: array
      required:
        - updated
        - created
        - deleted
        - skipped
    Security_Detections_API_BulkEditActionSummary:
      description: A rule can only be skipped when the bulk action to be performed on it results in nothing being done. For example, if the `edit` action is used to add a tag to a rule that already has that tag, or to delete an index pattern that is not specified in a rule. Objects returned in `attributes.results.skipped` will only include rules' `id`, `name`, and `skip_reason`.
      type: object
      properties:
        failed:
          type: integer
        skipped:
          type: integer
        succeeded:
          type: integer
        total:
          type: integer
      required:
        - failed
        - skipped
        - succeeded
        - total
    Security_Detections_API_BulkEditRules:
      type: object
      properties:
        action:
          enum:
            - edit
          type: string
        edit:
          description: Array of objects containing the edit operations
          items:
            $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayload'
          minItems: 1
          type: array
        gap_auto_fill_scheduler_id:
          description: Gap auto fill scheduler ID used to determine gap fill status for rules
          type: string
        gap_fill_statuses:
          description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*).
          items:
            $ref: '#/components/schemas/Security_Detections_API_GapFillStatus'
          type: array
        gaps_range_end:
          description: Gaps range end, valid only when query is provided
          type: string
        gaps_range_start:
          description: Gaps range start, valid only when query is provided
          type: string
        ids:
          description: |
            Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here.
            Only valid when query property is undefined.
          items:
            type: string
          minItems: 1
          type: array
        query:
          description: Query to filter rules.
          type: string
      required:
        - action
        - edit
    Security_Detections_API_BulkEditSkipReason:
      enum:
        - RULE_NOT_MODIFIED
      type: string
    Security_Detections_API_BulkEnableRules:
      type: object
      properties:
        action:
          enum:
            - enable
          type: string
        gap_auto_fill_scheduler_id:
          description: Gap auto fill scheduler ID used to determine gap fill status for rules
          type: string
        gap_fill_statuses:
          description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*).
          items:
            $ref: '#/components/schemas/Security_Detections_API_GapFillStatus'
          type: array
        gaps_range_end:
          description: Gaps range end, valid only when query is provided
          type: string
        gaps_range_start:
          description: Gaps range start, valid only when query is provided
          type: string
        ids:
          description: |
            Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here.
            Only valid when query property is undefined.
          items:
            type: string
          minItems: 1
          type: array
        query:
          description: Query to filter rules.
          type: string
      required:
        - action
    Security_Detections_API_BulkExportActionResponse:
      type: string
    Security_Detections_API_BulkExportRules:
      type: object
      properties:
        action:
          enum:
            - export
          type: string
        gap_auto_fill_scheduler_id:
          description: Gap auto fill scheduler ID used to determine gap fill status for rules
          type: string
        gap_fill_statuses:
          description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*).
          items:
            $ref: '#/components/schemas/Security_Detections_API_GapFillStatus'
          type: array
        gaps_range_end:
          description: Gaps range end, valid only when query is provided
          type: string
        gaps_range_start:
          description: Gaps range start, valid only when query is provided
          type: string
        ids:
          description: |
            Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here.
            Only valid when query property is undefined.
          items:
            type: string
          minItems: 1
          type: array
        query:
          description: Query to filter rules.
          type: string
      required:
        - action
    Security_Detections_API_BulkGapsFillingSkipReason:
      enum:
        - NO_GAPS_TO_FILL
      type: string
    Security_Detections_API_BulkManualRuleFillGaps:
      type: object
      properties:
        action:
          enum:
            - fill_gaps
          type: string
        fill_gaps:
          description: Object that describes applying a manual gap fill action for the specified time range.
          type: object
          properties:
            end_date:
              description: End date of the manual gap fill
              type: string
            start_date:
              description: Start date of the manual gap fill
              type: string
          required:
            - start_date
            - end_date
        gap_auto_fill_scheduler_id:
          description: Gap auto fill scheduler ID used to determine gap fill status for rules
          type: string
        gap_fill_statuses:
          description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*).
          items:
            $ref: '#/components/schemas/Security_Detections_API_GapFillStatus'
          type: array
        gaps_range_end:
          description: Gaps range end, valid only when query is provided
          type: string
        gaps_range_start:
          description: Gaps range start, valid only when query is provided
          type: string
        ids:
          description: |
            Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here.
            Only valid when query property is undefined.
          items:
            type: string
          minItems: 1
          type: array
        query:
          description: Query to filter rules.
          type: string
      required:
        - action
        - fill_gaps
    Security_Detections_API_BulkManualRuleRun:
      type: object
      properties:
        action:
          enum:
            - run
          type: string
        gap_auto_fill_scheduler_id:
          description: Gap auto fill scheduler ID used to determine gap fill status for rules
          type: string
        gap_fill_statuses:
          description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*).
          items:
            $ref: '#/components/schemas/Security_Detections_API_GapFillStatus'
          type: array
        gaps_range_end:
          description: Gaps range end, valid only when query is provided
          type: string
        gaps_range_start:
          description: Gaps range start, valid only when query is provided
          type: string
        ids:
          description: |
            Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here.
            Only valid when query property is undefined.
          items:
            type: string
          minItems: 1
          type: array
        query:
          description: Query to filter rules.
          type: string
        run:
          description: Object that describes applying a manual rule run action.
          type: object
          properties:
            end_date:
              description: End date of the manual rule run
              type: string
            start_date:
              description: Start date of the manual rule run
              type: string
          required:
            - start_date
            - end_date
      required:
        - action
        - run
    Security_Detections_API_CloseAlertsByIds:
      type: object
      properties:
        reason:
          $ref: '#/components/schemas/Security_Detections_API_Reason'
        signal_ids:
          description: 'List of alert ids. Use field `_id` on alert document or `kibana.alert.uuid`. Note: signals are a deprecated term for alerts.'
          items:
            format: nonempty
            minLength: 1
            type: string
          minItems: 1
          type: array
        status:
          enum:
            - closed
          type: string
      required:
        - signal_ids
        - status
    Security_Detections_API_CloseAlertsByQuery:
      type: object
      properties:
        conflicts:
          default: abort
          enum:
            - abort
            - proceed
          type: string
        query:
          additionalProperties: true
          type: object
        reason:
          $ref: '#/components/schemas/Security_Detections_API_Reason'
        status:
          enum:
            - closed
          type: string
      required:
        - query
        - status
    Security_Detections_API_ConcurrentSearches:
      minimum: 1
      type: integer
    Security_Detections_API_DataViewId:
      type: string
    Security_Detections_API_DefaultParams:
      type: object
      properties:
        command:
          enum:
            - isolate
          type: string
        comment:
          type: string
      required:
        - command
    Security_Detections_API_EcsMapping:
      additionalProperties:
        type: object
        properties:
          field:
            type: string
          value:
            oneOf:
              - type: string
              - items:
                  type: string
                type: array
      description: 'Map Osquery result columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}'
      type: object
    Security_Detections_API_EndpointResponseAction:
      type: object
      properties:
        action_type_id:
          enum:
            - .endpoint
          type: string
        params:
          oneOf:
            - $ref: '#/components/schemas/Security_Detections_API_DefaultParams'
            - $ref: '#/components/schemas/Security_Detections_API_ProcessesParams'
            - $ref: '#/components/schemas/Security_Detections_API_RunscriptParams'
      required:
        - action_type_id
        - params
    Security_Detections_API_EqlOptionalFields:
      type: object
      properties:
        alert_suppression:
          $ref: '#/components/schemas/Security_Detections_API_AlertSuppression'
        data_view_id:
          $ref: '#/components/schemas/Security_Detections_API_DataViewId'
        event_category_override:
          $ref: '#/components/schemas/Security_Detections_API_EventCategoryOverride'
        filters:
          $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray'
        index:
          $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray'
        tiebreaker_field:
          $ref: '#/components/schemas/Security_Detections_API_TiebreakerField'
        timestamp_field:
          $ref: '#/components/schemas/Security_Detections_API_TimestampField'
    Security_Detections_API_EqlQueryLanguage:
      enum:
        - eql
      type: string
    Security_Detections_API_EqlRequiredFields:
      type: object
      properties:
        language:
          $ref: '#/components/schemas/Security_Detections_API_EqlQueryLanguage'
          description: Query language to use
        query:
          $ref: '#/components/schemas/Security_Detections_API_RuleQuery'
        type:
          description: Rule type
          enum:
            - eql
          type: string
      required:
        - type
        - query
        - language
    Security_Detections_API_EqlRule:
      allOf:
        - type: object
          properties:
            actions:
              description: Array defining the automated actions (notifications) taken when alerts are generated.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleAction'
              type: array
            alias_purpose:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
            alias_target_id:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
            author:
              $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
            building_block_type:
              $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
            description:
              $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
            enabled:
              $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
            exceptions_list:
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
              type: array
            false_positives:
              $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
            from:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
            interval:
              $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
            investigation_fields:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
            license:
              $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
            max_signals:
              $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
            meta:
              $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
            name:
              $ref: '#/components/schemas/Security_Detections_API_RuleName'
            namespace:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
            note:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
            outcome:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
            output_index:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
            references:
              $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
            related_integrations:
              $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
            required_fields:
              description: |
                Elasticsearch fields and their types that need to be present for the rule to function.
                > info
                > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
              type: array
            response_actions:
              items:
                $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
              type: array
            risk_score:
              $ref: '#/components/schemas/Security_Detections_API_RiskScore'
            risk_score_mapping:
              $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
            rule_name_override:
              $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
            setup:
              $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
            severity:
              $ref: '#/components/schemas/Security_Detections_API_Severity'
            severity_mapping:
              $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
            tags:
              $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
            threat:
              $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
            throttle:
              $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
            timeline_id:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
            timeline_title:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
            timestamp_override:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
            timestamp_override_fallback_disabled:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
            to:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
            version:
              $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
          required:
            - name
            - description
            - risk_score
            - severity
            - version
            - tags
            - enabled
            - risk_score_mapping
            - severity_mapping
            - interval
            - from
            - to
            - actions
            - exceptions_list
            - author
            - false_positives
            - references
            - max_signals
            - threat
            - setup
            - related_integrations
            - required_fields
        - $ref: '#/components/schemas/Security_Detections_API_ResponseFields'
        - $ref: '#/components/schemas/Security_Detections_API_EqlRuleResponseFields'
    Security_Detections_API_EqlRuleCreateFields:
      allOf:
        - $ref: '#/components/schemas/Security_Detections_API_EqlRequiredFields'
        - $ref: '#/components/schemas/Security_Detections_API_EqlOptionalFields'
    Security_Detections_API_EqlRuleCreateProps:
      allOf:
        - type: object
          properties:
            actions:
              description: Array defining the automated actions (notifications) taken when alerts are generated.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleAction'
              type: array
            alias_purpose:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
            alias_target_id:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
            author:
              $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
            building_block_type:
              $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
            description:
              $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
            enabled:
              $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
            exceptions_list:
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
              type: array
            false_positives:
              $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
            from:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
            interval:
              $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
            investigation_fields:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
            license:
              $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
            max_signals:
              $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
            meta:
              $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
            name:
              $ref: '#/components/schemas/Security_Detections_API_RuleName'
            namespace:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
            note:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
            outcome:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
            output_index:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
            references:
              $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
            related_integrations:
              $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
            required_fields:
              description: |
                Elasticsearch fields and their types that need to be present for the rule to function.
                > info
                > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
              type: array
            response_actions:
              items:
                $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
              type: array
            risk_score:
              $ref: '#/components/schemas/Security_Detections_API_RiskScore'
            risk_score_mapping:
              $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
            rule_id:
              $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
            rule_name_override:
              $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
            setup:
              $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
            severity:
              $ref: '#/components/schemas/Security_Detections_API_Severity'
            severity_mapping:
              $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
            tags:
              $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
            threat:
              $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
            throttle:
              $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
            timeline_id:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
            timeline_title:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
            timestamp_override:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
            timestamp_override_fallback_disabled:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
            to:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
            version:
              $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
          required:
            - name
            - description
            - risk_score
            - severity
        - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateFields'
    Security_Detections_API_EqlRulePatchFields:
      allOf:
        - type: object
          properties:
            language:
              $ref: '#/components/schemas/Security_Detections_API_EqlQueryLanguage'
              description: Query language to use
            query:
              $ref: '#/components/schemas/Security_Detections_API_RuleQuery'
            type:
              description: Rule type
              enum:
                - eql
              type: string
        - $ref: '#/components/schemas/Security_Detections_API_EqlOptionalFields'
    Security_Detections_API_EqlRulePatchProps:
      allOf:
        - type: object
          properties:
            actions:
              description: Array defining the automated actions (notifications) taken when alerts are generated.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleAction'
              type: array
            alias_purpose:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
            alias_target_id:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
            author:
              $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
            building_block_type:
              $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
            description:
              $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
            enabled:
              $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
            exceptions_list:
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
              type: array
            false_positives:
              $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
            from:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
            id:
              $ref: '#/components/schemas/Security_Detections_API_UUID'
            interval:
              $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
            investigation_fields:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
            license:
              $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
            max_signals:
              $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
            meta:
              $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
            name:
              $ref: '#/components/schemas/Security_Detections_API_RuleName'
            namespace:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
            note:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
            outcome:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
            output_index:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
            references:
              $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
            related_integrations:
              $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
            required_fields:
              description: |
                Elasticsearch fields and their types that need to be present for the rule to function.
                > info
                > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
              type: array
            response_actions:
              items:
                $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
              type: array
            risk_score:
              $ref: '#/components/schemas/Security_Detections_API_RiskScore'
            risk_score_mapping:
              $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
            rule_id:
              $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
            rule_name_override:
              $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
            setup:
              $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
            severity:
              $ref: '#/components/schemas/Security_Detections_API_Severity'
            severity_mapping:
              $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
            tags:
              $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
            threat:
              $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
            throttle:
              $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
            timeline_id:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
            timeline_title:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
            timestamp_override:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
            timestamp_override_fallback_disabled:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
            to:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
            version:
              $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
        - $ref: '#/components/schemas/Security_Detections_API_EqlRulePatchFields'
    Security_Detections_API_EqlRuleResponseFields:
      allOf:
        - $ref: '#/components/schemas/Security_Detections_API_EqlRequiredFields'
        - $ref: '#/components/schemas/Security_Detections_API_EqlOptionalFields'
    Security_Detections_API_EqlRuleUpdateProps:
      allOf:
        - type: object
          properties:
            actions:
              description: Array defining the automated actions (notifications) taken when alerts are generated.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleAction'
              type: array
            alias_purpose:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
            alias_target_id:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
            author:
              $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
            building_block_type:
              $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
            description:
              $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
            enabled:
              $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
            exceptions_list:
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
              type: array
            false_positives:
              $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
            from:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
            id:
              $ref: '#/components/schemas/Security_Detections_API_UUID'
            interval:
              $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
            investigation_fields:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
            license:
              $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
            max_signals:
              $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
            meta:
              $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
            name:
              $ref: '#/components/schemas/Security_Detections_API_RuleName'
            namespace:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
            note:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
            outcome:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
            output_index:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
            references:
              $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
            related_integrations:
              $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
            required_fields:
              description: |
                Elasticsearch fields and their types that need to be present for the rule to function.
                > info
                > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
              type: array
            response_actions:
              items:
                $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
              type: array
            risk_score:
              $ref: '#/components/schemas/Security_Detections_API_RiskScore'
            risk_score_mapping:
              $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
            rule_id:
              $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
            rule_name_override:
              $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
            setup:
              $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
            severity:
              $ref: '#/components/schemas/Security_Detections_API_Severity'
            severity_mapping:
              $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
            tags:
              $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
            threat:
              $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
            throttle:
              $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
            timeline_id:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
            timeline_title:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
            timestamp_override:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
            timestamp_override_fallback_disabled:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
            to:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
            version:
              $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
          required:
            - name
            - description
            - risk_score
            - severity
        - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateFields'
    Security_Detections_API_ErrorSchema:
      additionalProperties: false
      type: object
      properties:
        error:
          type: object
          properties:
            message:
              type: string
            status_code:
              minimum: 400
              type: integer
          required:
            - status_code
            - message
        id:
          type: string
        item_id:
          minLength: 1
          type: string
        list_id:
          minLength: 1
          type: string
        rule_id:
          $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
      required:
        - error
    Security_Detections_API_EsqlQueryLanguage:
      enum:
        - esql
      type: string
    Security_Detections_API_EsqlRule:
      allOf:
        - type: object
          properties:
            actions:
              description: Array defining the automated actions (notifications) taken when alerts are generated.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleAction'
              type: array
            alias_purpose:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
            alias_target_id:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
            author:
              $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
            building_block_type:
              $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
            description:
              $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
            enabled:
              $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
            exceptions_list:
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
              type: array
            false_positives:
              $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
            from:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
            interval:
              $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
            investigation_fields:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
            license:
              $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
            max_signals:
              $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
            meta:
              $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
            name:
              $ref: '#/components/schemas/Security_Detections_API_RuleName'
            namespace:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
            note:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
            outcome:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
            output_index:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
            references:
              $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
            related_integrations:
              $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
            required_fields:
              description: |
                Elasticsearch fields and their types that need to be present for the rule to function.
                > info
                > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
              type: array
            response_actions:
              items:
                $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
              type: array
            risk_score:
              $ref: '#/components/schemas/Security_Detections_API_RiskScore'
            risk_score_mapping:
              $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
            rule_name_override:
              $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
            setup:
              $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
            severity:
              $ref: '#/components/schemas/Security_Detections_API_Severity'
            severity_mapping:
              $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
            tags:
              $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
            threat:
              $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
            throttle:
              $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
            timeline_id:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
            timeline_title:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
            timestamp_override:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
            timestamp_override_fallback_disabled:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
            to:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
            version:
              $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
          required:
            - name
            - description
            - risk_score
            - severity
            - version
            - tags
            - enabled
            - risk_score_mapping
            - severity_mapping
            - interval
            - from
            - to
            - actions
            - exceptions_list
            - author
            - false_positives
            - references
            - max_signals
            - threat
            - setup
            - related_integrations
            - required_fields
        - $ref: '#/components/schemas/Security_Detections_API_ResponseFields'
        - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleResponseFields'
    Security_Detections_API_EsqlRuleCreateFields:
      allOf:
        - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleOptionalFields'
        - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleRequiredFields'
    Security_Detections_API_EsqlRuleCreateProps:
      allOf:
        - type: object
          properties:
            actions:
              description: Array defining the automated actions (notifications) taken when alerts are generated.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleAction'
              type: array
            alias_purpose:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
            alias_target_id:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
            author:
              $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
            building_block_type:
              $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
            description:
              $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
            enabled:
              $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
            exceptions_list:
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
              type: array
            false_positives:
              $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
            from:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
            interval:
              $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
            investigation_fields:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
            license:
              $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
            max_signals:
              $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
            meta:
              $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
            name:
              $ref: '#/components/schemas/Security_Detections_API_RuleName'
            namespace:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
            note:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
            outcome:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
            output_index:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
            references:
              $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
            related_integrations:
              $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
            required_fields:
              description: |
                Elasticsearch fields and their types that need to be present for the rule to function.
                > info
                > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
              type: array
            response_actions:
              items:
                $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
              type: array
            risk_score:
              $ref: '#/components/schemas/Security_Detections_API_RiskScore'
            risk_score_mapping:
              $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
            rule_id:
              $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
            rule_name_override:
              $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
            setup:
              $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
            severity:
              $ref: '#/components/schemas/Security_Detections_API_Severity'
            severity_mapping:
              $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
            tags:
              $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
            threat:
              $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
            throttle:
              $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
            timeline_id:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
            timeline_title:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
            timestamp_override:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
            timestamp_override_fallback_disabled:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
            to:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
            version:
              $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
          required:
            - name
            - description
            - risk_score
            - severity
        - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateFields'
    Security_Detections_API_EsqlRuleOptionalFields:
      type: object
      properties:
        alert_suppression:
          $ref: '#/components/schemas/Security_Detections_API_AlertSuppression'
    Security_Detections_API_EsqlRulePatchProps:
      allOf:
        - type: object
          properties:
            actions:
              description: Array defining the automated actions (notifications) taken when alerts are generated.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleAction'
              type: array
            alias_purpose:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
            alias_target_id:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
            author:
              $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
            building_block_type:
              $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
            description:
              $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
            enabled:
              $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
            exceptions_list:
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
              type: array
            false_positives:
              $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
            from:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
            id:
              $ref: '#/components/schemas/Security_Detections_API_UUID'
            interval:
              $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
            investigation_fields:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
            language:
              $ref: '#/components/schemas/Security_Detections_API_EsqlQueryLanguage'
            license:
              $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
            max_signals:
              $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
            meta:
              $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
            name:
              $ref: '#/components/schemas/Security_Detections_API_RuleName'
            namespace:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
            note:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
            outcome:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
            output_index:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
            query:
              $ref: '#/components/schemas/Security_Detections_API_RuleQuery'
            references:
              $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
            related_integrations:
              $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
            required_fields:
              description: |
                Elasticsearch fields and their types that need to be present for the rule to function.
                > info
                > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
              type: array
            response_actions:
              items:
                $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
              type: array
            risk_score:
              $ref: '#/components/schemas/Security_Detections_API_RiskScore'
            risk_score_mapping:
              $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
            rule_id:
              $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
            rule_name_override:
              $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
            setup:
              $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
            severity:
              $ref: '#/components/schemas/Security_Detections_API_Severity'
            severity_mapping:
              $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
            tags:
              $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
            threat:
              $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
            throttle:
              $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
            timeline_id:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
            timeline_title:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
            timestamp_override:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
            timestamp_override_fallback_disabled:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
            to:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
            type:
              description: Rule type
              enum:
                - esql
              type: string
            version:
              $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
        - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleOptionalFields'
    Security_Detections_API_EsqlRuleRequiredFields:
      type: object
      properties:
        language:
          $ref: '#/components/schemas/Security_Detections_API_EsqlQueryLanguage'
        query:
          $ref: '#/components/schemas/Security_Detections_API_RuleQuery'
        type:
          description: Rule type
          enum:
            - esql
          type: string
      required:
        - type
        - language
        - query
    Security_Detections_API_EsqlRuleResponseFields:
      allOf:
        - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleOptionalFields'
        - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleRequiredFields'
    Security_Detections_API_EsqlRuleUpdateProps:
      allOf:
        - type: object
          properties:
            actions:
              description: Array defining the automated actions (notifications) taken when alerts are generated.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleAction'
              type: array
            alias_purpose:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
            alias_target_id:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
            author:
              $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
            building_block_type:
              $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
            description:
              $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
            enabled:
              $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
            exceptions_list:
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
              type: array
            false_positives:
              $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
            from:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
            id:
              $ref: '#/components/schemas/Security_Detections_API_UUID'
            interval:
              $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
            investigation_fields:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
            license:
              $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
            max_signals:
              $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
            meta:
              $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
            name:
              $ref: '#/components/schemas/Security_Detections_API_RuleName'
            namespace:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
            note:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
            outcome:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
            output_index:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
            references:
              $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
            related_integrations:
              $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
            required_fields:
              description: |
                Elasticsearch fields and their types that need to be present for the rule to function.
                > info
                > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
              type: array
            response_actions:
              items:
                $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
              type: array
            risk_score:
              $ref: '#/components/schemas/Security_Detections_API_RiskScore'
            risk_score_mapping:
              $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
            rule_id:
              $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
            rule_name_override:
              $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
            setup:
              $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
            severity:
              $ref: '#/components/schemas/Security_Detections_API_Severity'
            severity_mapping:
              $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
            tags:
              $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
            threat:
              $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
            throttle:
              $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
            timeline_id:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
            timeline_title:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
            timestamp_override:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
            timestamp_override_fallback_disabled:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
            to:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
            version:
              $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
          required:
            - name
            - description
            - risk_score
            - severity
        - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateFields'
    Security_Detections_API_EventCategoryOverride:
      type: string
    Security_Detections_API_ExceptionListType:
      description: The exception type
      enum:
        - detection
        - rule_default
        - endpoint
        - endpoint_trusted_apps
        - endpoint_trusted_devices
        - endpoint_events
        - endpoint_host_isolation_exceptions
        - endpoint_blocklists
      type: string
    Security_Detections_API_ExternalRuleCustomizedFields:
      description: An array of customized field names — that is, fields that the user has modified from their base value. Defaults to an empty array.
      items:
        type: object
        properties:
          field_name:
            description: Name of a user-modified field in the rule object.
            type: string
        required:
          - field_name
      type: array
    Security_Detections_API_ExternalRuleHasBaseVersion:
      description: Determines whether an external/prebuilt rule has its original, unmodified version present when the calculation of its customization status is performed (`rule_source.is_customized` and `rule_source.customized_fields`).
      type: boolean
    Security_Detections_API_ExternalRuleSource:
      description: Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.
      type: object
      properties:
        customized_fields:
          $ref: '#/components/schemas/Security_Detections_API_ExternalRuleCustomizedFields'
        has_base_version:
          $ref: '#/components/schemas/Security_Detections_API_ExternalRuleHasBaseVersion'
        is_customized:
          $ref: '#/components/schemas/Security_Detections_API_IsExternalRuleCustomized'
        type:
          enum:
            - external
          type: string
      required:
        - type
        - is_customized
        - has_base_version
        - customized_fields
    Security_Detections_API_FindRulesSortField:
      enum:
        - created_at
        - createdAt
        - enabled
        - execution_summary.last_execution.date
        - execution_summary.last_execution.metrics.execution_gap_duration_s
        - execution_summary.last_execution.metrics.total_indexing_duration_ms
        - execution_summary.last_execution.metrics.total_search_duration_ms
        - execution_summary.last_execution.status
        - name
        - risk_score
        - riskScore
        - severity
        - updated_at
        - updatedAt
      type: string
    Security_Detections_API_GapFillStatus:
      enum:
        - unfilled
        - in_progress
        - filled
        - error
      type: string
    Security_Detections_API_HistoryWindowStart:
      description: Start date to use when checking if a term has been seen before. Supports relative dates – for example, now-30d will search the last 30 days of data when checking if a term is new. We do not recommend using absolute dates, which can cause issues with rule performance due to querying increasing amounts of data over time.
      format: nonempty
      minLength: 1
      type: string
    Security_Detections_API_IndexPatternArray:
      description: |
        Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → `securitySolution:defaultIndex`).
        > info
        > This field is not supported for ES|QL rules.
      items:
        type: string
      type: array
    Security_Detections_API_InternalRuleSource:
      description: Type of rule source for internally sourced rules, i.e. rules created within the Kibana apps.
      type: object
      properties:
        type:
          enum:
            - internal
          type: string
      required:
        - type
    Security_Detections_API_InvestigationFields:
      description: |
        Schema for investigation fields. These are user-defined fields that are highlighted
        in various UI features, such as the alert details flyout and the auto-population of exceptions from an alert.
      type: object
      properties:
        field_names:
          items:
            $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
          minItems: 1
          type: array
      required:
        - field_names
    Security_Detections_API_InvestigationGuide:
      description: Notes to help investigate alerts produced by the rule.
      type: string
    Security_Detections_API_IsExternalRuleCustomized:
      description: Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).
      type: boolean
    Security_Detections_API_IsRuleEnabled:
      description: Determines whether the rule is enabled. Defaults to true.
      type: boolean
    Security_Detections_API_IsRuleImmutable:
      deprecated: true
      description: This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the `rule_source` field.
      type: boolean
    Security_Detections_API_ItemsPerSearch:
      minimum: 1
      type: integer
    Security_Detections_API_KqlQueryLanguage:
      enum:
        - kuery
        - lucene
      type: string
    Security_Detections_API_MachineLearningJobId:
      description: Machine learning job ID(s) the rule monitors for anomaly scores.
      oneOf:
        - type: string
        - items:
            type: string
          minItems: 1
          type: array
    Security_Detections_API_MachineLearningRule:
      allOf:
        - type: object
          properties:
            actions:
              description: Array defining the automated actions (notifications) taken when alerts are generated.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleAction'
              type: array
            alias_purpose:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
            alias_target_id:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
            author:
              $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
            building_block_type:
              $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
            description:
              $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
            enabled:
              $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
            exceptions_list:
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
              type: array
            false_positives:
              $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
            from:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
            interval:
              $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
            investigation_fields:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
            license:
              $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
            max_signals:
              $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
            meta:
              $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
            name:
              $ref: '#/components/schemas/Security_Detections_API_RuleName'
            namespace:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
            note:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
            outcome:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
            output_index:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
            references:
              $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
            related_integrations:
              $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
            required_fields:
              description: |
                Elasticsearch fields and their types that need to be present for the rule to function.
                > info
                > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
              type: array
            response_actions:
              items:
                $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
              type: array
            risk_score:
              $ref: '#/components/schemas/Security_Detections_API_RiskScore'
            risk_score_mapping:
              $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
            rule_name_override:
              $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
            setup:
              $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
            severity:
              $ref: '#/components/schemas/Security_Detections_API_Severity'
            severity_mapping:
              $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
            tags:
              $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
            threat:
              $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
            throttle:
              $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
            timeline_id:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
            timeline_title:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
            timestamp_override:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
            timestamp_override_fallback_disabled:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
            to:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
            version:
              $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
          required:
            - name
            - description
            - risk_score
            - severity
            - version
            - tags
            - enabled
            - risk_score_mapping
            - severity_mapping
            - interval
            - from
            - to
            - actions
            - exceptions_list
            - author
            - false_positives
            - references
            - max_signals
            - threat
            - setup
            - related_integrations
            - required_fields
        - $ref: '#/components/schemas/Security_Detections_API_ResponseFields'
        - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleResponseFields'
    Security_Detections_API_MachineLearningRuleCreateFields:
      allOf:
        - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields'
        - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields'
    Security_Detections_API_MachineLearningRuleCreateProps:
      allOf:
        - type: object
          properties:
            actions:
              description: Array defining the automated actions (notifications) taken when alerts are generated.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleAction'
              type: array
            alias_purpose:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
            alias_target_id:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
            author:
              $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
            building_block_type:
              $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
            description:
              $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
            enabled:
              $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
            exceptions_list:
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
              type: array
            false_positives:
              $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
            from:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
            interval:
              $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
            investigation_fields:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
            license:
              $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
            max_signals:
              $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
            meta:
              $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
            name:
              $ref: '#/components/schemas/Security_Detections_API_RuleName'
            namespace:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
            note:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
            outcome:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
            output_index:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
            references:
              $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
            related_integrations:
              $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
            required_fields:
              description: |
                Elasticsearch fields and their types that need to be present for the rule to function.
                > info
                > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
              type: array
            response_actions:
              items:
                $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
              type: array
            risk_score:
              $ref: '#/components/schemas/Security_Detections_API_RiskScore'
            risk_score_mapping:
              $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
            rule_id:
              $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
            rule_name_override:
              $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
            setup:
              $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
            severity:
              $ref: '#/components/schemas/Security_Detections_API_Severity'
            severity_mapping:
              $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
            tags:
              $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
            threat:
              $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
            throttle:
              $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
            timeline_id:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
            timeline_title:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
            timestamp_override:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
            timestamp_override_fallback_disabled:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
            to:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
            version:
              $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
          required:
            - name
            - description
            - risk_score
            - severity
        - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields'
    Security_Detections_API_MachineLearningRuleOptionalFields:
      type: object
      properties:
        alert_suppression:
          $ref: '#/components/schemas/Security_Detections_API_AlertSuppression'
    Security_Detections_API_MachineLearningRulePatchFields:
      allOf:
        - type: object
          properties:
            anomaly_threshold:
              $ref: '#/components/schemas/Security_Detections_API_AnomalyThreshold'
            machine_learning_job_id:
              $ref: '#/components/schemas/Security_Detections_API_MachineLearningJobId'
            type:
              description: Rule type
              enum:
                - machine_learning
              type: string
        - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields'
    Security_Detections_API_MachineLearningRulePatchProps:
      allOf:
        - type: object
          properties:
            actions:
              description: Array defining the automated actions (notifications) taken when alerts are generated.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleAction'
              type: array
            alias_purpose:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
            alias_target_id:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
            author:
              $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
            building_block_type:
              $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
            description:
              $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
            enabled:
              $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
            exceptions_list:
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
              type: array
            false_positives:
              $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
            from:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
            id:
              $ref: '#/components/schemas/Security_Detections_API_UUID'
            interval:
              $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
            investigation_fields:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
            license:
              $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
            max_signals:
              $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
            meta:
              $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
            name:
              $ref: '#/components/schemas/Security_Detections_API_RuleName'
            namespace:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
            note:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
            outcome:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
            output_index:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
            references:
              $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
            related_integrations:
              $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
            required_fields:
              description: |
                Elasticsearch fields and their types that need to be present for the rule to function.
                > info
                > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
              type: array
            response_actions:
              items:
                $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
              type: array
            risk_score:
              $ref: '#/components/schemas/Security_Detections_API_RiskScore'
            risk_score_mapping:
              $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
            rule_id:
              $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
            rule_name_override:
              $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
            setup:
              $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
            severity:
              $ref: '#/components/schemas/Security_Detections_API_Severity'
            severity_mapping:
              $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
            tags:
              $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
            threat:
              $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
            throttle:
              $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
            timeline_id:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
            timeline_title:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
            timestamp_override:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
            timestamp_override_fallback_disabled:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
            to:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
            version:
              $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
        - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRulePatchFields'
    Security_Detections_API_MachineLearningRuleRequiredFields:
      type: object
      properties:
        anomaly_threshold:
          $ref: '#/components/schemas/Security_Detections_API_AnomalyThreshold'
        machine_learning_job_id:
          $ref: '#/components/schemas/Security_Detections_API_MachineLearningJobId'
        type:
          description: Rule type
          enum:
            - machine_learning
          type: string
      required:
        - type
        - machine_learning_job_id
        - anomaly_threshold
    Security_Detections_API_MachineLearningRuleResponseFields:
      allOf:
        - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields'
        - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields'
    Security_Detections_API_MachineLearningRuleUpdateProps:
      allOf:
        - type: object
          properties:
            actions:
              description: Array defining the automated actions (notifications) taken when alerts are generated.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleAction'
              type: array
            alias_purpose:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
            alias_target_id:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
            author:
              $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
            building_block_type:
              $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
            description:
              $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
            enabled:
              $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
            exceptions_list:
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
              type: array
            false_positives:
              $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
            from:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
            id:
              $ref: '#/components/schemas/Security_Detections_API_UUID'
            interval:
              $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
            investigation_fields:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
            license:
              $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
            max_signals:
              $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
            meta:
              $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
            name:
              $ref: '#/components/schemas/Security_Detections_API_RuleName'
            namespace:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
            note:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
            outcome:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
            output_index:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
            references:
              $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
            related_integrations:
              $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
            required_fields:
              description: |
                Elasticsearch fields and their types that need to be present for the rule to function.
                > info
                > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
              type: array
            response_actions:
              items:
                $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
              type: array
            risk_score:
              $ref: '#/components/schemas/Security_Detections_API_RiskScore'
            risk_score_mapping:
              $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
            rule_id:
              $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
            rule_name_override:
              $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
            setup:
              $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
            severity:
              $ref: '#/components/schemas/Security_Detections_API_Severity'
            severity_mapping:
              $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
            tags:
              $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
            threat:
              $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
            throttle:
              $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
            timeline_id:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
            timeline_title:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
            timestamp_override:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
            timestamp_override_fallback_disabled:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
            to:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
            version:
              $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
          required:
            - name
            - description
            - risk_score
            - severity
        - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields'
    Security_Detections_API_MaxSignals:
      default: 100
      description: |
        Maximum number of alerts the rule can create during a single run. This corresponds to the rule’s Max alerts per run [advanced setting](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-detection-rule#rule-ui-advanced-params).
        > info
        > This setting can be superseded by the [Kibana configuration setting](https://www.elastic.co/docs/reference/kibana/configuration-reference/alerting-settings) `xpack.alerting.rules.run.alerts.max`, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, the rule can generate no more than 1000 alerts even if `max_signals` is set higher.
      minimum: 1
      type: integer
    Security_Detections_API_NewTermsFields:
      description: Fields to monitor for new values.
      items:
        type: string
      maxItems: 3
      minItems: 1
      type: array
    Security_Detections_API_NewTermsRule:
      allOf:
        - type: object
          properties:
            actions:
              description: Array defining the automated actions (notifications) taken when alerts are generated.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleAction'
              type: array
            alias_purpose:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
            alias_target_id:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
            author:
              $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
            building_block_type:
              $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
            description:
              $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
            enabled:
              $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
            exceptions_list:
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
              type: array
            false_positives:
              $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
            from:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
            interval:
              $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
            investigation_fields:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
            license:
              $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
            max_signals:
              $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
            meta:
              $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
            name:
              $ref: '#/components/schemas/Security_Detections_API_RuleName'
            namespace:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
            note:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
            outcome:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
            output_index:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
            references:
              $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
            related_integrations:
              $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
            required_fields:
              description: |
                Elasticsearch fields and their types that need to be present for the rule to function.
                > info
                > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
              type: array
            response_actions:
              items:
                $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
              type: array
            risk_score:
              $ref: '#/components/schemas/Security_Detections_API_RiskScore'
            risk_score_mapping:
              $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
            rule_name_override:
              $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
            setup:
              $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
            severity:
              $ref: '#/components/schemas/Security_Detections_API_Severity'
            severity_mapping:
              $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
            tags:
              $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
            threat:
              $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
            throttle:
              $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
            timeline_id:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
            timeline_title:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
            timestamp_override:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
            timestamp_override_fallback_disabled:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
            to:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
            version:
              $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
          required:
            - name
            - description
            - risk_score
            - severity
            - version
            - tags
            - enabled
            - risk_score_mapping
            - severity_mapping
            - interval
            - from
            - to
            - actions
            - exceptions_list
            - author
            - false_positives
            - references
            - max_signals
            - threat
            - setup
            - related_integrations
            - required_fields
        - $ref: '#/components/schemas/Security_Detections_API_ResponseFields'
        - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleResponseFields'
    Security_Detections_API_NewTermsRuleCreateFields:
      allOf:
        - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields'
        - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields'
        - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields'
    Security_Detections_API_NewTermsRuleCreateProps:
      allOf:
        - type: object
          properties:
            actions:
              description: Array defining the automated actions (notifications) taken when alerts are generated.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleAction'
              type: array
            alias_purpose:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
            alias_target_id:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
            author:
              $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
            building_block_type:
              $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
            description:
              $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
            enabled:
              $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
            exceptions_list:
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
              type: array
            false_positives:
              $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
            from:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
            interval:
              $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
            investigation_fields:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
            license:
              $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
            max_signals:
              $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
            meta:
              $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
            name:
              $ref: '#/components/schemas/Security_Detections_API_RuleName'
            namespace:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
            note:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
            outcome:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
            output_index:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
            references:
              $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
            related_integrations:
              $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
            required_fields:
              description: |
                Elasticsearch fields and their types that need to be present for the rule to function.
                > info
                > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
              type: array
            response_actions:
              items:
                $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
              type: array
            risk_score:
              $ref: '#/components/schemas/Security_Detections_API_RiskScore'
            risk_score_mapping:
              $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
            rule_id:
              $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
            rule_name_override:
              $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
            setup:
              $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
            severity:
              $ref: '#/components/schemas/Security_Detections_API_Severity'
            severity_mapping:
              $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
            tags:
              $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
            threat:
              $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
            throttle:
              $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
            timeline_id:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
            timeline_title:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
            timestamp_override:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
            timestamp_override_fallback_disabled:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
            to:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
            version:
              $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
          required:
            - name
            - description
            - risk_score
            - severity
        - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateFields'
    Security_Detections_API_NewTermsRuleDefaultableFields:
      type: object
      properties:
        language:
          $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage'
    Security_Detections_API_NewTermsRuleOptionalFields:
      type: object
      properties:
        alert_suppression:
          $ref: '#/components/schemas/Security_Detections_API_AlertSuppression'
        data_view_id:
          $ref: '#/components/schemas/Security_Detections_API_DataViewId'
        filters:
          $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray'
        index:
          $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray'
    Security_Detections_API_NewTermsRulePatchFields:
      allOf:
        - type: object
          properties:
            history_window_start:
              $ref: '#/components/schemas/Security_Detections_API_HistoryWindowStart'
            new_terms_fields:
              $ref: '#/components/schemas/Security_Detections_API_NewTermsFields'
            query:
              $ref: '#/components/schemas/Security_Detections_API_RuleQuery'
            type:
              description: Rule type
              enum:
                - new_terms
              type: string
        - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields'
        - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields'
    Security_Detections_API_NewTermsRulePatchProps:
      allOf:
        - type: object
          properties:
            actions:
              description: Array defining the automated actions (notifications) taken when alerts are generated.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleAction'
              type: array
            alias_purpose:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
            alias_target_id:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
            author:
              $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
            building_block_type:
              $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
            description:
              $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
            enabled:
              $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
            exceptions_list:
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
              type: array
            false_positives:
              $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
            from:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
            id:
              $ref: '#/components/schemas/Security_Detections_API_UUID'
            interval:
              $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
            investigation_fields:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
            license:
              $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
            max_signals:
              $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
            meta:
              $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
            name:
              $ref: '#/components/schemas/Security_Detections_API_RuleName'
            namespace:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
            note:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
            outcome:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
            output_index:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
            references:
              $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
            related_integrations:
              $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
            required_fields:
              description: |
                Elasticsearch fields and their types that need to be present for the rule to function.
                > info
                > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
              type: array
            response_actions:
              items:
                $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
              type: array
            risk_score:
              $ref: '#/components/schemas/Security_Detections_API_RiskScore'
            risk_score_mapping:
              $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
            rule_id:
              $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
            rule_name_override:
              $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
            setup:
              $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
            severity:
              $ref: '#/components/schemas/Security_Detections_API_Severity'
            severity_mapping:
              $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
            tags:
              $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
            threat:
              $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
            throttle:
              $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
            timeline_id:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
            timeline_title:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
            timestamp_override:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
            timestamp_override_fallback_disabled:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
            to:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
            version:
              $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
        - $ref: '#/components/schemas/Security_Detections_API_NewTermsRulePatchFields'
    Security_Detections_API_NewTermsRuleRequiredFields:
      type: object
      properties:
        history_window_start:
          $ref: '#/components/schemas/Security_Detections_API_HistoryWindowStart'
        new_terms_fields:
          $ref: '#/components/schemas/Security_Detections_API_NewTermsFields'
        query:
          $ref: '#/components/schemas/Security_Detections_API_RuleQuery'
        type:
          description: Rule type
          enum:
            - new_terms
          type: string
      required:
        - type
        - query
        - new_terms_fields
        - history_window_start
    Security_Detections_API_NewTermsRuleResponseFields:
      allOf:
        - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields'
        - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields'
        - type: object
          properties:
            language:
              $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage'
          required:
            - language
    Security_Detections_API_NewTermsRuleUpdateProps:
      allOf:
        - type: object
          properties:
            actions:
              description: Array defining the automated actions (notifications) taken when alerts are generated.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleAction'
              type: array
            alias_purpose:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
            alias_target_id:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
            author:
              $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
            building_block_type:
              $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
            description:
              $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
            enabled:
              $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
            exceptions_list:
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
              type: array
            false_positives:
              $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
            from:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
            id:
              $ref: '#/components/schemas/Security_Detections_API_UUID'
            interval:
              $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
            investigation_fields:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
            license:
              $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
            max_signals:
              $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
            meta:
              $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
            name:
              $ref: '#/components/schemas/Security_Detections_API_RuleName'
            namespace:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
            note:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
            outcome:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
            output_index:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
            references:
              $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
            related_integrations:
              $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
            required_fields:
              description: |
                Elasticsearch fields and their types that need to be present for the rule to function.
                > info
                > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
              type: array
            response_actions:
              items:
                $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
              type: array
            risk_score:
              $ref: '#/components/schemas/Security_Detections_API_RiskScore'
            risk_score_mapping:
              $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
            rule_id:
              $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
            rule_name_override:
              $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
            setup:
              $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
            severity:
              $ref: '#/components/schemas/Security_Detections_API_Severity'
            severity_mapping:
              $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
            tags:
              $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
            threat:
              $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
            throttle:
              $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
            timeline_id:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
            timeline_title:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
            timestamp_override:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
            timestamp_override_fallback_disabled:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
            to:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
            version:
              $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
          required:
            - name
            - description
            - risk_score
            - severity
        - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateFields'
    Security_Detections_API_NonEmptyString:
      description: A non-empty string that does not consist only of whitespace characters
      format: nonempty
      minLength: 1
      type: string
    Security_Detections_API_NormalizedRuleAction:
      additionalProperties: false
      type: object
      properties:
        alerts_filter:
          $ref: '#/components/schemas/Security_Detections_API_RuleActionAlertsFilter'
        frequency:
          $ref: '#/components/schemas/Security_Detections_API_RuleActionFrequency'
        group:
          $ref: '#/components/schemas/Security_Detections_API_RuleActionGroup'
        id:
          $ref: '#/components/schemas/Security_Detections_API_RuleActionId'
        params:
          $ref: '#/components/schemas/Security_Detections_API_RuleActionParams'
      required:
        - id
        - params
    Security_Detections_API_NormalizedRuleError:
      type: object
      properties:
        err_code:
          $ref: '#/components/schemas/Security_Detections_API_BulkActionsDryRunErrCode'
        message:
          type: string
        rules:
          items:
            $ref: '#/components/schemas/Security_Detections_API_RuleDetailsInError'
          type: array
        status_code:
          type: integer
      required:
        - message
        - status_code
        - rules
    Security_Detections_API_OsqueryParams:
      type: object
      properties:
        ecs_mapping:
          $ref: '#/components/schemas/Security_Detections_API_EcsMapping'
        pack_id:
          description: 'To specify a query pack, use the pack_id field. Example: "pack_id": "processes_elastic"'
          type: string
        queries:
          items:
            $ref: '#/components/schemas/Security_Detections_API_OsqueryQuery'
          type: array
        query:
          description: 'To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"'
          type: string
        saved_query_id:
          description: 'To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"'
          type: string
        timeout:
          description: 'A timeout period, in seconds, after which the query will stop running. Overriding the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.'
          type: number
    Security_Detections_API_OsqueryQuery:
      type: object
      properties:
        ecs_mapping:
          $ref: '#/components/schemas/Security_Detections_API_EcsMapping'
        id:
          description: Query ID
          type: string
        platform:
          type: string
        query:
          description: Query to run
          type: string
        removed:
          type: boolean
        snapshot:
          type: boolean
        version:
          description: Query version
          type: string
      required:
        - id
        - query
    Security_Detections_API_OsqueryResponseAction:
      type: object
      properties:
        action_type_id:
          enum:
            - .osquery
          type: string
        params:
          $ref: '#/components/schemas/Security_Detections_API_OsqueryParams'
      required:
        - action_type_id
        - params
    Security_Detections_API_PlatformErrorResponse:
      type: object
      properties:
        error:
          type: string
        message:
          type: string
        statusCode:
          type: integer
      required:
        - statusCode
        - error
        - message
    Security_Detections_API_ProcessesParams:
      type: object
      properties:
        command:
          description: 'To run an endpoint response action, specify a value for the command field. Example: "command": "kill-process"'
          enum:
            - kill-process
            - suspend-process
          type: string
        comment:
          description: 'Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"'
          type: string
        config:
          type: object
          properties:
            field:
              description: Field to use instead of process.pid
              type: string
            overwrite:
              default: true
              description: Whether to overwrite field with process.pid
              type: boolean
          required:
            - field
      required:
        - command
        - config
    Security_Detections_API_QueryAlertsBodyParams:
      type: object
      properties:
        _source:
          oneOf:
            - type: boolean
            - type: string
            - items:
                type: string
              type: array
        aggs:
          additionalProperties: true
          type: object
        fields:
          items:
            type: string
          type: array
        query:
          additionalProperties: true
          type: object
        runtime_mappings:
          additionalProperties: true
          type: object
        size:
          minimum: 0
          type: integer
        sort:
          $ref: '#/components/schemas/Security_Detections_API_AlertsSort'
        track_total_hits:
          type: boolean
    Security_Detections_API_QueryRule:
      allOf:
        - type: object
          properties:
            actions:
              description: Array defining the automated actions (notifications) taken when alerts are generated.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleAction'
              type: array
            alias_purpose:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
            alias_target_id:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
            author:
              $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
            building_block_type:
              $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
            description:
              $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
            enabled:
              $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
            exceptions_list:
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
              type: array
            false_positives:
              $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
            from:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
            interval:
              $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
            investigation_fields:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
            license:
              $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
            max_signals:
              $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
            meta:
              $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
            name:
              $ref: '#/components/schemas/Security_Detections_API_RuleName'
            namespace:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
            note:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
            outcome:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
            output_index:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
            references:
              $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
            related_integrations:
              $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
            required_fields:
              description: |
                Elasticsearch fields and their types that need to be present for the rule to function.
                > info
                > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
              type: array
            response_actions:
              items:
                $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
              type: array
            risk_score:
              $ref: '#/components/schemas/Security_Detections_API_RiskScore'
            risk_score_mapping:
              $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
            rule_name_override:
              $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
            setup:
              $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
            severity:
              $ref: '#/components/schemas/Security_Detections_API_Severity'
            severity_mapping:
              $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
            tags:
              $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
            threat:
              $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
            throttle:
              $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
            timeline_id:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
            timeline_title:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
            timestamp_override:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
            timestamp_override_fallback_disabled:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
            to:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
            version:
              $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
          required:
            - name
            - description
            - risk_score
            - severity
            - version
            - tags
            - enabled
            - risk_score_mapping
            - severity_mapping
            - interval
            - from
            - to
            - actions
            - exceptions_list
            - author
            - false_positives
            - references
            - max_signals
            - threat
            - setup
            - related_integrations
            - required_fields
        - $ref: '#/components/schemas/Security_Detections_API_ResponseFields'
        - $ref: '#/components/schemas/Security_Detections_API_QueryRuleResponseFields'
    Security_Detections_API_QueryRuleCreateFields:
      allOf:
        - $ref: '#/components/schemas/Security_Detections_API_QueryRuleRequiredFields'
        - $ref: '#/components/schemas/Security_Detections_API_QueryRuleOptionalFields'
        - $ref: '#/components/schemas/Security_Detections_API_QueryRuleDefaultableFields'
    Security_Detections_API_QueryRuleCreateProps:
      allOf:
        - type: object
          properties:
            actions:
              description: Array defining the automated actions (notifications) taken when alerts are generated.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleAction'
              type: array
            alias_purpose:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
            alias_target_id:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
            author:
              $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
            building_block_type:
              $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
            description:
              $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
            enabled:
              $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
            exceptions_list:
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
              type: array
            false_positives:
              $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
            from:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
            interval:
              $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
            investigation_fields:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
            license:
              $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
            max_signals:
              $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
            meta:
              $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
            name:
              $ref: '#/components/schemas/Security_Detections_API_RuleName'
            namespace:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
            note:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
            outcome:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
            output_index:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
            references:
              $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
            related_integrations:
              $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
            required_fields:
              description: |
                Elasticsearch fields and their types that need to be present for the rule to function.
                > info
                > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
              type: array
            response_actions:
              items:
                $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
              type: array
            risk_score:
              $ref: '#/components/schemas/Security_Detections_API_RiskScore'
            risk_score_mapping:
              $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
            rule_id:
              $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
            rule_name_override:
              $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
            setup:
              $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
            severity:
              $ref: '#/components/schemas/Security_Detections_API_Severity'
            severity_mapping:
              $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
            tags:
              $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
            threat:
              $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
            throttle:
              $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
            timeline_id:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
            timeline_title:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
            timestamp_override:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
            timestamp_override_fallback_disabled:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
            to:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
            version:
              $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
          required:
            - name
            - description
            - risk_score
            - severity
        - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateFields'
    Security_Detections_API_QueryRuleDefaultableFields:
      type: object
      properties:
        language:
          $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage'
        query:
          $ref: '#/components/schemas/Security_Detections_API_RuleQuery'
    Security_Detections_API_QueryRuleOptionalFields:
      type: object
      properties:
        alert_suppression:
          $ref: '#/components/schemas/Security_Detections_API_AlertSuppression'
        data_view_id:
          $ref: '#/components/schemas/Security_Detections_API_DataViewId'
        filters:
          $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray'
        index:
          $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray'
        saved_id:
          $ref: '#/components/schemas/Security_Detections_API_SavedQueryId'
    Security_Detections_API_QueryRulePatchFields:
      allOf:
        - type: object
          properties:
            type:
              description: Rule type
              enum:
                - query
              type: string
        - $ref: '#/components/schemas/Security_Detections_API_QueryRuleOptionalFields'
        - $ref: '#/components/schemas/Security_Detections_API_QueryRuleDefaultableFields'
    Security_Detections_API_QueryRulePatchProps:
      allOf:
        - type: object
          properties:
            actions:
              description: Array defining the automated actions (notifications) taken when alerts are generated.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleAction'
              type: array
            alias_purpose:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
            alias_target_id:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
            author:
              $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
            building_block_type:
              $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
            description:
              $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
            enabled:
              $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
            exceptions_list:
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
              type: array
            false_positives:
              $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
            from:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
            id:
              $ref: '#/components/schemas/Security_Detections_API_UUID'
            interval:
              $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
            investigation_fields:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
            license:
              $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
            max_signals:
              $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
            meta:
              $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
            name:
              $ref: '#/components/schemas/Security_Detections_API_RuleName'
            namespace:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
            note:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
            outcome:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
            output_index:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
            references:
              $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
            related_integrations:
              $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
            required_fields:
              description: |
                Elasticsearch fields and their types that need to be present for the rule to function.
                > info
                > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
              type: array
            response_actions:
              items:
                $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
              type: array
            risk_score:
              $ref: '#/components/schemas/Security_Detections_API_RiskScore'
            risk_score_mapping:
              $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
            rule_id:
              $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
            rule_name_override:
              $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
            setup:
              $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
            severity:
              $ref: '#/components/schemas/Security_Detections_API_Severity'
            severity_mapping:
              $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
            tags:
              $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
            threat:
              $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
            throttle:
              $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
            timeline_id:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
            timeline_title:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
            timestamp_override:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
            timestamp_override_fallback_disabled:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
            to:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
            version:
              $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
        - $ref: '#/components/schemas/Security_Detections_API_QueryRulePatchFields'
    Security_Detections_API_QueryRuleRequiredFields:
      type: object
      properties:
        type:
          description: Rule type
          enum:
            - query
          type: string
      required:
        - type
    Security_Detections_API_QueryRuleResponseFields:
      allOf:
        - $ref: '#/components/schemas/Security_Detections_API_QueryRuleRequiredFields'
        - $ref: '#/components/schemas/Security_Detections_API_QueryRuleOptionalFields'
        - type: object
          properties:
            language:
              $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage'
            query:
              $ref: '#/components/schemas/Security_Detections_API_RuleQuery'
          required:
            - query
            - language
    Security_Detections_API_QueryRuleUpdateProps:
      allOf:
        - type: object
          properties:
            actions:
              description: Array defining the automated actions (notifications) taken when alerts are generated.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleAction'
              type: array
            alias_purpose:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
            alias_target_id:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
            author:
              $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
            building_block_type:
              $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
            description:
              $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
            enabled:
              $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
            exceptions_list:
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
              type: array
            false_positives:
              $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
            from:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
            id:
              $ref: '#/components/schemas/Security_Detections_API_UUID'
            interval:
              $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
            investigation_fields:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
            license:
              $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
            max_signals:
              $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
            meta:
              $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
            name:
              $ref: '#/components/schemas/Security_Detections_API_RuleName'
            namespace:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
            note:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
            outcome:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
            output_index:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
            references:
              $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
            related_integrations:
              $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
            required_fields:
              description: |
                Elasticsearch fields and their types that need to be present for the rule to function.
                > info
                > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
              type: array
            response_actions:
              items:
                $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
              type: array
            risk_score:
              $ref: '#/components/schemas/Security_Detections_API_RiskScore'
            risk_score_mapping:
              $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
            rule_id:
              $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
            rule_name_override:
              $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
            setup:
              $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
            severity:
              $ref: '#/components/schemas/Security_Detections_API_Severity'
            severity_mapping:
              $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
            tags:
              $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
            threat:
              $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
            throttle:
              $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
            timeline_id:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
            timeline_title:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
            timestamp_override:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
            timestamp_override_fallback_disabled:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
            to:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
            version:
              $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
          required:
            - name
            - description
            - risk_score
            - severity
        - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateFields'
    Security_Detections_API_Reason:
      description: 'The reason for closing the alerts. Can be one of the following predefined reasons: [false_positive, duplicate, true_positive, benign_positive, automated_closure, other] or a custom reason provided by the user through the advanced settings.'
      oneOf:
        - $ref: '#/components/schemas/Security_Detections_API_ReasonEnum'
        - type: string
    Security_Detections_API_ReasonEnum:
      enum:
        - false_positive
        - duplicate
        - true_positive
        - benign_positive
        - automated_closure
        - other
      type: string
    Security_Detections_API_RelatedIntegration:
      description: |
        Related integration is a potential dependency of a rule. It's assumed that if the user installs
        one of the related integrations of a rule, the rule might start to work properly because it will
        have source events (generated by this integration) potentially matching the rule's query.

        NOTE: Proper work is not guaranteed, because a related integration, if installed, can be
        configured differently or generate data that is not necessarily relevant for this rule.

        Related integration is a combination of a Fleet package and (optionally) one of the
        package's "integrations" that this package contains. It is represented by 3 properties:

        - `package`: name of the package (required, unique id)
        - `version`: version of the package (required, semver-compatible)
        - `integration`: name of the integration of this package (optional, id within the package)

        There are Fleet packages like `windows` that contain only one integration; in this case,
        `integration` should be unspecified. There are also packages like `aws` and `azure` that contain
        several integrations; in this case, `integration` should be specified.
      example:
        integration: activitylogs
        package: azure
        version: ~1.1.6
      type: object
      properties:
        integration:
          $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
        package:
          $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
        version:
          $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
      required:
        - package
        - version
    Security_Detections_API_RelatedIntegrationArray:
      items:
        $ref: '#/components/schemas/Security_Detections_API_RelatedIntegration'
      type: array
    Security_Detections_API_RequiredField:
      description: |
        Describes an Elasticsearch field that is needed for the rule to function.

        Almost all types of Security rules check source event documents for a match to some kind of
        query or filter. If a document has a certain field with certain values, then it's a match and
        the rule will generate an alert.

        Required field is an event field that must be present in the source indices of a given rule.

        @example
        const standardEcsField: RequiredField = {
          name: 'event.action',
          type: 'keyword',
          ecs: true,
        };

        @example
        const nonEcsField: RequiredField = {
          name: 'winlog.event_data.AttributeLDAPDisplayName',
          type: 'keyword',
          ecs: false,
        };
      type: object
      properties:
        ecs:
          description: Indicates whether the field is ECS-compliant. This property is only present in responses. Its value is computed based on the field’s name and type.
          type: boolean
        name:
          description: Name of an Elasticsearch field
          format: nonempty
          minLength: 1
          type: string
        type:
          description: Type of the Elasticsearch field
          format: nonempty
          minLength: 1
          type: string
      required:
        - name
        - type
        - ecs
    Security_Detections_API_RequiredFieldArray:
      items:
        $ref: '#/components/schemas/Security_Detections_API_RequiredField'
      type: array
    Security_Detections_API_RequiredFieldInput:
      description: Input parameters to create a RequiredField. Does not include the `ecs` field, because `ecs` is calculated on the backend based on the field name and type.
      type: object
      properties:
        name:
          description: Name of an Elasticsearch field
          format: nonempty
          minLength: 1
          type: string
        type:
          description: Type of the Elasticsearch field
          format: nonempty
          minLength: 1
          type: string
      required:
        - name
        - type
    Security_Detections_API_ResponseAction:
      discriminator:
        mapping:
          .endpoint: '#/components/schemas/Security_Detections_API_EndpointResponseAction'
          .osquery: '#/components/schemas/Security_Detections_API_OsqueryResponseAction'
        propertyName: action_type_id
      oneOf:
        - $ref: '#/components/schemas/Security_Detections_API_OsqueryResponseAction'
        - $ref: '#/components/schemas/Security_Detections_API_EndpointResponseAction'
    Security_Detections_API_ResponseFields:
      type: object
      properties:
        created_at:
          format: date-time
          type: string
        created_by:
          type: string
        execution_summary:
          $ref: '#/components/schemas/Security_Detections_API_RuleExecutionSummary'
        id:
          $ref: '#/components/schemas/Security_Detections_API_UUID'
        immutable:
          $ref: '#/components/schemas/Security_Detections_API_IsRuleImmutable'
        required_fields:
          $ref: '#/components/schemas/Security_Detections_API_RequiredFieldArray'
        revision:
          $ref: '#/components/schemas/Security_Detections_API_RuleRevision'
        rule_id:
          $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
        rule_source:
          $ref: '#/components/schemas/Security_Detections_API_RuleSource'
        updated_at:
          format: date-time
          type: string
        updated_by:
          type: string
      required:
        - id
        - rule_id
        - immutable
        - rule_source
        - updated_at
        - updated_by
        - created_at
        - created_by
        - revision
        - related_integrations
        - required_fields
    Security_Detections_API_RiskScore:
      description: |
        A numerical representation of the alert's severity from 0 to 100, where:
        * `0` - `21` represents low severity
        * `22` - `47` represents medium severity
        * `48` - `73` represents high severity
        * `74` - `100` represents critical severity
      maximum: 100
      minimum: 0
      type: integer
    Security_Detections_API_RiskScoreMapping:
      description: Overrides generated alerts' risk_score with a value from the source event
      items:
        type: object
        properties:
          field:
            description: Source event field used to override the default `risk_score`.
            type: string
          operator:
            enum:
              - equals
            type: string
          risk_score:
            $ref: '#/components/schemas/Security_Detections_API_RiskScore'
          value:
            type: string
        required:
          - field
          - operator
          - value
      type: array
    Security_Detections_API_RuleAction:
      type: object
      properties:
        action_type_id:
          description: |
            The action type used for sending notifications, can be:

              - `.slack`
              - `.slack_api`
              - `.email`
              - `.index`
              - `.pagerduty`
              - `.swimlane`
              - `.webhook`
              - `.servicenow`
              - `.servicenow-itom`
              - `.servicenow-sir`
              - `.jira`
              - `.resilient`
              - `.opsgenie`
              - `.teams`
              - `.torq`
              - `.tines`
              - `.d3security`
          type: string
        alerts_filter:
          $ref: '#/components/schemas/Security_Detections_API_RuleActionAlertsFilter'
        frequency:
          $ref: '#/components/schemas/Security_Detections_API_RuleActionFrequency'
        group:
          $ref: '#/components/schemas/Security_Detections_API_RuleActionGroup'
        id:
          $ref: '#/components/schemas/Security_Detections_API_RuleActionId'
        params:
          $ref: '#/components/schemas/Security_Detections_API_RuleActionParams'
        uuid:
          $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
      required:
        - action_type_id
        - id
        - params
    Security_Detections_API_RuleActionAlertsFilter:
      additionalProperties: true
      description: |
        Object containing an action’s conditional filters.

        - `timeframe` (object, optional): Object containing the time frame for when this action can be run.
            - `days` (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between `1-7`, where `1` is Monday and `7` is Sunday. To select all days of the week, enter an empty array.
            - `hours` (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format `hh:mm` in `24` hour time. A start of `00:00` and an end of `24:00` means the action can run all day.
                - start (string, required): Start time in `hh:mm` format.
                - end (string, required): End time in `hh:mm` format.
            - `timezone` (string, required): An ISO timezone name, such as `Europe/Madrid` or `America/New_York`. Specific offsets such as `UTC` or `UTC+1` will also work, but lack built-in DST.
        - `query` (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.
            - `kql` (string, required): A KQL string.
            - `filters` (array of objects, required): Array of filter objects, as defined in the `kbn-es-query` package.
      type: object
    Security_Detections_API_RuleActionFrequency:
      description: The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
      type: object
      properties:
        notifyWhen:
          $ref: '#/components/schemas/Security_Detections_API_RuleActionNotifyWhen'
        summary:
          description: Action summary indicates whether we will send a summary notification about all the generated alerts or a notification per individual alert.
          type: boolean
        throttle:
          $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
          nullable: true
      required:
        - summary
        - notifyWhen
        - throttle
    Security_Detections_API_RuleActionGroup:
      description: Optionally groups actions by use cases. Use `default` for alert notifications.
      type: string
    Security_Detections_API_RuleActionId:
      description: The connector ID.
      type: string
    Security_Detections_API_RuleActionNotifyWhen:
      description: Defines how often rules run actions.
      enum:
        - onActiveAlert
        - onThrottleInterval
        - onActionGroupChange
      type: string
    Security_Detections_API_RuleActionParams:
      additionalProperties: true
      description: |
        Object containing the allowed connector fields, which vary according to the connector type.

        For Slack:

          - `message` (string, required): The notification message.

        For email:

          - `to`, `cc`, `bcc` (string): Email addresses to which the notifications are sent. At least one field must have a value.
          - `subject` (string, optional): Email subject line.
          - `message` (string, required): Email body text.

        For Webhook:

          - `body` (string, required): JSON payload.

        For PagerDuty:

          - `severity` (string, required): Severity of the alert notification, can be: `Critical`, `Error`, `Warning` or `Info`.
          - `eventAction` (string, required): Event [action type](https://v2.developer.pagerduty.com/docs/events-api-v2#event-action), which can be `trigger`, `resolve`, or `acknowledge`.
          - `dedupKey` (string, optional): Groups alert notifications with the same PagerDuty alert.
          - `timestamp` (DateTime, optional): ISO-8601 format [timestamp](https://v2.developer.pagerduty.com/docs/types#datetime).
          - `component` (string, optional): Source machine component responsible for the event, for example `security-solution`.
          - `group` (string, optional): Enables logical grouping of service components.
          - `source` (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.
          - `summary` (string, optional): Summary of the event. Defaults to `No summary provided`. Maximum length is 1024 characters.
          - `class` (string, optional): Value indicating the class/type of the event.
      type: object
    Security_Detections_API_RuleActionThrottle:
      description: Defines how often rule actions are taken.
      oneOf:
        - enum:
            - no_actions
            - rule
          type: string
        - description: Time interval in seconds, minutes, hours, or days.
          example: 1h
          pattern: ^[1-9]\d*[smhd]$
          type: string
    Security_Detections_API_RuleAuthorArray:
      description: The rule’s author.
      items:
        type: string
      type: array
    Security_Detections_API_RuleCreateProps:
      anyOf:
        - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateProps'
        - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateProps'
        - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps'
        - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateProps'
        - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps'
        - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps'
        - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateProps'
        - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateProps'
      discriminator:
        mapping:
          eql: '#/components/schemas/Security_Detections_API_EqlRuleCreateProps'
          esql: '#/components/schemas/Security_Detections_API_EsqlRuleCreateProps'
          machine_learning: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps'
          new_terms: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateProps'
          query: '#/components/schemas/Security_Detections_API_QueryRuleCreateProps'
          saved_query: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps'
          threat_match: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps'
          threshold: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateProps'
        propertyName: type
    Security_Detections_API_RuleDescription:
      description: The rule’s description.
      example: Detects anomalous Windows process creation events.
      minLength: 1
      type: string
    Security_Detections_API_RuleDetailsInError:
      type: object
      properties:
        id:
          type: string
        name:
          type: string
      required:
        - id
    Security_Detections_API_RuleExceptionList:
      description: |
        Array of [exception containers](https://www.elastic.co/docs/solutions/security/detect-and-alert/detection-rule-concepts), which define exceptions that prevent the rule from generating alerts even when its other criteria are met.
      type: object
      properties:
        id:
          description: ID of the exception container
          format: nonempty
          minLength: 1
          type: string
        list_id:
          description: List ID of the exception container
          format: nonempty
          minLength: 1
          type: string
        namespace_type:
          description: Determines the exception's validity in the rule's Kibana space
          enum:
            - agnostic
            - single
          type: string
        type:
          $ref: '#/components/schemas/Security_Detections_API_ExceptionListType'
      required:
        - id
        - list_id
        - type
        - namespace_type
    Security_Detections_API_RuleExecutionMetrics:
      type: object
      properties:
        execution_gap_duration_s:
          description: Duration in seconds of execution gap
          minimum: 0
          type: integer
        frozen_indices_queried_count:
          description: Count of frozen indices queried during the rule execution. These indices could not be entirely excluded after applying the time range filter.
          minimum: 0
          type: integer
        gap_range:
          description: Range of the execution gap
          type: object
          properties:
            gte:
              description: Start date of the execution gap
              type: string
            lte:
              description: End date of the execution gap
              type: string
          required:
            - gte
            - lte
        gap_reason:
          description: Detected reason for the execution gap
          type: object
          properties:
            type:
              description: The type of reason for the gap (rule_disabled or rule_did_not_run)
              enum:
                - rule_disabled
                - rule_did_not_run
              type: string
          required:
            - type
        total_enrichment_duration_ms:
          description: Total time spent enriching documents during current rule execution cycle
          minimum: 0
          type: integer
        total_indexing_duration_ms:
          description: Total time spent indexing documents during current rule execution cycle
          minimum: 0
          type: integer
        total_search_duration_ms:
          description: Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response
          minimum: 0
          type: integer
    Security_Detections_API_RuleExecutionStatus:
      description: |-
        Custom execution status of Security rules that is different from the status used in the Alerting Framework. We merge our custom status with the Framework's status to determine the resulting status of a rule.
        - going to run - @deprecated Replaced by the 'running' status but left for backwards compatibility with rule execution events already written to Event Log in the prior versions of Kibana. Don't use when writing rule status changes.
        - running - Rule execution has started but has not reached any intermediate or final status.
        - partial failure - Rule can partially fail for various reasons either in the middle of an execution (in this case we update its status right away) or at the end of it. So currently this status can be both intermediate and final at the same time. A typical reason for a partial failure: not all the indices that the rule searches over actually exist.
        - failed - Rule failed to execute due to an unhandled exception or a reason defined in the business logic of its executor function.
        - succeeded - Rule executed successfully without any issues. Note: this status is just an indication of a rule's "health". The rule might or might not generate any alerts regardless of it.
      enum:
        - going to run
        - running
        - partial failure
        - failed
        - succeeded
      type: string
    Security_Detections_API_RuleExecutionStatusOrder:
      type: integer
    Security_Detections_API_RuleExecutionSummary:
      description: |
        Summary of the last execution of a rule.
        > info
        > This field is under development and its usage or schema may change.
      type: object
      properties:
        last_execution:
          type: object
          properties:
            date:
              description: Date of the last execution
              format: date-time
              type: string
            message:
              type: string
            metrics:
              $ref: '#/components/schemas/Security_Detections_API_RuleExecutionMetrics'
            status:
              $ref: '#/components/schemas/Security_Detections_API_RuleExecutionStatus'
              description: Status of the last execution
            status_order:
              $ref: '#/components/schemas/Security_Detections_API_RuleExecutionStatusOrder'
          required:
            - date
            - status
            - status_order
            - message
            - metrics
      required:
        - last_execution
    Security_Detections_API_RuleFalsePositiveArray:
      description: String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.
      items:
        type: string
      type: array
    Security_Detections_API_RuleFilterArray:
      description: |
        The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.
        > info
        > This field is not supported for ES|QL rules.
      items: {}
      type: array
    Security_Detections_API_RuleInterval:
      description: Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
      type: string
    Security_Detections_API_RuleIntervalFrom:
      description: Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
      format: date-math
      type: string
    Security_Detections_API_RuleIntervalTo:
      type: string
    Security_Detections_API_RuleLicense:
      description: The rule's license.
      type: string
    Security_Detections_API_RuleMetadata:
      additionalProperties: true
      description: |
        Placeholder for metadata about the rule.
        > info
        > This field is overwritten when you save changes to the rule’s settings.
      type: object
    Security_Detections_API_RuleName:
      description: A human-readable name for the rule.
      example: Anomalous Windows Process Creation
      minLength: 1
      type: string
    Security_Detections_API_RuleNameOverride:
      description: Sets which field in the source event is used to populate the alert's `signal.rule.name` value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s `name` value is used. The source field must be a string data type.
      type: string
    Security_Detections_API_RuleObjectId:
      $ref: '#/components/schemas/Security_Detections_API_UUID'
      description: A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object `id`s.
    Security_Detections_API_RulePatchProps:
      anyOf:
        - $ref: '#/components/schemas/Security_Detections_API_EqlRulePatchProps'
        - $ref: '#/components/schemas/Security_Detections_API_QueryRulePatchProps'
        - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRulePatchProps'
        - $ref: '#/components/schemas/Security_Detections_API_ThresholdRulePatchProps'
        - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRulePatchProps'
        - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRulePatchProps'
        - $ref: '#/components/schemas/Security_Detections_API_NewTermsRulePatchProps'
        - $ref: '#/components/schemas/Security_Detections_API_EsqlRulePatchProps'
    Security_Detections_API_RulePreviewLoggedRequest:
      type: object
      properties:
        description:
          $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
        duration:
          type: integer
        request:
          $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
        request_type:
          $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
    Security_Detections_API_RulePreviewLogs:
      type: object
      properties:
        duration:
          description: Execution duration in milliseconds
          type: integer
        errors:
          items:
            $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
          type: array
        requests:
          items:
            $ref: '#/components/schemas/Security_Detections_API_RulePreviewLoggedRequest'
          type: array
        startedAt:
          $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
        warnings:
          items:
            $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
          type: array
      required:
        - errors
        - warnings
        - duration
    Security_Detections_API_RulePreviewParams:
      type: object
      properties:
        invocationCount:
          type: integer
        timeframeEnd:
          format: date-time
          type: string
      required:
        - invocationCount
        - timeframeEnd
    Security_Detections_API_RuleQuery:
      description: |
        [Query](https://www.elastic.co/docs/explore-analyze/query-filter) used by the rule to create alerts.

        - For indicator match rules, only the query’s results are used to determine whether an alert is generated.
        - ES|QL rules have additional query requirements. Refer to [Create ES|QL rules](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-detection-rule#create-esql-rule) for more information.
      type: string
    Security_Detections_API_RuleReferenceArray:
      description: Array containing notes about or references to relevant information about the rule. Defaults to an empty array.
      items:
        type: string
      type: array
    Security_Detections_API_RuleResponse:
      anyOf:
        - $ref: '#/components/schemas/Security_Detections_API_EqlRule'
        - $ref: '#/components/schemas/Security_Detections_API_QueryRule'
        - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRule'
        - $ref: '#/components/schemas/Security_Detections_API_ThresholdRule'
        - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRule'
        - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRule'
        - $ref: '#/components/schemas/Security_Detections_API_NewTermsRule'
        - $ref: '#/components/schemas/Security_Detections_API_EsqlRule'
      discriminator:
        mapping:
          eql: '#/components/schemas/Security_Detections_API_EqlRule'
          esql: '#/components/schemas/Security_Detections_API_EsqlRule'
          machine_learning: '#/components/schemas/Security_Detections_API_MachineLearningRule'
          new_terms: '#/components/schemas/Security_Detections_API_NewTermsRule'
          query: '#/components/schemas/Security_Detections_API_QueryRule'
          saved_query: '#/components/schemas/Security_Detections_API_SavedQueryRule'
          threat_match: '#/components/schemas/Security_Detections_API_ThreatMatchRule'
          threshold: '#/components/schemas/Security_Detections_API_ThresholdRule'
        propertyName: type
    Security_Detections_API_RuleRevision:
      description: |
        The rule's revision number.

        It represents the version of the rule's object in Kibana. It is set to `0` when the rule is installed or created and is then incremented on each update.
        > info
        > Not every update to a rule increments the revision. Only changes to fields that are considered static rule parameters trigger a revision increment. For example, an update to a rule's query or index fields will increment the rule's revision by `1`. However, changes to dynamic or technical fields like `enabled` or `execution_summary` will not cause revision increments.
      minimum: 0
      type: integer
    Security_Detections_API_RuleSignatureId:
      description: A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but is often a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same `rule_id`s.
      type: string
    Security_Detections_API_RuleSource:
      description: Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.
      discriminator:
        propertyName: type
      oneOf:
        - $ref: '#/components/schemas/Security_Detections_API_ExternalRuleSource'
        - $ref: '#/components/schemas/Security_Detections_API_InternalRuleSource'
    Security_Detections_API_RuleTagArray:
      description: String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
      items:
        type: string
      type: array
    Security_Detections_API_RuleUpdateProps:
      anyOf:
        - $ref: '#/components/schemas/Security_Detections_API_EqlRuleUpdateProps'
        - $ref: '#/components/schemas/Security_Detections_API_QueryRuleUpdateProps'
        - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleUpdateProps'
        - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleUpdateProps'
        - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleUpdateProps'
        - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleUpdateProps'
        - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleUpdateProps'
        - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleUpdateProps'
      discriminator:
        mapping:
          eql: '#/components/schemas/Security_Detections_API_EqlRuleUpdateProps'
          esql: '#/components/schemas/Security_Detections_API_EsqlRuleUpdateProps'
          machine_learning: '#/components/schemas/Security_Detections_API_MachineLearningRuleUpdateProps'
          new_terms: '#/components/schemas/Security_Detections_API_NewTermsRuleUpdateProps'
          query: '#/components/schemas/Security_Detections_API_QueryRuleUpdateProps'
          saved_query: '#/components/schemas/Security_Detections_API_SavedQueryRuleUpdateProps'
          threat_match: '#/components/schemas/Security_Detections_API_ThreatMatchRuleUpdateProps'
          threshold: '#/components/schemas/Security_Detections_API_ThresholdRuleUpdateProps'
        propertyName: type
    Security_Detections_API_RuleVersion:
      description: |
        The rule's version number.

        - For prebuilt rules, it represents the version of the rule's content in the source [detection-rules](https://github.com/elastic/detection-rules) repository (and the corresponding `security_detection_engine` Fleet package that is used for distributing prebuilt rules).
        - For custom rules, it is set to `1` when the rule is created.
        > info
        > It is not incremented on each update. Compare this to the `revision` field.
      minimum: 1
      type: integer
    Security_Detections_API_RunScriptOsConfigValues:
      minProperties: 1
      type: object
      properties:
        scriptId:
          description: The ID of the script to run (from the Kibana Script library)
          type: string
        scriptInput:
          description: The arguments to pass to the script (if any)
          type: string
        timeout:
          description: Specify the timeout in seconds for the script execution
          example: 60
          type: integer
    Security_Detections_API_RunscriptParams:
      description: Run a script on the Elastic Defend host that triggered the alert.
      type: object
      properties:
        command:
          enum:
            - runscript
          type: string
        comment:
          description: Add a note that explains or describes the action. You can find your comment in the response actions history log.
          type: string
        config:
          type: object
          properties:
            linux:
              $ref: '#/components/schemas/Security_Detections_API_RunScriptOsConfigValues'
            macos:
              $ref: '#/components/schemas/Security_Detections_API_RunScriptOsConfigValues'
            windows:
              $ref: '#/components/schemas/Security_Detections_API_RunScriptOsConfigValues'
      required:
        - command
    Security_Detections_API_SavedObjectResolveAliasPurpose:
      enum:
        - savedObjectConversion
        - savedObjectImport
      type: string
    Security_Detections_API_SavedObjectResolveAliasTargetId:
      type: string
    Security_Detections_API_SavedObjectResolveOutcome:
      enum:
        - exactMatch
        - aliasMatch
        - conflict
      type: string
    Security_Detections_API_SavedQueryId:
      description: Kibana [saved search](https://www.elastic.co/docs/explore-analyze/discover/search-sessions) used by the rule to create alerts.
      type: string
    Security_Detections_API_SavedQueryRule:
      allOf:
        - type: object
          properties:
            actions:
              description: Array defining the automated actions (notifications) taken when alerts are generated.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleAction'
              type: array
            alias_purpose:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
            alias_target_id:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
            author:
              $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
            building_block_type:
              $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
            description:
              $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
            enabled:
              $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
            exceptions_list:
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
              type: array
            false_positives:
              $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
            from:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
            interval:
              $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
            investigation_fields:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
            license:
              $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
            max_signals:
              $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
            meta:
              $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
            name:
              $ref: '#/components/schemas/Security_Detections_API_RuleName'
            namespace:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
            note:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
            outcome:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
            output_index:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
            references:
              $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
            related_integrations:
              $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
            required_fields:
              description: |
                Elasticsearch fields and their types that need to be present for the rule to function.
                > info
                > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
              type: array
            response_actions:
              items:
                $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
              type: array
            risk_score:
              $ref: '#/components/schemas/Security_Detections_API_RiskScore'
            risk_score_mapping:
              $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
            rule_name_override:
              $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
            setup:
              $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
            severity:
              $ref: '#/components/schemas/Security_Detections_API_Severity'
            severity_mapping:
              $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
            tags:
              $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
            threat:
              $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
            throttle:
              $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
            timeline_id:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
            timeline_title:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
            timestamp_override:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
            timestamp_override_fallback_disabled:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
            to:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
            version:
              $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
          required:
            - name
            - description
            - risk_score
            - severity
            - version
            - tags
            - enabled
            - risk_score_mapping
            - severity_mapping
            - interval
            - from
            - to
            - actions
            - exceptions_list
            - author
            - false_positives
            - references
            - max_signals
            - threat
            - setup
            - related_integrations
            - required_fields
        - $ref: '#/components/schemas/Security_Detections_API_ResponseFields'
        - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleResponseFields'
    Security_Detections_API_SavedQueryRuleCreateFields:
      allOf:
        - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields'
        - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields'
        - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields'
    Security_Detections_API_SavedQueryRuleCreateProps:
      allOf:
        - type: object
          properties:
            actions:
              description: Array defining the automated actions (notifications) taken when alerts are generated.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleAction'
              type: array
            alias_purpose:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
            alias_target_id:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
            author:
              $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
            building_block_type:
              $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
            description:
              $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
            enabled:
              $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
            exceptions_list:
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
              type: array
            false_positives:
              $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
            from:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
            interval:
              $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
            investigation_fields:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
            license:
              $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
            max_signals:
              $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
            meta:
              $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
            name:
              $ref: '#/components/schemas/Security_Detections_API_RuleName'
            namespace:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
            note:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
            outcome:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
            output_index:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
            references:
              $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
            related_integrations:
              $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
            required_fields:
              description: |
                Elasticsearch fields and their types that need to be present for the rule to function.
                > info
                > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
              type: array
            response_actions:
              items:
                $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
              type: array
            risk_score:
              $ref: '#/components/schemas/Security_Detections_API_RiskScore'
            risk_score_mapping:
              $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
            rule_id:
              $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
            rule_name_override:
              $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
            setup:
              $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
            severity:
              $ref: '#/components/schemas/Security_Detections_API_Severity'
            severity_mapping:
              $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
            tags:
              $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
            threat:
              $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
            throttle:
              $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
            timeline_id:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
            timeline_title:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
            timestamp_override:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
            timestamp_override_fallback_disabled:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
            to:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
            version:
              $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
          required:
            - name
            - description
            - risk_score
            - severity
        - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields'
    Security_Detections_API_SavedQueryRuleDefaultableFields:
      type: object
      properties:
        language:
          $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage'
    Security_Detections_API_SavedQueryRuleOptionalFields:
      type: object
      properties:
        alert_suppression:
          $ref: '#/components/schemas/Security_Detections_API_AlertSuppression'
        data_view_id:
          $ref: '#/components/schemas/Security_Detections_API_DataViewId'
        filters:
          $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray'
        index:
          $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray'
        query:
          $ref: '#/components/schemas/Security_Detections_API_RuleQuery'
    Security_Detections_API_SavedQueryRulePatchFields:
      allOf:
        - type: object
          properties:
            saved_id:
              $ref: '#/components/schemas/Security_Detections_API_SavedQueryId'
            type:
              description: Rule type
              enum:
                - saved_query
              type: string
        - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields'
        - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields'
    Security_Detections_API_SavedQueryRulePatchProps:
      allOf:
        - type: object
          properties:
            actions:
              description: Array defining the automated actions (notifications) taken when alerts are generated.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleAction'
              type: array
            alias_purpose:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
            alias_target_id:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
            author:
              $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
            building_block_type:
              $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
            description:
              $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
            enabled:
              $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
            exceptions_list:
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
              type: array
            false_positives:
              $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
            from:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
            id:
              $ref: '#/components/schemas/Security_Detections_API_UUID'
            interval:
              $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
            investigation_fields:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
            license:
              $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
            max_signals:
              $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
            meta:
              $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
            name:
              $ref: '#/components/schemas/Security_Detections_API_RuleName'
            namespace:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
            note:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
            outcome:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
            output_index:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
            references:
              $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
            related_integrations:
              $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
            required_fields:
              description: |
                Elasticsearch fields and their types that need to be present for the rule to function.
                > info
                > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
              type: array
            response_actions:
              items:
                $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
              type: array
            risk_score:
              $ref: '#/components/schemas/Security_Detections_API_RiskScore'
            risk_score_mapping:
              $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
            rule_id:
              $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
            rule_name_override:
              $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
            setup:
              $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
            severity:
              $ref: '#/components/schemas/Security_Detections_API_Severity'
            severity_mapping:
              $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
            tags:
              $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
            threat:
              $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
            throttle:
              $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
            timeline_id:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
            timeline_title:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
            timestamp_override:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
            timestamp_override_fallback_disabled:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
            to:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
            version:
              $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
        - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRulePatchFields'
    Security_Detections_API_SavedQueryRuleRequiredFields:
      type: object
      properties:
        saved_id:
          $ref: '#/components/schemas/Security_Detections_API_SavedQueryId'
        type:
          description: Rule type
          enum:
            - saved_query
          type: string
      required:
        - type
        - saved_id
    Security_Detections_API_SavedQueryRuleResponseFields:
      allOf:
        - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields'
        - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields'
        - type: object
          properties:
            language:
              $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage'
          required:
            - language
    Security_Detections_API_SavedQueryRuleUpdateProps:
      allOf:
        - type: object
          properties:
            actions:
              description: Array defining the automated actions (notifications) taken when alerts are generated.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleAction'
              type: array
            alias_purpose:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
            alias_target_id:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
            author:
              $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
            building_block_type:
              $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
            description:
              $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
            enabled:
              $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
            exceptions_list:
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
              type: array
            false_positives:
              $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
            from:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
            id:
              $ref: '#/components/schemas/Security_Detections_API_UUID'
            interval:
              $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
            investigation_fields:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
            license:
              $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
            max_signals:
              $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
            meta:
              $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
            name:
              $ref: '#/components/schemas/Security_Detections_API_RuleName'
            namespace:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
            note:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
            outcome:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
            output_index:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
            references:
              $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
            related_integrations:
              $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
            required_fields:
              description: |
                Elasticsearch fields and their types that need to be present for the rule to function.
                > info
                > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
              type: array
            response_actions:
              items:
                $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
              type: array
            risk_score:
              $ref: '#/components/schemas/Security_Detections_API_RiskScore'
            risk_score_mapping:
              $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
            rule_id:
              $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
            rule_name_override:
              $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
            setup:
              $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
            severity:
              $ref: '#/components/schemas/Security_Detections_API_Severity'
            severity_mapping:
              $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
            tags:
              $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
            threat:
              $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
            throttle:
              $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
            timeline_id:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
            timeline_title:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
            timestamp_override:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
            timestamp_override_fallback_disabled:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
            to:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
            version:
              $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
          required:
            - name
            - description
            - risk_score
            - severity
        - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields'
    Security_Detections_API_SetAlertAssigneesBody:
      type: object
      properties:
        assignees:
          $ref: '#/components/schemas/Security_Detections_API_AlertAssignees'
          description: Details about the assignees to assign and unassign.
        ids:
          $ref: '#/components/schemas/Security_Detections_API_AlertIds'
      required:
        - assignees
        - ids
    Security_Detections_API_SetAlertsStatusByIds:
      discriminator:
        mapping:
          closed: '#/components/schemas/Security_Detections_API_CloseAlertsByIds'
        propertyName: status
      oneOf:
        - $ref: '#/components/schemas/Security_Detections_API_CloseAlertsByIds'
        - $ref: '#/components/schemas/Security_Detections_API_SetAlertsStatusByIdsBase'
    Security_Detections_API_SetAlertsStatusByIdsBase:
      type: object
      properties:
        signal_ids:
          description: 'List of alert IDs. Use the `_id` field of the alert document or `kibana.alert.uuid`. Note: "signals" is a deprecated term for alerts.'
          items:
            format: nonempty
            minLength: 1
            type: string
          minItems: 1
          type: array
        status:
          $ref: '#/components/schemas/Security_Detections_API_AlertStatusExceptClosed'
      required:
        - signal_ids
        - status
    Security_Detections_API_SetAlertsStatusByQuery:
      discriminator:
        mapping:
          closed: '#/components/schemas/Security_Detections_API_CloseAlertsByQuery'
        propertyName: status
      oneOf:
        - $ref: '#/components/schemas/Security_Detections_API_CloseAlertsByQuery'
        - $ref: '#/components/schemas/Security_Detections_API_SetAlertsStatusByQueryBase'
    Security_Detections_API_SetAlertsStatusByQueryBase:
      type: object
      properties:
        conflicts:
          default: abort
          enum:
            - abort
            - proceed
          type: string
        query:
          additionalProperties: true
          type: object
        status:
          $ref: '#/components/schemas/Security_Detections_API_AlertStatusExceptClosed'
      required:
        - query
        - status
    Security_Detections_API_SetAlertTags:
      description: Object with list of tags to add and remove.
      type: object
      properties:
        tags_to_add:
          $ref: '#/components/schemas/Security_Detections_API_AlertTags'
        tags_to_remove:
          $ref: '#/components/schemas/Security_Detections_API_AlertTags'
      required:
        - tags_to_add
        - tags_to_remove
    Security_Detections_API_SetAlertTagsBody:
      type: object
      properties:
        ids:
          $ref: '#/components/schemas/Security_Detections_API_AlertIds'
        tags:
          $ref: '#/components/schemas/Security_Detections_API_SetAlertTags'
      required:
        - ids
        - tags
    Security_Detections_API_SetupGuide:
      description: Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.
      type: string
    Security_Detections_API_Severity:
      description: |
        Severity level of alerts produced by the rule, which must be one of the following:
        * `low`: Alerts that are of interest but generally not considered to be security incidents
        * `medium`: Alerts that require investigation
        * `high`: Alerts that require immediate investigation
        * `critical`: Alerts that indicate it is highly likely a security incident has occurred
      enum:
        - low
        - medium
        - high
        - critical
      type: string
    Security_Detections_API_SeverityMapping:
      description: Overrides generated alerts' severity with values from the source event
      items:
        type: object
        properties:
          field:
            description: Source event field used to override the default `severity`.
            type: string
          operator:
            enum:
              - equals
            type: string
          severity:
            $ref: '#/components/schemas/Security_Detections_API_Severity'
          value:
            type: string
        required:
          - field
          - operator
          - severity
          - value
      type: array
    Security_Detections_API_SiemErrorResponse:
      type: object
      properties:
        message:
          type: string
        status_code:
          type: integer
      required:
        - status_code
        - message
    Security_Detections_API_SortOrder:
      enum:
        - asc
        - desc
      type: string
    Security_Detections_API_Threat:
      description: |
        > info
        > Currently, only threats described using the MITRE ATT&CK™ framework are supported.
      type: object
      properties:
        framework:
          description: Relevant attack framework
          type: string
        tactic:
          $ref: '#/components/schemas/Security_Detections_API_ThreatTactic'
        technique:
          description: Array containing information on the attack techniques (optional)
          items:
            $ref: '#/components/schemas/Security_Detections_API_ThreatTechnique'
          type: array
      required:
        - framework
        - tactic
    Security_Detections_API_ThreatArray:
      items:
        $ref: '#/components/schemas/Security_Detections_API_Threat'
      type: array
    Security_Detections_API_ThreatFilters:
      items:
        description: Query and filter context array used to filter documents from the Elasticsearch index containing the threat values
      type: array
    Security_Detections_API_ThreatIndex:
      description: Elasticsearch indices used to check which field values generate alerts.
      items:
        type: string
      type: array
    Security_Detections_API_ThreatIndicatorPath:
      description: Defines the path to the threat indicator in the indicator documents (optional)
      type: string
    Security_Detections_API_ThreatMapping:
      description: |
        Array of `entries` objects that define mappings between the source event fields and the values in the Elasticsearch threat index. Each item in an `entries` array must contain these fields:

        - `field`: field from the event indices on which the rule runs
        - `type`: must be `mapping`
        - `value`: field from the Elasticsearch threat index

        You can use Boolean `and` and `or` logic to define the conditions for when matching fields and values generate alerts. Sibling `entries` objects are evaluated using `or` logic, whereas multiple entries in a single `entries` object use `and` logic. See Example of Threat Match rule which uses both `and` and `or` logic.
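
        The following `threat_mapping` value is an added illustration, not taken from the Kibana source; the event and indicator field names are constructed sample values. It generates an alert when `source.ip` matches `threat.indicator.ip` and `destination.port` matches `threat.indicator.port`, or when `url.full` matches `threat.indicator.url.full`:

        ```json
        {
          "threat_mapping": [
            {
              "entries": [
                { "field": "source.ip", "type": "mapping", "value": "threat.indicator.ip" },
                { "field": "destination.port", "type": "mapping", "value": "threat.indicator.port" }
              ]
            },
            {
              "entries": [
                { "field": "url.full", "type": "mapping", "value": "threat.indicator.url.full" }
              ]
            }
          ]
        }
        ```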
      items:
        type: object
        properties:
          entries:
            items:
              $ref: '#/components/schemas/Security_Detections_API_ThreatMappingEntry'
            type: array
        required:
          - entries
      minItems: 1
      type: array
    Security_Detections_API_ThreatMappingEntry:
      type: object
      properties:
        field:
          $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
        negate:
          type: boolean
        type:
          enum:
            - mapping
          type: string
        value:
          $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
      required:
        - field
        - type
        - value
    Security_Detections_API_ThreatMatchRule:
      allOf:
        - type: object
          properties:
            actions:
              description: Array defining the automated actions (notifications) taken when alerts are generated.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleAction'
              type: array
            alias_purpose:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
            alias_target_id:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
            author:
              $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
            building_block_type:
              $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
            description:
              $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
            enabled:
              $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
            exceptions_list:
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
              type: array
            false_positives:
              $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
            from:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
            interval:
              $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
            investigation_fields:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
            license:
              $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
            max_signals:
              $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
            meta:
              $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
            name:
              $ref: '#/components/schemas/Security_Detections_API_RuleName'
            namespace:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
            note:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
            outcome:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
            output_index:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
            references:
              $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
            related_integrations:
              $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
            required_fields:
              description: |
                Elasticsearch fields and their types that need to be present for the rule to function.
                > info
                > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
              type: array
            response_actions:
              items:
                $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
              type: array
            risk_score:
              $ref: '#/components/schemas/Security_Detections_API_RiskScore'
            risk_score_mapping:
              $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
            rule_name_override:
              $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
            setup:
              $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
            severity:
              $ref: '#/components/schemas/Security_Detections_API_Severity'
            severity_mapping:
              $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
            tags:
              $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
            threat:
              $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
            throttle:
              $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
            timeline_id:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
            timeline_title:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
            timestamp_override:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
            timestamp_override_fallback_disabled:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
            to:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
            version:
              $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
          required:
            - name
            - description
            - risk_score
            - severity
            - version
            - tags
            - enabled
            - risk_score_mapping
            - severity_mapping
            - interval
            - from
            - to
            - actions
            - exceptions_list
            - author
            - false_positives
            - references
            - max_signals
            - threat
            - setup
            - related_integrations
            - required_fields
        - $ref: '#/components/schemas/Security_Detections_API_ResponseFields'
        - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleResponseFields'
    Security_Detections_API_ThreatMatchRuleCreateFields:
      allOf:
        - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields'
        - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields'
        - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields'
    Security_Detections_API_ThreatMatchRuleCreateProps:
      allOf:
        - type: object
          properties:
            actions:
              description: Array defining the automated actions (notifications) taken when alerts are generated.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleAction'
              type: array
            alias_purpose:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
            alias_target_id:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
            author:
              $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
            building_block_type:
              $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
            description:
              $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
            enabled:
              $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
            exceptions_list:
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
              type: array
            false_positives:
              $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
            from:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
            interval:
              $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
            investigation_fields:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
            license:
              $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
            max_signals:
              $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
            meta:
              $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
            name:
              $ref: '#/components/schemas/Security_Detections_API_RuleName'
            namespace:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
            note:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
            outcome:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
            output_index:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
            references:
              $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
            related_integrations:
              $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
            required_fields:
              description: |
                Elasticsearch fields and their types that need to be present for the rule to function.
                > info
                > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
              type: array
            response_actions:
              items:
                $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
              type: array
            risk_score:
              $ref: '#/components/schemas/Security_Detections_API_RiskScore'
            risk_score_mapping:
              $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
            rule_id:
              $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
            rule_name_override:
              $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
            setup:
              $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
            severity:
              $ref: '#/components/schemas/Security_Detections_API_Severity'
            severity_mapping:
              $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
            tags:
              $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
            threat:
              $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
            throttle:
              $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
            timeline_id:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
            timeline_title:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
            timestamp_override:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
            timestamp_override_fallback_disabled:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
            to:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
            version:
              $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
          required:
            - name
            - description
            - risk_score
            - severity
        - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields'
    Security_Detections_API_ThreatMatchRuleDefaultableFields:
      type: object
      properties:
        language:
          $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage'
    Security_Detections_API_ThreatMatchRuleOptionalFields:
      type: object
      properties:
        alert_suppression:
          $ref: '#/components/schemas/Security_Detections_API_AlertSuppression'
        concurrent_searches:
          $ref: '#/components/schemas/Security_Detections_API_ConcurrentSearches'
        data_view_id:
          $ref: '#/components/schemas/Security_Detections_API_DataViewId'
        filters:
          $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray'
        index:
          $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray'
        items_per_search:
          $ref: '#/components/schemas/Security_Detections_API_ItemsPerSearch'
        saved_id:
          $ref: '#/components/schemas/Security_Detections_API_SavedQueryId'
        threat_filters:
          $ref: '#/components/schemas/Security_Detections_API_ThreatFilters'
        threat_indicator_path:
          $ref: '#/components/schemas/Security_Detections_API_ThreatIndicatorPath'
        threat_language:
          $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage'
    Security_Detections_API_ThreatMatchRulePatchFields:
      allOf:
        - type: object
          properties:
            query:
              $ref: '#/components/schemas/Security_Detections_API_RuleQuery'
            threat_index:
              $ref: '#/components/schemas/Security_Detections_API_ThreatIndex'
            threat_mapping:
              $ref: '#/components/schemas/Security_Detections_API_ThreatMapping'
            threat_query:
              $ref: '#/components/schemas/Security_Detections_API_ThreatQuery'
            type:
              description: Rule type
              enum:
                - threat_match
              type: string
        - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields'
        - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields'
    Security_Detections_API_ThreatMatchRulePatchProps:
      allOf:
        - type: object
          properties:
            actions:
              description: Array defining the automated actions (notifications) taken when alerts are generated.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleAction'
              type: array
            alias_purpose:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
            alias_target_id:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
            author:
              $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
            building_block_type:
              $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
            description:
              $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
            enabled:
              $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
            exceptions_list:
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
              type: array
            false_positives:
              $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
            from:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
            id:
              $ref: '#/components/schemas/Security_Detections_API_UUID'
            interval:
              $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
            investigation_fields:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
            license:
              $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
            max_signals:
              $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
            meta:
              $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
            name:
              $ref: '#/components/schemas/Security_Detections_API_RuleName'
            namespace:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
            note:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
            outcome:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
            output_index:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
            references:
              $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
            related_integrations:
              $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
            required_fields:
              description: |
                Elasticsearch fields and their types that need to be present for the rule to function.
                > info
                > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
              type: array
            response_actions:
              items:
                $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
              type: array
            risk_score:
              $ref: '#/components/schemas/Security_Detections_API_RiskScore'
            risk_score_mapping:
              $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
            rule_id:
              $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
            rule_name_override:
              $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
            setup:
              $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
            severity:
              $ref: '#/components/schemas/Security_Detections_API_Severity'
            severity_mapping:
              $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
            tags:
              $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
            threat:
              $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
            throttle:
              $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
            timeline_id:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
            timeline_title:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
            timestamp_override:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
            timestamp_override_fallback_disabled:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
            to:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
            version:
              $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
        - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRulePatchFields'
    Security_Detections_API_ThreatMatchRuleRequiredFields:
      type: object
      properties:
        query:
          $ref: '#/components/schemas/Security_Detections_API_RuleQuery'
        threat_index:
          $ref: '#/components/schemas/Security_Detections_API_ThreatIndex'
        threat_mapping:
          $ref: '#/components/schemas/Security_Detections_API_ThreatMapping'
        threat_query:
          $ref: '#/components/schemas/Security_Detections_API_ThreatQuery'
        type:
          description: Rule type
          enum:
            - threat_match
          type: string
      required:
        - type
        - query
        - threat_query
        - threat_mapping
        - threat_index
    Security_Detections_API_ThreatMatchRuleResponseFields:
      allOf:
        - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields'
        - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields'
        - type: object
          properties:
            language:
              $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage'
          required:
            - language
    Security_Detections_API_ThreatMatchRuleUpdateProps:
      allOf:
        - type: object
          properties:
            actions:
              description: Array defining the automated actions (notifications) taken when alerts are generated.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleAction'
              type: array
            alias_purpose:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
            alias_target_id:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
            author:
              $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
            building_block_type:
              $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
            description:
              $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
            enabled:
              $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
            exceptions_list:
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
              type: array
            false_positives:
              $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
            from:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
            id:
              $ref: '#/components/schemas/Security_Detections_API_UUID'
            interval:
              $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
            investigation_fields:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
            license:
              $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
            max_signals:
              $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
            meta:
              $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
            name:
              $ref: '#/components/schemas/Security_Detections_API_RuleName'
            namespace:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
            note:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
            outcome:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
            output_index:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
            references:
              $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
            related_integrations:
              $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
            required_fields:
              description: |
                Elasticsearch fields and their types that need to be present for the rule to function.
                > info
                > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
              type: array
            response_actions:
              items:
                $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
              type: array
            risk_score:
              $ref: '#/components/schemas/Security_Detections_API_RiskScore'
            risk_score_mapping:
              $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
            rule_id:
              $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
            rule_name_override:
              $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
            setup:
              $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
            severity:
              $ref: '#/components/schemas/Security_Detections_API_Severity'
            severity_mapping:
              $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
            tags:
              $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
            threat:
              $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
            throttle:
              $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
            timeline_id:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
            timeline_title:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
            timestamp_override:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
            timestamp_override_fallback_disabled:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
            to:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
            version:
              $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
          required:
            - name
            - description
            - risk_score
            - severity
        - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields'
    Security_Detections_API_ThreatQuery:
      description: Query used to determine which fields in the Elasticsearch index are used for generating alerts.
      type: string
    Security_Detections_API_ThreatSubtechnique:
      type: object
      properties:
        id:
          description: Subtechnique ID
          type: string
        name:
          description: Subtechnique name
          type: string
        reference:
          description: Subtechnique reference
          type: string
      required:
        - id
        - name
        - reference
    Security_Detections_API_ThreatTactic:
      description: |
        Object containing information on the attack type
      type: object
      properties:
        id:
          description: Tactic ID
          type: string
        name:
          description: Tactic name
          type: string
        reference:
          description: Tactic reference
          type: string
      required:
        - id
        - name
        - reference
    Security_Detections_API_ThreatTechnique:
      type: object
      properties:
        id:
          description: Technique ID
          type: string
        name:
          description: Technique name
          type: string
        reference:
          description: Technique reference
          type: string
        subtechnique:
          description: |
            Array containing more specific information on the attack technique.
          items:
            $ref: '#/components/schemas/Security_Detections_API_ThreatSubtechnique'
          type: array
      required:
        - id
        - name
        - reference
    Security_Detections_API_Threshold:
      type: object
      properties:
        cardinality:
          $ref: '#/components/schemas/Security_Detections_API_ThresholdCardinality'
        field:
          $ref: '#/components/schemas/Security_Detections_API_ThresholdField'
        value:
          $ref: '#/components/schemas/Security_Detections_API_ThresholdValue'
      required:
        - field
        - value
    Security_Detections_API_ThresholdAlertSuppression:
      description: Defines alert suppression configuration.
      type: object
      properties:
        duration:
          $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionDuration'
      required:
        - duration
    Security_Detections_API_ThresholdCardinality:
      description: The field on which the cardinality is applied.
      items:
        type: object
        properties:
          field:
            description: The field on which to calculate and compare the cardinality.
            type: string
          value:
            description: The threshold value from which an alert is generated, based on the number of unique values of `cardinality.field`.
            minimum: 0
            type: integer
        required:
          - field
          - value
      type: array
    Security_Detections_API_ThresholdField:
      description: The field on which the threshold is applied. If you specify an empty array (`[]`), alerts are generated when the query returns at least the number of results specified in the `value` field.
      oneOf:
        - type: string
        - items:
            type: string
          maxItems: 5
          minItems: 0
          type: array
    Security_Detections_API_ThresholdRule:
      allOf:
        - type: object
          properties:
            actions:
              description: Array defining the automated actions (notifications) taken when alerts are generated.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleAction'
              type: array
            alias_purpose:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
            alias_target_id:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
            author:
              $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
            building_block_type:
              $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
            description:
              $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
            enabled:
              $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
            exceptions_list:
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
              type: array
            false_positives:
              $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
            from:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
            interval:
              $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
            investigation_fields:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
            license:
              $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
            max_signals:
              $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
            meta:
              $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
            name:
              $ref: '#/components/schemas/Security_Detections_API_RuleName'
            namespace:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
            note:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
            outcome:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
            output_index:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
            references:
              $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
            related_integrations:
              $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
            required_fields:
              description: |
                Elasticsearch fields and their types that need to be present for the rule to function.
                > info
                > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
              type: array
            response_actions:
              items:
                $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
              type: array
            risk_score:
              $ref: '#/components/schemas/Security_Detections_API_RiskScore'
            risk_score_mapping:
              $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
            rule_name_override:
              $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
            setup:
              $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
            severity:
              $ref: '#/components/schemas/Security_Detections_API_Severity'
            severity_mapping:
              $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
            tags:
              $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
            threat:
              $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
            throttle:
              $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
            timeline_id:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
            timeline_title:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
            timestamp_override:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
            timestamp_override_fallback_disabled:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
            to:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
            version:
              $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
          required:
            - name
            - description
            - risk_score
            - severity
            - version
            - tags
            - enabled
            - risk_score_mapping
            - severity_mapping
            - interval
            - from
            - to
            - actions
            - exceptions_list
            - author
            - false_positives
            - references
            - max_signals
            - threat
            - setup
            - related_integrations
            - required_fields
        - $ref: '#/components/schemas/Security_Detections_API_ResponseFields'
        - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleResponseFields'
    Security_Detections_API_ThresholdRuleCreateFields:
      allOf:
        - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields'
        - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields'
        - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields'
    Security_Detections_API_ThresholdRuleCreateProps:
      allOf:
        - type: object
          properties:
            actions:
              description: Array defining the automated actions (notifications) taken when alerts are generated.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleAction'
              type: array
            alias_purpose:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
            alias_target_id:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
            author:
              $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
            building_block_type:
              $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
            description:
              $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
            enabled:
              $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
            exceptions_list:
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
              type: array
            false_positives:
              $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
            from:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
            interval:
              $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
            investigation_fields:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
            license:
              $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
            max_signals:
              $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
            meta:
              $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
            name:
              $ref: '#/components/schemas/Security_Detections_API_RuleName'
            namespace:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
            note:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
            outcome:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
            output_index:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
            references:
              $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
            related_integrations:
              $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
            required_fields:
              description: |
                Elasticsearch fields and their types that need to be present for the rule to function.
                > info
                > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
              type: array
            response_actions:
              items:
                $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
              type: array
            risk_score:
              $ref: '#/components/schemas/Security_Detections_API_RiskScore'
            risk_score_mapping:
              $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
            rule_id:
              $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
            rule_name_override:
              $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
            setup:
              $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
            severity:
              $ref: '#/components/schemas/Security_Detections_API_Severity'
            severity_mapping:
              $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
            tags:
              $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
            threat:
              $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
            throttle:
              $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
            timeline_id:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
            timeline_title:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
            timestamp_override:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
            timestamp_override_fallback_disabled:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
            to:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
            version:
              $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
          required:
            - name
            - description
            - risk_score
            - severity
        - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateFields'
    Security_Detections_API_ThresholdRuleDefaultableFields:
      type: object
      properties:
        language:
          $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage'
    Security_Detections_API_ThresholdRuleOptionalFields:
      type: object
      properties:
        alert_suppression:
          $ref: '#/components/schemas/Security_Detections_API_ThresholdAlertSuppression'
        data_view_id:
          $ref: '#/components/schemas/Security_Detections_API_DataViewId'
        filters:
          $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray'
        index:
          $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray'
        saved_id:
          $ref: '#/components/schemas/Security_Detections_API_SavedQueryId'
    Security_Detections_API_ThresholdRulePatchFields:
      allOf:
        - type: object
          properties:
            query:
              $ref: '#/components/schemas/Security_Detections_API_RuleQuery'
            threshold:
              $ref: '#/components/schemas/Security_Detections_API_Threshold'
            type:
              description: Rule type
              enum:
                - threshold
              type: string
        - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields'
        - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields'
    Security_Detections_API_ThresholdRulePatchProps:
      allOf:
        - type: object
          properties:
            actions:
              description: Array defining the automated actions (notifications) taken when alerts are generated.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleAction'
              type: array
            alias_purpose:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
            alias_target_id:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
            author:
              $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
            building_block_type:
              $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
            description:
              $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
            enabled:
              $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
            exceptions_list:
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
              type: array
            false_positives:
              $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
            from:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
            id:
              $ref: '#/components/schemas/Security_Detections_API_UUID'
            interval:
              $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
            investigation_fields:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
            license:
              $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
            max_signals:
              $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
            meta:
              $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
            name:
              $ref: '#/components/schemas/Security_Detections_API_RuleName'
            namespace:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
            note:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
            outcome:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
            output_index:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
            references:
              $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
            related_integrations:
              $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
            required_fields:
              description: |
                Elasticsearch fields and their types that need to be present for the rule to function.
                > info
                > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
              type: array
            response_actions:
              items:
                $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
              type: array
            risk_score:
              $ref: '#/components/schemas/Security_Detections_API_RiskScore'
            risk_score_mapping:
              $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
            rule_id:
              $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
            rule_name_override:
              $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
            setup:
              $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
            severity:
              $ref: '#/components/schemas/Security_Detections_API_Severity'
            severity_mapping:
              $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
            tags:
              $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
            threat:
              $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
            throttle:
              $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
            timeline_id:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
            timeline_title:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
            timestamp_override:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
            timestamp_override_fallback_disabled:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
            to:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
            version:
              $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
        - $ref: '#/components/schemas/Security_Detections_API_ThresholdRulePatchFields'
    Security_Detections_API_ThresholdRuleRequiredFields:
      type: object
      properties:
        query:
          $ref: '#/components/schemas/Security_Detections_API_RuleQuery'
        threshold:
          $ref: '#/components/schemas/Security_Detections_API_Threshold'
        type:
          description: Rule type
          enum:
            - threshold
          type: string
      required:
        - type
        - query
        - threshold
    Security_Detections_API_ThresholdRuleResponseFields:
      allOf:
        - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields'
        - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields'
        - type: object
          properties:
            language:
              $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage'
          required:
            - language
    Security_Detections_API_ThresholdRuleUpdateProps:
      allOf:
        - type: object
          properties:
            actions:
              description: Array defining the automated actions (notifications) taken when alerts are generated.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleAction'
              type: array
            alias_purpose:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
            alias_target_id:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
            author:
              $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
            building_block_type:
              $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
            description:
              $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
            enabled:
              $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
            exceptions_list:
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
              type: array
            false_positives:
              $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
            from:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
            id:
              $ref: '#/components/schemas/Security_Detections_API_UUID'
            interval:
              $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
            investigation_fields:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
            license:
              $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
            max_signals:
              $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
            meta:
              $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
            name:
              $ref: '#/components/schemas/Security_Detections_API_RuleName'
            namespace:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
            note:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
            outcome:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
            output_index:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
            references:
              $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
            related_integrations:
              $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
            required_fields:
              description: |
                Elasticsearch fields and their types that need to be present for the rule to function.
                > info
                > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
              type: array
            response_actions:
              items:
                $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
              type: array
            risk_score:
              $ref: '#/components/schemas/Security_Detections_API_RiskScore'
            risk_score_mapping:
              $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
            rule_id:
              $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
            rule_name_override:
              $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
            setup:
              $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
            severity:
              $ref: '#/components/schemas/Security_Detections_API_Severity'
            severity_mapping:
              $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
            tags:
              $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
            threat:
              $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
            throttle:
              $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
            timeline_id:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
            timeline_title:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
            timestamp_override:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
            timestamp_override_fallback_disabled:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
            to:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
            version:
              $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
          required:
            - name
            - description
            - risk_score
            - severity
        - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateFields'
    Security_Detections_API_ThresholdValue:
      description: The threshold value from which an alert is generated.
      minimum: 1
      type: integer
    Security_Detections_API_ThrottleForBulkActions:
      description: |
        Defines the maximum interval in which a rule’s actions are executed.
        > info
        > The rule level `throttle` field is deprecated in Elastic Security 8.8 and will remain active for at least the next 12 months.
        > In Elastic Security 8.8 and later, you can use the `frequency` field to define frequencies for individual actions. Actions without frequencies will acquire a converted version of the rule’s `throttle` field. In the response, the converted `throttle` setting appears in the individual actions' `frequency` field.
      enum:
        - rule
        - 1h
        - 1d
        - 7d
      type: string
    Security_Detections_API_TiebreakerField:
      description: Sets a secondary field for sorting events
      type: string
    Security_Detections_API_TimelineTemplateId:
      description: Timeline template ID
      type: string
    Security_Detections_API_TimelineTemplateTitle:
      description: Timeline template title
      type: string
    Security_Detections_API_TimestampField:
      description: Specifies the name of the event timestamp field used for sorting a sequence of events. Not to be confused with `timestamp_override`, which specifies the more general field used for querying events within a range. Defaults to the @timestamp ECS field.
      type: string
    Security_Detections_API_TimestampOverride:
      description: Sets the time field used to query indices. When unspecified, rules query the `@timestamp` field. The source field must be an Elasticsearch date data type.
      type: string
    Security_Detections_API_TimestampOverrideFallbackDisabled:
      description: Disables the fallback to the event's @timestamp field
      type: boolean
    Security_Detections_API_UUID:
      description: A universally unique identifier
      format: uuid
      type: string
    Security_Detections_API_WarningSchema:
      type: object
      properties:
        actionPath:
          type: string
        buttonLabel:
          type: string
        message:
          type: string
        type:
          type: string
      required:
        - type
        - message
        - actionPath
    Security_Endpoint_Exceptions_API_EndpointList:
      oneOf:
        - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionList'
        - additionalProperties: false
          type: object
    Security_Endpoint_Exceptions_API_EndpointListItem:
      $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem'
    Security_Endpoint_Exceptions_API_ExceptionList:
      type: object
      properties:
        _version:
          description: The version id, normally returned by the API when the item was retrieved. Use it to ensure updates are done against the latest version.
          type: string
        created_at:
          description: Autogenerated date of object creation.
          format: date-time
          type: string
        created_by:
          description: Autogenerated value - user that created object.
          type: string
        description:
          $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListDescription'
        id:
          $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListId'
        immutable:
          type: boolean
        list_id:
          $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId'
        meta:
          $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListMeta'
        name:
          $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListName'
        namespace_type:
          $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType'
        os_types:
          $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsTypeArray'
        tags:
          $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListTags'
        tie_breaker_id:
          description: Field used in search to ensure all containers are sorted and returned correctly.
          type: string
        type:
          $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListType'
        updated_at:
          description: Autogenerated date of last object update.
          format: date-time
          type: string
        updated_by:
          description: Autogenerated value - user that last updated object.
          type: string
        version:
          $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListVersion'
      required:
        - id
        - list_id
        - type
        - name
        - description
        - immutable
        - namespace_type
        - version
        - tie_breaker_id
        - created_at
        - created_by
        - updated_at
        - updated_by
    Security_Endpoint_Exceptions_API_ExceptionListDescription:
      description: Describes the exception list.
      example: This list tracks allowlisted values.
      type: string
    Security_Endpoint_Exceptions_API_ExceptionListHumanId:
      description: |
        The exception list's human-readable string identifier.

        For endpoint artifacts, use one of the following values:

        * `endpoint_list`: [Elastic Endpoint exception list](https://www.elastic.co/docs/solutions/security/detect-and-alert/add-manage-exceptions)
        * `endpoint_trusted_apps`: [Trusted applications list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-applications)
        * `endpoint_trusted_devices`: [Trusted devices list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-devices)
        * `endpoint_event_filters`: [Event filters list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/event-filters)
        * `endpoint_host_isolation_exceptions`: [Host isolation exceptions list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/host-isolation-exceptions)
        * `endpoint_blocklists`: [Blocklists list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/blocklist)
      example: simple_list
      format: nonempty
      minLength: 1
      type: string
    Security_Endpoint_Exceptions_API_ExceptionListId:
      description: Exception list's identifier.
      example: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85
      format: nonempty
      minLength: 1
      type: string
    Security_Endpoint_Exceptions_API_ExceptionListItem:
      type: object
      properties:
        _version:
          description: The version id, normally returned by the API when the item was retrieved. Use it to ensure updates are done against the latest version.
          type: string
        comments:
          $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray'
        created_at:
          description: Autogenerated date of object creation.
          format: date-time
          type: string
        created_by:
          description: Autogenerated value - user that created object.
          type: string
        description:
          $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription'
        entries:
          $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray'
        expire_time:
          $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemExpireTime'
        id:
          $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId'
        item_id:
          $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId'
        list_id:
          $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId'
        meta:
          $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta'
        name:
          $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName'
        namespace_type:
          $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType'
        os_types:
          $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray'
        tags:
          $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags'
        tie_breaker_id:
          description: Field used in search to ensure all containers are sorted and returned correctly.
          type: string
        type:
          $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType'
        updated_at:
          description: Autogenerated date of last object update.
          format: date-time
          type: string
        updated_by:
          description: Autogenerated value - user that last updated object.
          type: string
      required:
        - id
        - item_id
        - list_id
        - type
        - name
        - description
        - entries
        - namespace_type
        - comments
        - tie_breaker_id
        - created_at
        - created_by
        - updated_at
        - updated_by
    Security_Endpoint_Exceptions_API_ExceptionListItemComment:
      type: object
      properties:
        comment:
          $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
        created_at:
          description: Autogenerated date of object creation.
          format: date-time
          type: string
        created_by:
          $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
        id:
          $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
        updated_at:
          description: Autogenerated date of last object update.
          format: date-time
          type: string
        updated_by:
          $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
      required:
        - id
        - comment
        - created_at
        - created_by
    Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray:
      description: |
        Array of comment fields:

        - comment (string): Comments about the exception item.
      items:
        $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemComment'
      type: array
    Security_Endpoint_Exceptions_API_ExceptionListItemDescription:
      description: Describes the exception list.
      type: string
    Security_Endpoint_Exceptions_API_ExceptionListItemEntry:
      anyOf:
        - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch'
        - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny'
        - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryList'
        - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists'
        - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested'
        - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard'
      discriminator:
        propertyName: type
    Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray:
      items:
        $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntry'
      type: array
    Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists:
      type: object
      properties:
        field:
          $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
        operator:
          $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator'
        type:
          enum:
            - exists
          type: string
      required:
        - type
        - field
        - operator
    Security_Endpoint_Exceptions_API_ExceptionListItemEntryList:
      type: object
      properties:
        field:
          $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
        list:
          type: object
          properties:
            id:
              $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ListId'
            type:
              $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ListType'
          required:
            - id
            - type
        operator:
          $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator'
        type:
          enum:
            - list
          type: string
      required:
        - type
        - field
        - list
        - operator
    Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch:
      type: object
      properties:
        field:
          $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
        operator:
          $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator'
        type:
          enum:
            - match
          type: string
        value:
          $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
      required:
        - type
        - field
        - value
        - operator
    Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny:
      type: object
      properties:
        field:
          $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
        operator:
          $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator'
        type:
          enum:
            - match_any
          type: string
        value:
          items:
            $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
          minItems: 1
          type: array
      required:
        - type
        - field
        - value
        - operator
    Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard:
      type: object
      properties:
        field:
          $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
        operator:
          $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator'
        type:
          enum:
            - wildcard
          type: string
        value:
          $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
      required:
        - type
        - field
        - value
        - operator
    Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested:
      type: object
      properties:
        entries:
          items:
            $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem'
          minItems: 1
          type: array
        field:
          $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
        type:
          enum:
            - nested
          type: string
      required:
        - type
        - field
        - entries
    Security_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem:
      oneOf:
        - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch'
        - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny'
        - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists'
    Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator:
      enum:
        - excluded
        - included
      type: string
    Security_Endpoint_Exceptions_API_ExceptionListItemExpireTime:
      description: The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.
      format: date-time
      type: string
    Security_Endpoint_Exceptions_API_ExceptionListItemHumanId:
      description: Human readable string identifier, e.g. `trusted-linux-processes`
      example: simple_list_item
      format: nonempty
      minLength: 1
      type: string
    Security_Endpoint_Exceptions_API_ExceptionListItemId:
      description: Exception's identifier.
      example: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2
      format: nonempty
      minLength: 1
      type: string
    Security_Endpoint_Exceptions_API_ExceptionListItemMeta:
      additionalProperties: true
      type: object
    Security_Endpoint_Exceptions_API_ExceptionListItemName:
      description: Exception list name.
      format: nonempty
      minLength: 1
      type: string
    Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray:
      items:
        $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType'
      type: array
    Security_Endpoint_Exceptions_API_ExceptionListItemTags:
      items:
        description: String array containing words and phrases to help categorize exception items.
        format: nonempty
        minLength: 1
        type: string
      type: array
    Security_Endpoint_Exceptions_API_ExceptionListItemType:
      enum:
        - simple
      type: string
    Security_Endpoint_Exceptions_API_ExceptionListMeta:
      additionalProperties: true
      description: Placeholder for metadata about the list container.
      type: object
    Security_Endpoint_Exceptions_API_ExceptionListName:
      description: The name of the exception list.
      example: My exception list
      type: string
    Security_Endpoint_Exceptions_API_ExceptionListOsType:
      description: Use this field to specify the operating system.
      enum:
        - linux
        - macos
        - windows
      type: string
    Security_Endpoint_Exceptions_API_ExceptionListOsTypeArray:
      description: Use this field to specify the operating system. Only enter one value.
      items:
        $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType'
      type: array
    Security_Endpoint_Exceptions_API_ExceptionListTags:
      description: String array containing words and phrases to help categorize exception containers.
      items:
        type: string
      type: array
    Security_Endpoint_Exceptions_API_ExceptionListType:
      description: The type of exception list to be created. Different list types may denote where they can be utilized.
      enum:
        - detection
        - rule_default
        - endpoint
        - endpoint_trusted_apps
        - endpoint_trusted_devices
        - endpoint_events
        - endpoint_host_isolation_exceptions
        - endpoint_blocklists
      type: string
    Security_Endpoint_Exceptions_API_ExceptionListVersion:
      description: The document version, automatically increased on updates.
      minimum: 1
      type: integer
    Security_Endpoint_Exceptions_API_ExceptionNamespaceType:
      description: |
        Determines whether the exception container is available in all Kibana spaces or just the space
        in which it is created, where:

        - `single`: Only available in the Kibana space in which it is created.
        - `agnostic`: Available in all Kibana spaces.

        For endpoint artifacts, the `namespace_type` must always be `agnostic`. Space awareness for endpoint artifacts is enforced based on Elastic Defend policy assignments.
      enum:
        - agnostic
        - single
      type: string
    Security_Endpoint_Exceptions_API_FindEndpointListItemsFilter:
      $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
    Security_Endpoint_Exceptions_API_ListId:
      description: Value list's identifier.
      example: 21b01cfb-058d-44b9-838c-282be16c91cd
      format: nonempty
      minLength: 1
      type: string
    Security_Endpoint_Exceptions_API_ListType:
      description: |
        Specifies the Elasticsearch data type of the excludes that the list container holds. Some common examples:

        - `keyword`: Many ECS fields are Elasticsearch keywords
        - `ip`: IP addresses
        - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)
      enum:
        - binary
        - boolean
        - byte
        - date
        - date_nanos
        - date_range
        - double
        - double_range
        - float
        - float_range
        - geo_point
        - geo_shape
        - half_float
        - integer
        - integer_range
        - ip
        - ip_range
        - keyword
        - long
        - long_range
        - shape
        - short
        - text
      type: string
    Security_Endpoint_Exceptions_API_NonEmptyString:
      description: A string that does not contain only whitespace characters
      format: nonempty
      minLength: 1
      type: string
    Security_Endpoint_Exceptions_API_PlatformErrorResponse:
      type: object
      properties:
        error:
          type: string
        message:
          type: string
        statusCode:
          type: integer
      required:
        - statusCode
        - error
        - message
    Security_Endpoint_Exceptions_API_SiemErrorResponse:
      type: object
      properties:
        message:
          type: string
        status_code:
          type: integer
      required:
        - status_code
        - message
    Security_Endpoint_Management_API_ActionDetailsResponse:
      discriminator:
        mapping:
          cancel: '#/components/schemas/Security_Endpoint_Management_API_Cancel'
          execute: '#/components/schemas/Security_Endpoint_Management_API_Execute'
          get-file: '#/components/schemas/Security_Endpoint_Management_API_GetFile'
          isolate: '#/components/schemas/Security_Endpoint_Management_API_Isolate'
          kill-process: '#/components/schemas/Security_Endpoint_Management_API_KillProcess'
          memory-dump: '#/components/schemas/Security_Endpoint_Management_API_MemoryDump'
          running-processes: '#/components/schemas/Security_Endpoint_Management_API_RunningProcesses'
          runscript: '#/components/schemas/Security_Endpoint_Management_API_Runscript'
          scan: '#/components/schemas/Security_Endpoint_Management_API_Scan'
          suspend-process: '#/components/schemas/Security_Endpoint_Management_API_SuspendProcess'
          unisolate: '#/components/schemas/Security_Endpoint_Management_API_Unisolate'
          upload: '#/components/schemas/Security_Endpoint_Management_API_Upload'
        propertyName: command
      oneOf:
        - $ref: '#/components/schemas/Security_Endpoint_Management_API_KillProcess'
        - $ref: '#/components/schemas/Security_Endpoint_Management_API_GetFile'
        - $ref: '#/components/schemas/Security_Endpoint_Management_API_Execute'
        - $ref: '#/components/schemas/Security_Endpoint_Management_API_Runscript'
        - $ref: '#/components/schemas/Security_Endpoint_Management_API_Upload'
        - $ref: '#/components/schemas/Security_Endpoint_Management_API_Scan'
        - $ref: '#/components/schemas/Security_Endpoint_Management_API_Cancel'
        - $ref: '#/components/schemas/Security_Endpoint_Management_API_Isolate'
        - $ref: '#/components/schemas/Security_Endpoint_Management_API_Unisolate'
        - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuspendProcess'
        - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunningProcesses'
        - $ref: '#/components/schemas/Security_Endpoint_Management_API_MemoryDump'
    Security_Endpoint_Management_API_ActionStateSuccessResponse:
      type: object
      properties:
        data:
          type: object
          properties:
            canEncrypt:
              description: Whether the Kibana instance has encryption enabled for response actions.
              type: boolean
      required:
        - data
    Security_Endpoint_Management_API_ActionStatusSuccessResponse:
      type: object
      properties:
        data:
          description: One pending-actions summary entry per requested agent.
          items:
            type: object
            properties:
              agent_id:
                $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentId'
              pending_actions:
                $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionsSchema'
            required:
              - agent_id
              - pending_actions
          type: array
      required:
        - data
    Security_Endpoint_Management_API_AgentId:
      description: Agent ID
      type: string
    Security_Endpoint_Management_API_AgentIds:
      description: A list of agent IDs. Max of 250.
      example:
        - agent-id-1
        - agent-id-2
      minLength: 1
      oneOf:
        - items:
            minLength: 1
            type: string
          maxItems: 250
          minItems: 1
          type: array
        - minLength: 1
          type: string
    Security_Endpoint_Management_API_AgentTypes:
      description: List of agent types to retrieve. Defaults to `endpoint`.
      enum:
        - endpoint
        - sentinel_one
        - crowdstrike
        - microsoft_defender_endpoint
      example: endpoint
      type: string
    Security_Endpoint_Management_API_ApiPageSize:
      default: 10
      description: Number of items per page
      example: 10
      maximum: 1000
      minimum: 1
      type: integer
    Security_Endpoint_Management_API_ApiSortField:
      description: Determines which field is used to sort the results.
      enum:
        - name
        - createdAt
        - createdBy
        - updatedAt
        - updatedBy
        - fileSize
      example: updatedAt
      type: string
    Security_Endpoint_Management_API_ArchivePathToExecutableSchema:
      description: Used only when the uploaded script is an archive (a .zip file, for example). This property defines the relative path to the file included in the archive that should be executed once its contents are extracted. The path should be relative to the root of the archive.
      example: ./bin/script.sh
      type: string
    Security_Endpoint_Management_API_Cancel:
      allOf:
        - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails'
        - type: object
          properties:
            outputs:
              additionalProperties:
                type: object
                properties:
                  content:
                    type: object
                    properties:
                      code:
                        type: string
              type: object
            parameters:
              type: object
              properties:
                id:
                  format: uuid
                  type: string
    Security_Endpoint_Management_API_CancelRouteRequestBody:
      allOf:
        - type: object
          properties:
            agent_type:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
            alert_ids:
              description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50.
              example:
                - alert-id-1
                - alert-id-2
              items:
                minLength: 1
                type: string
              maxItems: 50
              minItems: 1
              type: array
            case_ids:
              description: The IDs of cases where the action taken will be logged. Max of 50.
              example:
                - case-id-1
                - case-id-2
              items:
                minLength: 1
                type: string
              maxItems: 50
              minItems: 1
              type: array
            comment:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
            endpoint_ids:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
            parameters:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
          required:
            - endpoint_ids
        - type: object
          properties:
            parameters:
              type: object
              properties:
                id:
                  description: ID of the response action to cancel
                  example: 7f8c9b2a-4d3e-4f5a-8b1c-2e3f4a5b6c7d
                  minLength: 1
                  type: string
              required:
                - id
          required:
            - parameters
    Security_Endpoint_Management_API_CloudFileScriptParameters:
      type: object
      properties:
        cloudFile:
          description: Script name in cloud storage.
          minLength: 1
          type: string
        commandLine:
          description: Command line arguments.
          minLength: 1
          type: string
        timeout:
          description: Timeout in seconds.
          minimum: 1
          type: integer
      required:
        - cloudFile
    Security_Endpoint_Management_API_Command:
      description: The command for the response action
      enum:
        - isolate
        - unisolate
        - kill-process
        - suspend-process
        - running-processes
        - get-file
        - execute
        - upload
        - scan
        - runscript
        - cancel
        - memory-dump
      minLength: 1
      type: string
    Security_Endpoint_Management_API_Commands:
      description: A list of response action command names.
      example:
        - isolate
        - unisolate
      items:
        $ref: '#/components/schemas/Security_Endpoint_Management_API_Command'
      maxItems: 50
      type: array
    Security_Endpoint_Management_API_Comment:
      description: Optional comment
      example: This is a comment
      type: string
    Security_Endpoint_Management_API_CreateScriptRouteRequestBody:
      type: object
      properties:
        description:
          description: Description of the script and its purpose/functionality
          type: string
        example:
          description: Example usage of the script
          type: string
        file:
          description: The script file upload
          format: binary
          type: object
        fileType:
          $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointScriptFileType'
        instructions:
          description: Instructions for using the script, including details around its supported input arguments
          type: string
        name:
          description: Name of the script
          type: string
        pathToExecutable:
          $ref: '#/components/schemas/Security_Endpoint_Management_API_ArchivePathToExecutableSchema'
        platform:
          description: Platforms supported by the script
          items:
            $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointScriptPlatform'
          type: array
        requiresInput:
          description: Whether the script requires input arguments
          type: boolean
        tags:
          description: Tags to categorize the script
          items:
            $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointScriptTags'
          type: array
      required:
        - name
        - platform
        - file
        - fileType
    Security_Endpoint_Management_API_DownloadUri:
      type: object
      properties:
        downloadUri:
          description: |
            The server relative URI to download the file associated with the output of the response action.
            The URI does **not** include the space prefix.
          example: /api/endpoint/action/497f6eca-6276/file/35645-6276-4993/download
          format: uri-reference
          type: string
    Security_Endpoint_Management_API_EndDate:
      description: An end date in ISO format or Date Math format.
      example: '2023-10-31T23:59:59.999Z'
      type: string
    Security_Endpoint_Management_API_EndpointIds:
      description: List of endpoint IDs (cannot contain empty strings). Max of 250.
      example:
        - endpoint-id-1
        - endpoint-id-2
      items:
        minLength: 1
        type: string
      maxItems: 250
      minItems: 1
      type: array
    Security_Endpoint_Management_API_EndpointMetadataResponse:
      example:
        host_status: healthy
        last_checkin: '2023-07-04T15:48:57.360Z'
        metadata:
          '@timestamp': '2023-07-04T15:48:57.3609346Z'
          agent:
            build:
              original: 'version: 7.16.0, compiled: Tue Nov 16 17:00:00 2021, branch: 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab'
            id: abb8a826-6812-448c-a571-6d8269b51449
            type: endpoint
            version: 7.16.0
          data_stream:
            dataset: endpoint.metadata
            namespace: default
            type: metrics
          ecs:
            version: 1.11.0
          elastic:
            agent:
              id: abb8a826-6812-448c-a571-6d8269b51449
          Endpoint:
            capabilities:
              - isolation
            configuration:
              isolation: false
            policy:
              applied:
                endpoint_policy_version: '2'
                id: d5371dcd-93b7-4627-af88-4084f7d6aa3e
                name: test
                status: success
                version: '3'
            state:
              isolation: false
            status: enrolled
          event:
            action: endpoint_metadata
            agent_id_status: verified
            category:
              - host
            created: '2023-07-04T15:48:57.3609346Z'
            dataset: endpoint.metadata
            id: MNtRc++KoKHXXwlj+++++OhZ
            ingested: '2023-07-04T15:48:58Z'
            kind: metric
            module: endpoint
            sequence: 43757
            type:
              - info
          host:
            architecture: x86_64
            hostname: WinDev2104Eval
            id: 17d9cabc-7edd-43bc-bacb-8da5f5e6c0e5
            ip:
              - 10.0.2.15
              - fe80::21a6:63d3:d70e:e3ad
              - 127.0.0.1
              - '::1'
            mac:
              - 08:00:27:b1:1d:5a
            name: WinDev2104Eval
            os:
              Ext:
                variant: Windows 10 Enterprise Evaluation
              family: windows
              full: Windows 10 Enterprise Evaluation 20H2 (10.0.19042.906)
              kernel: 20H2 (10.0.19042.906)
              name: Windows
              platform: windows
              type: windows
              version: 20H2 (10.0.19042.906)
          message: Endpoint metadata
          policy_info:
            agent:
              applied:
                id: ed7e3720-4bad-11ec-a2a8-fb22e62a5753
                revision: 3
              configured:
                id: ed7e3720-4bad-11ec-a2a8-fb22e62a5753
                revision: 3
            endpoint:
              id: d5371dcd-93b7-4627-af88-4084f7d6aa3e
              revision: 2
      type: object
      properties: {}
    Security_Endpoint_Management_API_EndpointRunScriptParameters:
      description: Parameters for Run Script response action against Elastic Defend agent type.
      example:
        agent_type: endpoint
        endpoint_ids:
          - endpoint-id-1
        parameters:
          scriptId: 1111-2222-3333-4444-5555-6666-7777-8888
          scriptInput: '--some-parameter some-value'
      properties:
        scriptId:
          description: The script ID from the scripts library that will be executed.
          minLength: 1
          type: string
        scriptInput:
          description: The input parameter arguments (if any) for the script that will be executed.
          minLength: 1
          type: string
      required:
        - scriptId
      title: Elastic Defend Run Script Parameters
      type: object
    Security_Endpoint_Management_API_EndpointScript:
      type: object
      properties:
        createdAt:
          format: date-time
          type: string
        createdBy:
          example: elastic
          type: string
        description:
          description: Description of the script and its purpose/functionality
          example: Collects host data for investigation
          type: string
        downloadUri:
          description: URI to download the script file. This is a relative path and does not include the space prefix (if applicable).
          example: /api/endpoint/scripts_library/123e4567-e89b-12d3-a456-426655440000/download
          type: string
        example:
          type: string
        fileHash:
          description: SHA256 hash of the script file that was uploaded
          example: abf573681eb54aac5e05e35bf186d4d31abe45ecf242461490523f11d2a8fbb8
          type: string
        fileName:
          description: Name of the script file that was uploaded
          example: collect_host_data.sh
          type: string
        fileSize:
          description: Size of the script file that was uploaded in bytes
          example: 12345
          type: integer
        id:
          example: 123e4567-e89b-12d3-a456-426655440000
          format: uuid
          type: string
        instructions:
          description: Instructions for using the script, including details around its supported input arguments
          type: string
        name:
          example: Collect host data
          type: string
        pathToExecutable:
          description: |
            The relative path to the file included in the archive that should be executed once its contents are extracted. Applicable only for scripts uploaded as an archive (.zip file for example).
          type: string
        platform:
          items:
            $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointScriptPlatform'
          type: array
        requiresInput:
          type: boolean
        tags:
          description: Tags that categorize the script
          items:
            $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointScriptTags'
          type: array
        updatedAt:
          format: date-time
          type: string
        updatedBy:
          example: admin
          type: string
        version:
          type: string
    Security_Endpoint_Management_API_EndpointScriptFileType:
      description: The type of the uploaded file, which determines the expected value of `pathToExecutable`. If `fileType` is "script", then `pathToExecutable` should not be included. If `fileType` is "archive", then `pathToExecutable` is required and should specify the path to the executable file within the archive.
      enum:
        - script
        - archive
      type: string
    Security_Endpoint_Management_API_EndpointScriptPlatform:
      enum:
        - linux
        - macos
        - windows
      type: string
    Security_Endpoint_Management_API_EndpointScriptTags:
      enum:
        - remediationAction
        - dataCollection
        - networkDiagnostics
        - networkAction
        - systemInventory
        - forensicCollection
        - threatHunting
        - discovery
        - systemManagement
        - userManagement
        - troubleshooting
      type: string
    Security_Endpoint_Management_API_Execute:
      allOf:
        - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails'
        - type: object
          properties:
            outputs:
              additionalProperties:
                type: object
                properties:
                  content:
                    allOf:
                      - $ref: '#/components/schemas/Security_Endpoint_Management_API_DownloadUri'
                      - type: object
                        properties:
                          code:
                            type: string
                          cwd:
                            type: string
                          output_file_id:
                            type: string
                          output_file_stderr_truncated:
                            type: boolean
                          output_file_stdout_truncated:
                            type: boolean
                          shell_code:
                            type: number
                          stderr:
                            type: string
                          stderr_truncated:
                            type: boolean
                          stdout:
                            type: string
                          stdout_truncated:
                            type: boolean
              type: object
            parameters:
              type: object
              properties:
                command:
                  type: string
                timeout:
                  type: number
    Security_Endpoint_Management_API_ExecuteRouteRequestBody:
      allOf:
        - type: object
          properties:
            agent_type:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
            alert_ids:
              description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50.
              example:
                - alert-id-1
                - alert-id-2
              items:
                minLength: 1
                type: string
              maxItems: 50
              minItems: 1
              type: array
            case_ids:
              description: The IDs of cases where the action taken will be logged. Max of 50.
              example:
                - case-id-1
                - case-id-2
              items:
                minLength: 1
                type: string
              maxItems: 50
              minItems: 1
              type: array
            comment:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
            endpoint_ids:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
            parameters:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
          required:
            - endpoint_ids
        - type: object
          properties:
            parameters:
              type: object
              properties:
                command:
                  description: The shell command to execute on the endpoint.
                  minLength: 1
                  type: string
                timeout:
                  description: The maximum timeout value in seconds before the command is terminated.
                  minimum: 1
                  type: integer
              required:
                - command
          required:
            - parameters
    Security_Endpoint_Management_API_GetEndpointActionListResponse:
      example:
        data:
          - agents:
              - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
            agentType: endpoint
            command: running-processes
            completedAt: '2022-08-08T09:50:47.672Z'
            createdBy: elastic
            id: b3d6de74-36b0-4fa8-be46-c375bf1771bf
            isCompleted: true
            isExpired: false
            startedAt: '2022-08-08T15:24:57.402Z'
            wasSuccessful: true
          - agents:
              - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
            agentType: endpoint
            command: isolate
            completedAt: '2022-08-08T10:41:57.352Z'
            createdBy: elastic
            id: 43b4098b-8752-4fbb-a7a7-6df7c74d0ee3
            isCompleted: true
            isExpired: false
            startedAt: '2022-08-08T15:23:37.359Z'
            wasSuccessful: true
          - agents:
              - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
            agentType: endpoint
            command: kill-process
            comment: bad process - taking up too much cpu
            completedAt: '2022-08-08T09:44:50.952Z'
            createdBy: elastic
            id: 5bc92c86-b8e6-42dd-837f-12ad29e09caa
            isCompleted: true
            isExpired: false
            startedAt: '2022-08-08T14:38:44.125Z'
            wasSuccessful: true
          - agents:
              - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
            agentType: endpoint
            command: unisolate
            comment: Not a threat to the network
            completedAt: '2022-08-08T09:40:47.398Z'
            createdBy: elastic
            id: 790d54e0-3aa3-4e5b-8255-3ce9d851246a
            isCompleted: true
            isExpired: false
            startedAt: '2022-08-08T14:38:15.391Z'
            wasSuccessful: true
        elasticAgentIds:
          - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
        endDate: now
        page: 1
        pageSize: 10
        startDate: now-24h/h
        total: 4
      type: object
      properties:
        agentTypes:
          description: The list of agent types the query was filtered by.
          items:
            type: string
          type: array
        commands:
          description: The list of commands the query was filtered by.
          items:
            type: string
          type: array
        data:
          description: The list of response actions.
          items:
            $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails'
          type: array
        elasticAgentIds:
          description: The list of Elastic Agent IDs the query was filtered by.
          items:
            type: string
          type: array
        endDate:
          description: The end date filter applied to the query.
          type: string
        page:
          description: The current page number.
          type: integer
        pageSize:
          description: The number of items per page.
          type: integer
        startDate:
          description: The start date filter applied to the query.
          type: string
        statuses:
          description: The list of statuses the query was filtered by.
          items:
            type: string
          type: array
        total:
          description: The total number of response actions matching the query.
          type: integer
        userIds:
          description: The list of user IDs the query was filtered by.
          items:
            type: string
          type: array
    Security_Endpoint_Management_API_GetFile:
      allOf:
        - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails'
        - type: object
          properties:
            outputs:
              additionalProperties:
                type: object
                properties:
                  content:
                    allOf:
                      - $ref: '#/components/schemas/Security_Endpoint_Management_API_DownloadUri'
                      - type: object
                        properties:
                          code:
                            type: string
                          contents:
                            items:
                              type: object
                              properties:
                                file_name:
                                  type: string
                                path:
                                  type: string
                                sha256:
                                  type: string
                                size:
                                  type: number
                                type:
                                  type: string
                            type: array
                          zip_size:
                            type: number
              type: object
            parameters:
              type: object
              properties:
                path:
                  type: string
    Security_Endpoint_Management_API_GetFileRouteRequestBody:
      allOf:
        - type: object
          properties:
            agent_type:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
            alert_ids:
              description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50.
              example:
                - alert-id-1
                - alert-id-2
              items:
                minLength: 1
                type: string
              maxItems: 50
              minItems: 1
              type: array
            case_ids:
              description: The IDs of cases where the action taken will be logged. Max of 50.
              example:
                - case-id-1
                - case-id-2
              items:
                minLength: 1
                type: string
              maxItems: 50
              minItems: 1
              type: array
            comment:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
            endpoint_ids:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
            parameters:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
          required:
            - endpoint_ids
        - type: object
          properties:
            parameters:
              type: object
              properties:
                path:
                  description: The full file path to retrieve from the endpoint.
                  type: string
              required:
                - path
          required:
            - parameters
    Security_Endpoint_Management_API_GetProcessesRouteRequestBody:
      type: object
      properties:
        agent_type:
          $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
        alert_ids:
          description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50.
          example:
            - alert-id-1
            - alert-id-2
          items:
            minLength: 1
            type: string
          maxItems: 50
          minItems: 1
          type: array
        case_ids:
          description: The IDs of cases where the action taken will be logged. Max of 50.
          example:
            - case-id-1
            - case-id-2
          items:
            minLength: 1
            type: string
          maxItems: 50
          minItems: 1
          type: array
        comment:
          $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
        endpoint_ids:
          $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
        parameters:
          $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
      required:
        - endpoint_ids
    Security_Endpoint_Management_API_HostPathScriptParameters:
      type: object
      properties:
        commandLine:
          description: Command line arguments.
          minLength: 1
          type: string
        hostPath:
          description: Absolute or relative path of script on host machine.
          minLength: 1
          type: string
        timeout:
          description: Timeout in seconds.
          minimum: 1
          type: integer
      required:
        - hostPath
    Security_Endpoint_Management_API_HostStatuses:
      description: A set of agent health statuses to filter by.
      example:
        - healthy
        - updating
      items:
        enum:
          - healthy
          - offline
          - updating
          - inactive
          - unenrolled
        type: string
      maxItems: 20
      type: array
    Security_Endpoint_Management_API_Isolate:
      allOf:
        - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails'
        - description: Details of an isolate action response.
          type: object
    Security_Endpoint_Management_API_IsolateRouteResponse:
      type: object
      properties:
        action:
          description: The action ID (legacy field, same as `data.id`).
          type: string
        data:
          $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails'
    Security_Endpoint_Management_API_KillProcess:
      allOf:
        - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails'
        - type: object
          properties:
            outputs:
              additionalProperties:
                type: object
                properties:
                  content:
                    oneOf:
                      - type: object
                        properties:
                          code:
                            type: string
                          command:
                            type: string
                          pid:
                            type: number
                      - type: object
                        properties:
                          code:
                            type: string
                          command:
                            type: string
                          entity_id:
                            type: string
                      - type: object
                        properties:
                          code:
                            type: string
                          command:
                            type: string
                          process_name:
                            type: string
              type: object
            parameters:
              oneOf:
                - type: object
                  properties:
                    pid:
                      description: The process ID (PID) of the process to terminate.
                      minimum: 1
                      type: number
                - type: object
                  properties:
                    entity_id:
                      description: The entity ID of the process to terminate.
                      minLength: 1
                      type: string
                - type: object
                  properties:
                    process_name:
                      description: The name of the process to terminate. Valid for SentinelOne agent type only.
                      type: string
    Security_Endpoint_Management_API_KillProcessRouteRequestBody:
      allOf:
        - type: object
          properties:
            agent_type:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
            alert_ids:
              description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50.
              example:
                - alert-id-1
                - alert-id-2
              items:
                minLength: 1
                type: string
              maxItems: 50
              minItems: 1
              type: array
            case_ids:
              description: The IDs of cases where the action taken will be logged. Max of 50.
              example:
                - case-id-1
                - case-id-2
              items:
                minLength: 1
                type: string
              maxItems: 50
              minItems: 1
              type: array
            comment:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
            endpoint_ids:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
            parameters:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
          required:
            - endpoint_ids
        - type: object
          properties:
            parameters:
              oneOf:
                - type: object
                  properties:
                    pid:
                      description: The process ID (PID) of the process to terminate.
                      example: 123
                      minimum: 1
                      type: integer
                - type: object
                  properties:
                    entity_id:
                      description: The entity ID of the process to terminate.
                      example: abc123
                      minLength: 1
                      type: string
                - type: object
                  properties:
                    process_name:
                      description: The name of the process to terminate. Valid for SentinelOne agent type only.
                      example: Elastic
                      minLength: 1
                      type: string
          required:
            - parameters
    Security_Endpoint_Management_API_Kuery:
      description: A KQL string.
      example: 'united.endpoint.host.os.name : ''Windows'''
      type: string
    Security_Endpoint_Management_API_MDERunScriptParameters:
      description: Parameters for Run Script response action against Microsoft Defender Endpoint agent type.
      example:
        agent_type: microsoft_defender_endpoint
        endpoint_ids:
          - endpoint-id-1
        parameters:
          args: '-param1 value1 -param2 value2'
          scriptName: my-script.ps1
      properties:
        args:
          description: Optional command line arguments for the script.
          minLength: 1
          type: string
        scriptName:
          description: The name of the script to execute from the cloud storage.
          minLength: 1
          type: string
      required:
        - scriptName
      title: Microsoft Defender Endpoint Run Script Parameters
      type: object
    Security_Endpoint_Management_API_MemoryDump:
      allOf:
        - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails'
        - type: object
          properties:
            outputs:
              additionalProperties:
                type: object
                properties:
                  content:
                    properties:
                      code:
                        type: string
                      disk_free_space:
                        description: The free space on the host machine in bytes after the memory dump is written to disk
                        type: number
                      file_size:
                        description: The size of the memory dump compressed file in bytes
                        type: string
                      path:
                        description: The path to the memory dump compressed file on the host machine
                        type: string
                    title: Memory dump output
                    type: object
              type: object
            parameters:
              oneOf:
                - properties:
                    type:
                      description: Kernel-level memory dump
                      enum:
                        - kernel
                      type: string
                  required:
                    - type
                  title: Kernel memory dump
                  type: object
                - properties:
                    pid:
                      description: The process ID (PID)
                      type: number
                    type:
                      description: Process-level memory dump using a process ID
                      enum:
                        - process
                      type: string
                  required:
                    - type
                    - pid
                  title: Process memory dump with PID
                  type: object
                - properties:
                    entity_id:
                      description: The process entity ID
                      type: string
                    type:
                      description: Process-level memory dump using an entity ID
                      enum:
                        - process
                      type: string
                  required:
                    - type
                    - entity_id
                  title: Process memory dump with entity ID
                  type: object
          required:
            - parameters
    Security_Endpoint_Management_API_MemoryDumpRouteRequestBody:
      allOf:
        - type: object
          properties:
            agent_type:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
            alert_ids:
              description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50.
              example:
                - alert-id-1
                - alert-id-2
              items:
                minLength: 1
                type: string
              maxItems: 50
              minItems: 1
              type: array
            case_ids:
              description: The IDs of cases where the action taken will be logged. Max of 50.
              example:
                - case-id-1
                - case-id-2
              items:
                minLength: 1
                type: string
              maxItems: 50
              minItems: 1
              type: array
            comment:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
            endpoint_ids:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
            parameters:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
          required:
            - endpoint_ids
        - type: object
          properties:
            parameters:
              oneOf:
                - description: Dump the entire kernel memory.
                  type: object
                  properties:
                    type:
                      enum:
                        - kernel
                      type: string
                  required:
                    - type
                - description: Dump the entire memory of a process using the PID.
                  type: object
                  properties:
                    pid:
                      type: number
                    type:
                      enum:
                        - process
                      type: string
                  required:
                    - type
                    - pid
                - description: Dump the entire memory of a process using the entity ID.
                  type: object
                  properties:
                    entity_id:
                      type: string
                    type:
                      enum:
                        - process
                      type: string
                  required:
                    - type
                    - entity_id
          required:
            - parameters
    Security_Endpoint_Management_API_MetadataListResponse:
      example:
        data:
          - host_status: healthy
            last_checkin: '2023-07-04T15:47:57.432Z'
            metadata:
              '@timestamp': '2023-07-04T15:47:57.432173535Z'
              agent:
                build:
                  original: 'version: 7.16.0, compiled: Tue Nov 16 16:00:00 2021, branch: 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab'
                id: 285297c6-3bff-4b83-9a07-f3e749801123
                type: endpoint
                version: 7.16.0
              data_stream:
                dataset: endpoint.metadata
                namespace: default
                type: metrics
              ecs:
                version: 1.11.0
              elastic:
                agent:
                  id: 285297c6-3bff-4b83-9a07-f3e749801123
              Endpoint:
                capabilities:
                  - isolation
                configuration:
                  isolation: false
                policy:
                  applied:
                    endpoint_policy_version: '2'
                    id: d5371dcd-93b7-4627-af88-4084f7d6aa3e
                    name: test
                    status: success
                    version: '3'
                state:
                  isolation: false
                status: enrolled
              event:
                action: endpoint_metadata
                agent_id_status: verified
                category:
                  - host
                created: '2023-07-04T15:47:57.432173535Z'
                dataset: endpoint.metadata
                id: MNtSXK/SkhEBnmgt++++++7S
                ingested: '2023-07-04T15:47:58Z'
                kind: metric
                module: endpoint
                sequence: 400
                type:
                  - info
              host:
                architecture: x86_64
                hostname: david-Xubuntu
                id: 0cfead88e2024bd8a27476352b5ab264
                ip:
                  - 127.0.0.1
                  - '::1'
                  - 10.0.2.15
                  - fe80::2ac7:8e15:b957:2fa1
                mac:
                  - 08:00:27:e6:78:8b
                name: david-Xubuntu
                os:
                  Ext:
                    variant: Ubuntu
                  family: ubuntu
                  full: Ubuntu 20.04.2
                  kernel: '5.8.0-59-generic #66~20.04.1-Ubuntu SMP Thu Jun 17 11:14:10 UTC 2021'
                  name: Linux
                  platform: ubuntu
                  type: linux
                  version: 20.04.2
              message: Endpoint metadata
            policy_info:
              agent:
                applied:
                  id: ed7e3720-4bad-11ec-a2a8-fb22e62a5753
                  revision: 0
                configured:
                  id: ed7e3720-4bad-11ec-a2a8-fb22e62a5753
                  revision: 3
              endpoint:
                id: d5371dcd-93b7-4627-af88-4084f7d6aa3e
                revision: 2
          - host_status: healthy
            last_checkin: '2023-07-04T15:44:31.491Z'
            metadata:
              '@timestamp': '2023-07-04T15:44:31.4917849Z'
              agent:
                build:
                  original: 'version: 7.16.0, compiled: Tue Nov 16 17:00:00 2021, branch: 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab'
                id: abb8a826-6812-448c-a571-6d8269b51449
                type: endpoint
                version: 7.16.0
              data_stream:
                dataset: endpoint.metadata
                namespace: default
                type: metrics
              ecs:
                version: 1.11.0
              elastic:
                agent:
                  id: abb8a826-6812-448c-a571-6d8269b51449
              Endpoint:
                capabilities:
                  - isolation
                configuration:
                  isolation: false
                policy:
                  applied:
                    endpoint_policy_version: '2'
                    id: d5371dcd-93b7-4627-af88-4084f7d6aa3e
                    name: test
                    status: success
                    version: '3'
                state:
                  isolation: false
                status: enrolled
              event:
                action: endpoint_metadata
                agent_id_status: verified
                category:
                  - host
                created: '2023-07-04T15:44:31.4917849Z'
                dataset: endpoint.metadata
                id: MNtRc++KoKHXXwlj+++++/N9
                ingested: '2023-07-04T15:44:33Z'
                kind: metric
                module: endpoint
                sequence: 5159
                type:
                  - info
              host:
                architecture: x86_64
                hostname: WinDev2104Eval
                id: 17d9cabc-7edd-43bc-bacb-8da5f5e6c0e5
                ip:
                  - 10.0.2.15
                  - fe80::21a6:63d3:d70e:e3ad
                  - 127.0.0.1
                  - '::1'
                mac:
                  - 08:00:27:b1:1d:5a
                name: WinDev2104Eval
                os:
                  Ext:
                    variant: Windows 10 Enterprise Evaluation
                  family: windows
                  full: Windows 10 Enterprise Evaluation 20H2 (10.0.19042.906)
                  kernel: 20H2 (10.0.19042.906)
                  name: Windows
                  platform: windows
                  type: windows
                  version: 20H2 (10.0.19042.906)
              message: Endpoint metadata
            policy_info:
              agent:
                applied:
                  id: ed7e3720-4bad-11ec-a2a8-fb22e62a5753
                  revision: 0
                configured:
                  id: ed7e3720-4bad-11ec-a2a8-fb22e62a5753
                  revision: 3
              endpoint:
                id: d5371dcd-93b7-4627-af88-4084f7d6aa3e
                revision: 2
        page: 0
        pageSize: 10
        sortDirection: desc
        sortField: enrolled_at
        total: 2
      type: object
      properties: {}
    Security_Endpoint_Management_API_Page:
      default: 1
      description: Page number
      example: 1
      minimum: 1
      type: integer
    Security_Endpoint_Management_API_PageSize:
      default: 10
      description: Number of items per page
      example: 10
      maximum: 100
      minimum: 1
      type: integer
    Security_Endpoint_Management_API_Parameters:
      description: Parameters object
      type: object
    Security_Endpoint_Management_API_PatchUpdateScriptRouteRequestBody:
      description: The script entry properties to be updated. At least one property must be provided.
      minProperties: 1
      type: object
      properties:
        description:
          description: Description of the script and its purpose/functionality
          type: string
        example:
          description: Example usage of the script
          type: string
        file:
          description: The script file upload
          format: binary
          type: object
        fileType:
          $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointScriptFileType'
        instructions:
          description: Instructions for using the script, including details around its supported input arguments
          type: string
        name:
          description: Name of the script
          type: string
        pathToExecutable:
          $ref: '#/components/schemas/Security_Endpoint_Management_API_ArchivePathToExecutableSchema'
        platform:
          description: Platforms supported by the script
          items:
            $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointScriptPlatform'
          type: array
        requiresInput:
          description: Whether the script requires input arguments
          type: boolean
        tags:
          description: Tags to categorize the script
          items:
            $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointScriptTags'
          type: array
    Security_Endpoint_Management_API_PendingActionDataType:
      description: Number of pending actions of this type.
      type: integer
    Security_Endpoint_Management_API_PendingActionsSchema:
      oneOf:
        - type: object
          properties:
            execute:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType'
              description: Number of pending execute actions.
            get-file:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType'
              description: Number of pending get-file actions.
            isolate:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType'
              description: Number of pending isolate actions.
            kill-process:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType'
              description: Number of pending kill-process actions.
            running-processes:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType'
              description: Number of pending running-processes (get processes) actions.
            scan:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType'
              description: Number of pending scan actions.
            suspend-process:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType'
              description: Number of pending suspend-process actions.
            unisolate:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType'
              description: Number of pending unisolate (release) actions.
            upload:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType'
              description: Number of pending upload actions.
        - additionalProperties: true
          type: object
    Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse:
      type: object
      properties:
        note:
          description: A note associated with the protection updates for the given package policy.
          type: string
    Security_Endpoint_Management_API_RawScriptParameters:
      type: object
      properties:
        commandLine:
          description: Command line arguments.
          minLength: 1
          type: string
        raw:
          description: Raw script content.
          minLength: 1
          type: string
        timeout:
          description: Timeout in seconds.
          minimum: 1
          type: integer
      required:
        - raw
    Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse:
      example:
        data:
          agents:
            - ed518850-681a-4d60-bb98-e22640cae2a8
          agentState:
            ed518850-681a-4d60-bb98-e22640cae2a8:
              isCompleted: false
              wasSuccessful: false
          agentType: __agent__type__here_
          command: __command__name__here__
          createdBy: elastic
          hosts:
            ed518850-681a-4d60-bb98-e22640cae2a8:
              name: gke-node-1235412
          id: 233db9ea-6733-4849-9226-5a7039c7161d
          isCompleted: false
          isExpired: false
          outputs: {}
          parameters: {}
          startedAt: '2022-07-29T19:08:49.126Z'
          status: pending
          wasSuccessful: false
      type: object
      properties:
        data:
          $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails'
    Security_Endpoint_Management_API_ResponseActionDetails:
      type: object
      properties:
        agents:
          description: The agent IDs for the hosts that the response action was sent to
          items:
            format: uuid
            type: string
          type: array
        agentState:
          additionalProperties:
            format: uuid
            type: object
            properties:
              completedAt:
                description: The date and time the response action was completed for the agent ID
                type: string
              isCompleted:
                description: Whether the response action is completed for the agent ID
                type: boolean
              wasSuccessful:
                description: Whether the response action was successful for the agent ID
                type: boolean
          description: The state of the response action for each agent ID that it was sent to
          type: object
        agentType:
          $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
        command:
          $ref: '#/components/schemas/Security_Endpoint_Management_API_Command'
        completedAt:
          description: The response action completion time
          format: date-time
          type: string
        createdBy:
          description: The user who created the response action
          type: string
        hosts:
          additionalProperties:
            format: uuid
            type: object
            properties:
              name:
                description: The host name
                type: string
          description: An object containing the host names associated with the agent IDs the response action was sent to
          type: object
        id:
          description: The response action ID
          format: uuid
          type: string
        isComplete:
          description: Whether the response action is complete
          type: boolean
        isExpired:
          description: Whether the response action is expired
          type: boolean
        outputs:
          additionalProperties:
            description: The agent id
            format: uuid
            properties:
              content:
                description: The response action output content for the agent ID. Exact format depends on the response action command.
                oneOf:
                  - type: object
                  - type: string
              type:
                enum:
                  - json
                  - text
                type: string
            required:
              - type
              - content
            title: Agent ID
            type: object
          description: |
            The outputs of the response action for each agent ID that it was sent to. Content differs depending on the
            response action command and is only present for agents that have responded to the response action.
          type: object
        parameters:
          description: The parameters of the response action. Content differs depending on the response action command.
          type: object
        startedAt:
          description: The response action start time
          format: date-time
          type: string
        status:
          description: The response action status
          type: string
        wasSuccessful:
          description: Whether the response action was successful
          type: boolean
      required:
        - command
    Security_Endpoint_Management_API_RunningProcesses:
      allOf:
        - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails'
        - type: object
          properties:
            outputs:
              additionalProperties:
                type: object
                properties:
                  content:
                    oneOf:
                      - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunningProcessesOutputEndpoint'
                      - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunningProcessesOutputSentinelOne'
              type: object
    Security_Endpoint_Management_API_RunningProcessesOutputEndpoint:
      description: Processes output for `agentType` of `endpoint`
      type: object
      properties:
        code:
          type: string
        entries:
          items:
            type: object
            properties:
              command:
                type: string
              entity_id:
                type: string
              pid:
                type: number
              user:
                type: string
          type: array
    Security_Endpoint_Management_API_RunningProcessesOutputSentinelOne:
      allOf:
        - $ref: '#/components/schemas/Security_Endpoint_Management_API_DownloadUri'
        - description: Processes output for `agentType` of `sentinel_one`
          type: object
          properties:
            code:
              type: string
    Security_Endpoint_Management_API_Runscript:
      allOf:
        - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails'
        - type: object
          properties:
            outputs:
              additionalProperties:
                type: object
                properties:
                  content:
                    allOf:
                      - $ref: '#/components/schemas/Security_Endpoint_Management_API_DownloadUri'
                      - type: object
                        properties:
                          code:
                            type: string
                          stderr:
                            type: string
                          stdout:
                            type: string
              type: object
            parameters:
              oneOf:
                - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunscriptParamsCrowdStrike'
                - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunscriptParamsMicrosoft'
                - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunscriptParamsSentinelOne'
    Security_Endpoint_Management_API_RunscriptParamsCrowdStrike:
      type: object
      properties:
        cloudFile:
          type: string
        commandLine:
          type: string
        hostPath:
          type: string
        raw:
          type: string
        timeout:
          type: number
    Security_Endpoint_Management_API_RunscriptParamsMicrosoft:
      type: object
      properties:
        args:
          type: string
        scriptName:
          type: string
    Security_Endpoint_Management_API_RunscriptParamsSentinelOne:
      type: object
      properties:
        scriptId:
          type: string
        scriptInput:
          type: string
    Security_Endpoint_Management_API_RunScriptRouteRequestBody:
      allOf:
        - type: object
          properties:
            agent_type:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
            alert_ids:
              description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50.
              example:
                - alert-id-1
                - alert-id-2
              items:
                minLength: 1
                type: string
              maxItems: 50
              minItems: 1
              type: array
            case_ids:
              description: The IDs of cases where the action taken will be logged. Max of 50.
              example:
                - case-id-1
                - case-id-2
              items:
                minLength: 1
                type: string
              maxItems: 50
              minItems: 1
              type: array
            comment:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
            endpoint_ids:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
            parameters:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
          required:
            - endpoint_ids
        - type: object
          properties:
            parameters:
              description: |
                One of the following sets of parameters must be provided for the `agentType` that is specified.
              oneOf:
                - $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointRunScriptParameters'
                - $ref: '#/components/schemas/Security_Endpoint_Management_API_RawScriptParameters'
                - $ref: '#/components/schemas/Security_Endpoint_Management_API_HostPathScriptParameters'
                - $ref: '#/components/schemas/Security_Endpoint_Management_API_CloudFileScriptParameters'
                - $ref: '#/components/schemas/Security_Endpoint_Management_API_SentinelOneRunScriptParameters'
                - $ref: '#/components/schemas/Security_Endpoint_Management_API_MDERunScriptParameters'
          required:
            - parameters
    Security_Endpoint_Management_API_Scan:
      allOf:
        - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails'
        - type: object
          properties:
            outputs:
              additionalProperties:
                type: object
                properties:
                  content:
                    type: object
                    properties:
                      code:
                        type: string
              type: object
            parameters:
              type: object
              properties:
                path:
                  type: string
    Security_Endpoint_Management_API_ScanRouteRequestBody:
      allOf:
        - type: object
          properties:
            agent_type:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
            alert_ids:
              description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50.
              example:
                - alert-id-1
                - alert-id-2
              items:
                minLength: 1
                type: string
              maxItems: 50
              minItems: 1
              type: array
            case_ids:
              description: The IDs of cases where the action taken will be logged. Max of 50.
              example:
                - case-id-1
                - case-id-2
              items:
                minLength: 1
                type: string
              maxItems: 50
              minItems: 1
              type: array
            comment:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
            endpoint_ids:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
            parameters:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
          required:
            - endpoint_ids
        - type: object
          properties:
            parameters:
              type: object
              properties:
                path:
                  description: The folder or file's full path (including the file name).
                  example: /usr/my-file.txt
                  type: string
              required:
                - path
          required:
            - parameters
    Security_Endpoint_Management_API_ScriptsApiResponse:
      example:
        data:
          description: Collects host data for investigation
          downloadUri: /api/endpoint/scripts_library/123e4567-e89b-12d3-a456-426655440000/download
          example: ./collect_host_data.sh --help
          fileHash: abf573681eb54aac5e05e35bf186d4d31abe45ecf242461490523f11d2a8fbb8
          fileName: collect_host_data.sh
          fileSize: 12345
          id: 123e4567-e89b-12d3-a456-426655440000
          instructions: Collects host data for investigation
          name: Collect host data
          platform:
            - linux
            - macos
          requiresInput: false
      type: object
      properties:
        data:
          $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointScript'
    Security_Endpoint_Management_API_SentinelOneRunScriptParameters:
      description: Parameters for Run Script response action against SentinelOne agent type.
      example:
        agent_type: sentinel_one
        endpoint_ids:
          - endpoint-id-1
        parameters:
          scriptId: 1111-2222-3333-4444-5555-6666-7777-8888
          scriptInput: '--delete --paths-to-delete /tmp/temp_file.txt,/tmp/random_file.txt'
      properties:
        scriptId:
          description: The script ID from SentinelOne scripts library that will be executed.
          minLength: 1
          type: string
        scriptInput:
          description: The input parameter arguments for the script that was selected.
          minLength: 1
          type: string
      required:
        - scriptId
      title: SentinelOne Run Script Parameters
      type: object
    Security_Endpoint_Management_API_SortDirection:
      description: Determines the sort order.
      enum:
        - asc
        - desc
      example: desc
      type: string
    Security_Endpoint_Management_API_SortField:
      description: Determines which field is used to sort the results.
      enum:
        - enrolled_at
        - metadata.host.hostname
        - host_status
        - metadata.Endpoint.policy.applied.name
        - metadata.Endpoint.policy.applied.status
        - metadata.host.os.name
        - metadata.host.ip
        - metadata.agent.version
        - last_checkin
      example: enrolled_at
      type: string
    Security_Endpoint_Management_API_StartDate:
      description: A start date in ISO 8601 format or Date Math format.
      example: '2023-10-31T00:00:00.000Z'
      type: string
    Security_Endpoint_Management_API_SuccessResponse:
      description: A generic successful response.
      type: object
    Security_Endpoint_Management_API_SuspendProcess:
      allOf:
        - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails'
        - type: object
          properties:
            outputs:
              additionalProperties:
                type: object
                properties:
                  content:
                    oneOf:
                      - type: object
                        properties:
                          code:
                            type: string
                          command:
                            type: string
                          pid:
                            type: number
                      - type: object
                        properties:
                          code:
                            type: string
                          command:
                            type: string
                          entity_id:
                            type: string
              type: object
            parameters:
              oneOf:
                - type: object
                  properties:
                    pid:
                      description: The process ID (PID) of the process to suspend.
                      minimum: 1
                      type: number
                - type: object
                  properties:
                    entity_id:
                      description: The entity ID of the process to suspend.
                      minLength: 1
                      type: string
    Security_Endpoint_Management_API_SuspendProcessRouteRequestBody:
      allOf:
        - type: object
          properties:
            agent_type:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
            alert_ids:
              description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50.
              example:
                - alert-id-1
                - alert-id-2
              items:
                minLength: 1
                type: string
              maxItems: 50
              minItems: 1
              type: array
            case_ids:
              description: The IDs of cases where the action taken will be logged. Max of 50.
              example:
                - case-id-1
                - case-id-2
              items:
                minLength: 1
                type: string
              maxItems: 50
              minItems: 1
              type: array
            comment:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
            endpoint_ids:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
            parameters:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
          required:
            - endpoint_ids
        - type: object
          properties:
            parameters:
              oneOf:
                - type: object
                  properties:
                    pid:
                      description: The process ID (PID) of the process to suspend.
                      example: 123
                      minimum: 1
                      type: integer
                - type: object
                  properties:
                    entity_id:
                      description: The entity ID of the process to suspend.
                      example: abc123
                      minLength: 1
                      type: string
          required:
            - parameters
    Security_Endpoint_Management_API_Type:
      description: Type of response action
      enum:
        - automated
        - manual
      type: string
    Security_Endpoint_Management_API_Types:
      description: List of types of response actions
      example:
        - automated
        - manual
      items:
        $ref: '#/components/schemas/Security_Endpoint_Management_API_Type'
      maxItems: 2
      minItems: 1
      type: array
    Security_Endpoint_Management_API_Unisolate:
      allOf:
        - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails'
        - description: Details of an unisolate action response.
          type: object
    Security_Endpoint_Management_API_UnisolateRouteResponse:
      type: object
      properties:
        action:
          description: The action ID (legacy field, same as `data.id`).
          type: string
        data:
          $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails'
    Security_Endpoint_Management_API_Upload:
      allOf:
        - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails'
        - type: object
          properties:
            outputs:
              additionalProperties:
                type: object
                properties:
                  content:
                    type: object
                    properties:
                      code:
                        type: string
                      disk_free_space:
                        type: number
                      path:
                        type: string
              type: object
            parameters:
              description: |
                The parameters for upload returned on the details are derived via the API from the file that
                was uploaded at the time that the response action was submitted
              type: object
              properties:
                file_id:
                  type: string
                file_name:
                  type: string
                file_sha256:
                  type: string
                file_size:
                  type: number
    Security_Endpoint_Management_API_UploadRouteRequestBody:
      allOf:
        - type: object
          properties:
            agent_type:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
            alert_ids:
              description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50.
              example:
                - alert-id-1
                - alert-id-2
              items:
                minLength: 1
                type: string
              maxItems: 50
              minItems: 1
              type: array
            case_ids:
              description: The IDs of cases where the action taken will be logged. Max of 50.
              example:
                - case-id-1
                - case-id-2
              items:
                minLength: 1
                type: string
              maxItems: 50
              minItems: 1
              type: array
            comment:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
            endpoint_ids:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
            parameters:
              $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
          required:
            - endpoint_ids
        - type: object
          properties:
            file:
              description: The binary content of the file.
              example: RWxhc3RpYw==
              format: binary
              type: string
            parameters:
              type: object
              properties:
                overwrite:
                  default: false
                  description: Overwrite the file on the host if it already exists.
                  example: false
                  type: boolean
          required:
            - parameters
            - file
    Security_Endpoint_Management_API_UserIds:
      description: A list of user IDs. Max of 50.
      example:
        - user-id-1
        - user-id-2
      oneOf:
        - items:
            minLength: 1
            type: string
          maxItems: 50
          minItems: 1
          type: array
        - minLength: 1
          type: string
    Security_Endpoint_Management_API_WithOutputs:
      description: A list of action IDs that should include the complete output of the action. Max of 50.
      example:
        - action-id-1
        - action-id-2
      oneOf:
        - items:
            minLength: 1
            type: string
          maxItems: 50
          minItems: 1
          type: array
        - minLength: 1
          type: string
    Security_Entity_Analytics_API_Asset:
      additionalProperties: false
      description: Asset metadata associated with the entity.
      type: object
      properties:
        business_unit:
          description: Business unit the asset belongs to.
          type: string
        criticality:
          $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel'
          description: The criticality level assigned to this asset.
          nullable: true
        environment:
          description: Deployment environment (for example, production, staging).
          type: string
        id:
          description: Unique identifier for the asset.
          type: string
        model:
          description: Model name or number.
          type: string
        name:
          description: Human-readable asset name.
          type: string
        owner:
          description: The owner of the asset.
          type: string
        serial_number:
          description: Serial number of the asset.
          type: string
        vendor:
          description: Vendor or manufacturer.
          type: string
    Security_Entity_Analytics_API_AssetCriticalityBulkUploadErrorItem:
      type: object
      properties:
        index:
          type: integer
        message:
          type: string
      required:
        - message
        - index
    Security_Entity_Analytics_API_AssetCriticalityBulkUploadStats:
      type: object
      properties:
        failed:
          type: integer
        successful:
          type: integer
        total:
          type: integer
      required:
        - successful
        - failed
        - total
    Security_Entity_Analytics_API_AssetCriticalityLevel:
      description: The criticality level of the asset.
      enum:
        - low_impact
        - medium_impact
        - high_impact
        - extreme_impact
      type: string
    Security_Entity_Analytics_API_AssetCriticalityLevelsForBulkUpload:
      description: The criticality level of the asset for bulk upload. The value `unassigned` is used to indicate that the criticality level is not assigned and is only used for bulk upload.
      enum:
        - low_impact
        - medium_impact
        - high_impact
        - extreme_impact
        - unassigned
      type: string
    Security_Entity_Analytics_API_AssetCriticalityRecord:
      allOf:
        - $ref: '#/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord'
        - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordEcsParts'
        - type: object
          properties:
            '@timestamp':
              description: The time the record was created or updated.
              example: '2017-07-21T17:32:28Z'
              format: date-time
              type: string
          required:
            - '@timestamp'
      example:
        '@timestamp': '2024-08-02T11:15:34.290Z'
        asset:
          criticality: high_impact
        criticality_level: high_impact
        host:
          asset:
            criticality: high_impact
          name: my_host
        id_field: host.name
        id_value: my_host
    Security_Entity_Analytics_API_AssetCriticalityRecordEcsParts:
      type: object
      properties:
        asset:
          type: object
          properties:
            criticality:
              $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel'
          required:
            - asset
        entity:
          type: object
          properties:
            asset:
              type: object
              properties:
                criticality:
                  $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel'
              required:
                - criticality
            id:
              type: string
          required:
            - id
        host:
          type: object
          properties:
            asset:
              type: object
              properties:
                criticality:
                  $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel'
              required:
                - criticality
            name:
              type: string
          required:
            - name
        service:
          type: object
          properties:
            asset:
              type: object
              properties:
                criticality:
                  $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel'
              required:
                - criticality
            name:
              type: string
          required:
            - name
        user:
          type: object
          properties:
            asset:
              type: object
              properties:
                criticality:
                  $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel'
              required:
                - criticality
            name:
              type: string
          required:
            - name
      required:
        - asset
    Security_Entity_Analytics_API_AssetCriticalityRecordIdParts:
      type: object
      properties:
        id_field:
          $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField'
          description: The field representing the ID.
          example: host.name
        id_value:
          description: The ID value of the asset.
          type: string
      required:
        - id_value
        - id_field
    Security_Entity_Analytics_API_CleanUpRiskEngineErrorResponse:
      type: object
      properties:
        cleanup_successful:
          example: false
          type: boolean
        errors:
          items:
            type: object
            properties:
              error:
                type: string
              seq:
                type: integer
            required:
              - seq
              - error
          type: array
      required:
        - cleanup_successful
        - errors
    Security_Entity_Analytics_API_ConfigureRiskEngineSavedObjectErrorResponse:
      type: object
      properties:
        errors:
          items:
            type: object
            properties:
              error:
                type: string
              seq:
                type: integer
            required:
              - seq
              - error
          type: array
        risk_engine_saved_object_configured:
          example: false
          type: boolean
      required:
        - risk_engine_saved_object_configured
        - errors
    Security_Entity_Analytics_API_CreateAssetCriticalityRecord:
      allOf:
        - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordIdParts'
        - type: object
          properties:
            criticality_level:
              $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel'
          required:
            - criticality_level
    Security_Entity_Analytics_API_DateRange:
      description: Defines the lookback period for filtering source data by timestamp.
      type: object
      properties:
        end:
          description: End of the lookback period (date math or ISO string, e.g. "now")
          type: string
        start:
          description: Start of the lookback period (date math or ISO string, e.g. "now-10d")
          type: string
      required:
        - start
        - end
    Security_Entity_Analytics_API_EngineComponentResource:
      description: The type of Elasticsearch or Kibana resource backing an engine component.
      enum:
        - entity_engine
        - entity_definition
        - index
        - data_stream
        - component_template
        - index_template
        - ingest_pipeline
        - enrich_policy
        - task
        - transform
        - ilm_policy
      type: string
    Security_Entity_Analytics_API_EngineComponentStatus:
      description: Status of an individual Elasticsearch or Kibana resource backing an engine.
      type: object
      properties:
        errors:
          description: Errors reported by this component, if any.
          items:
            type: object
            properties:
              message:
                description: Detailed error message.
                type: string
              title:
                description: Short error title.
                type: string
          type: array
        health:
          description: The health status of the component.
          enum:
            - green
            - yellow
            - red
            - unavailable
            - unknown
          type: string
        id:
          description: Unique identifier for the component.
          type: string
        installed:
          description: Whether the component is currently installed.
          type: boolean
        metadata:
          $ref: '#/components/schemas/Security_Entity_Analytics_API_TransformStatsMetadata'
        resource:
          $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineComponentResource'
      required:
        - id
        - installed
        - resource
    Security_Entity_Analytics_API_EngineDataviewUpdateResult:
      description: The result of applying data view index changes to a single engine.
      type: object
      properties:
        changes:
          description: The changes applied to the engine.
          type: object
          properties:
            indexPatterns:
              description: The updated list of index patterns now used by the engine.
              items:
                type: string
              type: array
        type:
          description: The entity type of the engine that was updated.
          type: string
      required:
        - type
    Security_Entity_Analytics_API_EngineDescriptor:
      description: Describes a single entity engine, including its configuration and current status.
      type: object
      properties:
        delay:
          default: 1m
          description: The delay before the transform processes new data, allowing late-arriving documents to be included.
          example: 1m
          pattern: '[smdh]$'
          type: string
        docsPerSecond:
          description: Throttle value for the number of documents processed per second. Use -1 for no throttle.
          type: integer
        error:
          description: Present when the engine status is `error`. Describes the failure.
          type: object
          properties:
            action:
              description: The lifecycle action that caused the error.
              enum:
                - init
              type: string
            message:
              description: A human-readable error message.
              type: string
          required:
            - message
            - action
        fieldHistoryLength:
          description: The number of historical values retained per field.
          example: 10
          type: integer
        filter:
          description: An optional Kibana Query Language (KQL) filter applied to source documents before aggregation.
          example: 'host.name: "my-host"'
          type: string
        frequency:
          default: 1m
          description: How often the transform runs.
          example: 1m
          pattern: '[smdh]$'
          type: string
        indexPattern:
          $ref: '#/components/schemas/Security_Entity_Analytics_API_IndexPattern'
        lookbackPeriod:
          default: 24h
          description: How far back the transform looks when calculating aggregations.
          example: 24h
          pattern: '[smdh]$'
          type: string
        status:
          $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineStatus'
        timeout:
          default: 180s
          description: The timeout for initializing the aggregating transform.
          example: 180s
          pattern: '[smdh]$'
          type: string
        timestampField:
          description: The field used as the timestamp for source documents.
          example: '@timestamp'
          type: string
        type:
          $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType'
      required:
        - type
        - indexPattern
        - status
        - fieldHistoryLength
    Security_Entity_Analytics_API_EngineMetadata:
      additionalProperties: false
      description: Internal metadata attached to an entity by the engine that produced it.
      type: object
      properties:
        Type:
          description: The engine type that produced this entity record.
          type: string
      required:
        - Type
    Security_Entity_Analytics_API_EngineStatus:
      description: The current operational status of an entity engine.
      enum:
        - installing
        - started
        - stopped
        - updating
        - error
      type: string
    Security_Entity_Analytics_API_EntitiesContainer:
      description: A collection of entities to upsert in bulk.
      type: object
      properties:
        entities:
          description: The entities to create or update.
          items:
            $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityContainer'
          type: array
      required:
        - entities
    Security_Entity_Analytics_API_Entity:
      description: An entity record from the Entity Store. The `entity` namespace is a root-level field in the latest index, unlike source logs where it is nested under `host`, `user`, or `service`.
      oneOf:
        - $ref: '#/components/schemas/Security_Entity_Analytics_API_UserEntity'
        - $ref: '#/components/schemas/Security_Entity_Analytics_API_HostEntity'
        - $ref: '#/components/schemas/Security_Entity_Analytics_API_ServiceEntity'
        - $ref: '#/components/schemas/Security_Entity_Analytics_API_GenericEntity'
    Security_Entity_Analytics_API_EntityAnalyticsPrivileges:
      type: object
      properties:
        has_all_required:
          type: boolean
        has_read_permissions:
          type: boolean
        has_write_permissions:
          type: boolean
        privileges:
          type: object
          properties:
            elasticsearch:
              type: object
              properties:
                cluster:
                  additionalProperties:
                    type: boolean
                  type: object
                index:
                  additionalProperties:
                    additionalProperties:
                      type: boolean
                    type: object
                  type: object
            kibana:
              additionalProperties:
                type: boolean
              type: object
          required:
            - elasticsearch
      required:
        - has_all_required
        - privileges
    Security_Entity_Analytics_API_EntityContainer:
      description: A wrapper that pairs an entity type with the entity record to upsert.
      type: object
      properties:
        record:
          $ref: '#/components/schemas/Security_Entity_Analytics_API_Entity'
          description: The entity record to create or update.
        type:
          $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType'
          description: The entity type of the record.
      required:
        - type
        - record
    Security_Entity_Analytics_API_EntityField:
      additionalProperties: false
      description: Core entity fields shared across all entity types. The `entity` namespace is a root-level field in the Entity Store latest index.
      type: object
      properties:
        attributes:
          additionalProperties: false
          description: Boolean flags describing characteristics of the entity.
          type: object
          properties:
            asset:
              description: Whether the entity is classified as an asset.
              type: boolean
            managed:
              description: Whether the entity is managed (for example, via a directory service).
              type: boolean
            mfa_enabled:
              description: Whether multi-factor authentication is enabled for the entity.
              type: boolean
            privileged:
              description: Whether the entity has elevated privileges.
              type: boolean
        behaviors:
          additionalProperties: false
          description: Boolean flags indicating observed behavioral signals.
          type: object
          properties:
            brute_force_victim:
              description: Whether the entity has been targeted by brute-force attacks.
              type: boolean
            new_country_login:
              description: Whether the entity has logged in from a new country.
              type: boolean
            used_usb_device:
              description: Whether the entity has used a USB device.
              type: boolean
        EngineMetadata:
          $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineMetadata'
        id:
          description: Unique identifier for this entity.
          example: arn:aws:iam::123456789012:user/jane.doe
          type: string
        lifecycle:
          additionalProperties: false
          description: Timestamps tracking the entity lifecycle.
          type: object
          properties:
            first_seen:
              description: When the entity was first observed.
              format: date-time
              type: string
            last_activity:
              description: When the entity last generated activity.
              format: date-time
              type: string
            last_seen:
              description: When the entity was last observed.
              format: date-time
              type: string
        name:
          description: Human-readable name of the entity.
          example: jane.doe
          type: string
        relationships:
          additionalProperties: false
          description: Connections between this entity and other entities.
          type: object
          properties:
            accessed_frequently_by:
              description: Entity IDs that frequently access this entity.
              items:
                type: string
              type: array
            accesses_frequently:
              description: Entity IDs this entity accesses frequently.
              items:
                type: string
              type: array
            accesses_infrequently:
              description: Entity IDs this entity accesses infrequently.
              items:
                type: string
              type: array
            communicates_with:
              description: Entity IDs this entity communicates with.
              items:
                type: string
              type: array
            dependent_of:
              description: Entity IDs that depend on this entity.
              items:
                type: string
              type: array
            depends_on:
              description: Entity IDs this entity depends on.
              items:
                type: string
              type: array
            owned_by:
              description: Entity IDs that own this entity.
              items:
                type: string
              type: array
            owns:
              description: Entity IDs owned by this entity.
              items:
                type: string
              type: array
            supervised_by:
              description: Entity IDs that supervise this entity.
              items:
                type: string
              type: array
            supervises:
              description: Entity IDs supervised by this entity.
              items:
                type: string
              type: array
        risk:
          additionalProperties: false
          description: Risk scoring information for the entity.
          type: object
          properties:
            calculated_level:
              $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskLevels'
              description: Lexical description of the entity's risk.
              example: Critical
            calculated_score:
              description: The raw numeric value of the given entity's risk score.
              format: double
              type: number
            calculated_score_norm:
              description: The normalized numeric value of the given entity's risk score. Useful for comparing with other entities.
              format: double
              maximum: 100
              minimum: 0
              type: number
        source:
          description: The source that produced this entity record.
          type: string
        sub_type:
          description: Optional sub-type classification for the entity.
          type: string
        type:
          description: The entity type.
          example: user
          type: string
      required:
        - id
    Security_Entity_Analytics_API_EntityRiskLevels:
      enum:
        - Unknown
        - Low
        - Moderate
        - High
        - Critical
      type: string
    Security_Entity_Analytics_API_EntityRiskScoreRecord:
      type: object
      properties:
        '@timestamp':
          description: The time at which the risk score was calculated.
          example: '2017-07-21T17:32:28Z'
          format: date-time
          type: string
        calculated_level:
          $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskLevels'
          description: Lexical description of the entity's risk.
          example: Critical
        calculated_score:
          description: The raw numeric value of the given entity's risk score.
          format: double
          type: number
        calculated_score_norm:
          description: The normalized numeric value of the given entity's risk score. Useful for comparing with other entities.
          format: double
          maximum: 100
          minimum: 0
          type: number
        calculation_run_id:
          description: Unique identifier for the scoring run that produced this document.
          type: string
        category_1_count:
          description: The number of risk input documents that contributed to the Category 1 score (`category_1_score`).
          type: integer
        category_1_score:
          description: The contribution of Category 1 to the overall risk score (`calculated_score`). Category 1 contains Detection Engine Alerts.
          format: double
          type: number
        category_2_count:
          type: integer
        category_2_score:
          format: double
          type: number
        criticality_level:
          $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel'
        criticality_modifier:
          format: double
          type: number
        id_field:
          description: The identifier field defining this risk score. Coupled with `id_value`, uniquely identifies the entity being scored.
          example: host.name
          type: string
        id_value:
          description: The identifier value defining this risk score. Coupled with `id_field`, uniquely identifies the entity being scored.
          example: example.host
          type: string
        inputs:
          description: A list of the highest-risk documents contributing to this risk score. Useful for investigative purposes.
          items:
            $ref: '#/components/schemas/Security_Entity_Analytics_API_RiskScoreInput'
          type: array
        modifiers:
          description: A list of modifiers that were applied to the risk score calculation.
          items:
            type: object
            properties:
              contribution:
                format: double
                type: number
              metadata:
                additionalProperties: true
                type: object
              modifier_value:
                format: double
                type: number
              subtype:
                type: string
              type:
                type: string
            required:
              - type
              - contribution
          type: array
        notes:
          items:
            type: string
          type: array
        related_entities:
          items:
            type: object
            properties:
              entity_id:
                type: string
              relationship_type:
                type: string
          type: array
        score_type:
          description: Distinguishes base, propagated, and resolution scores.
          enum:
            - base
            - propagated
            - resolution
          type: string
      required:
        - '@timestamp'
        - id_field
        - id_value
        - calculated_level
        - calculated_score
        - calculated_score_norm
        - category_1_score
        - category_1_count
        - inputs
        - notes
    Security_Entity_Analytics_API_EntitySourceType:
      enum:
        - index
        - entity_analytics_integration
        - store
      type: string
    Security_Entity_Analytics_API_EntityType:
      description: The type of entity.
      enum:
        - user
        - host
        - service
        - generic
      type: string
    Security_Entity_Analytics_API_Filter:
      type: object
      properties:
        kuery:
          oneOf:
            - type: string
            - type: object
    Security_Entity_Analytics_API_GenericEntity:
      additionalProperties: false
      description: A generic entity record. Maps only the `entity` and `asset` namespaces. Add additional field mappings here as needed.
      type: object
      properties:
        '@timestamp':
          description: The time the entity record was last updated.
          format: date-time
          type: string
        asset:
          $ref: '#/components/schemas/Security_Entity_Analytics_API_Asset'
          additionalProperties: false
        entity:
          $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField'
      required:
        - entity
    Security_Entity_Analytics_API_HostEntity:
      additionalProperties: false
      description: An entity record representing a host, stored in the Entity Store latest index.
      type: object
      properties:
        '@timestamp':
          description: The time the entity record was last updated.
          format: date-time
          type: string
        asset:
          $ref: '#/components/schemas/Security_Entity_Analytics_API_Asset'
          additionalProperties: false
        entity:
          $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField'
        event:
          additionalProperties: false
          type: object
          properties:
            ingested:
              description: When the event was ingested into Elasticsearch.
              format: date-time
              type: string
        host:
          additionalProperties: false
          description: Elastic Common Schema (ECS) host fields collected on the entity.
          type: object
          properties:
            architecture:
              description: Observed CPU architectures.
              items:
                type: string
              type: array
            domain:
              description: Observed host domains.
              items:
                type: string
              type: array
            entity:
              $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField'
            hostname:
              description: Observed hostnames.
              items:
                type: string
              type: array
            id:
              description: Observed host IDs.
              items:
                type: string
              type: array
            ip:
              description: Observed IP addresses.
              items:
                type: string
              type: array
            mac:
              description: Observed MAC addresses.
              items:
                type: string
              type: array
            name:
              description: Primary host name.
              type: string
            os:
              additionalProperties: false
              description: Elastic Common Schema (ECS) host.os fields collected on the entity latest index.
              type: object
              properties:
                family:
                  type: string
                full:
                  type: string
                kernel:
                  type: string
                name:
                  oneOf:
                    - type: string
                    - items:
                        type: string
                      type: array
                platform:
                  type: string
                type:
                  oneOf:
                    - type: string
                    - items:
                        type: string
                      type: array
                version:
                  type: string
            risk:
              $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord'
            type:
              description: Observed host types.
              items:
                type: string
              type: array
          required:
            - name
      required:
        - entity
    Security_Entity_Analytics_API_IdField:
      enum:
        - host.name
        - user.name
        - service.name
        - entity.id
      type: string
    Security_Entity_Analytics_API_IndexPattern:
      description: An additional Elasticsearch index pattern to include as a source for entity data. Merged with the default data view indices when the engine runs.
      example: logs-*
      type: string
    Security_Entity_Analytics_API_InspectQuery:
      description: Debug information about the Elasticsearch query executed.
      type: object
      properties:
        dsl:
          description: Elasticsearch query DSL that was executed.
          items:
            type: string
          type: array
        response:
          description: Raw Elasticsearch responses.
          items:
            type: string
          type: array
      required:
        - dsl
        - response
    Security_Entity_Analytics_API_Integrations:
      type: object
      properties:
        syncData:
          description: The latest full sync and update sync data from integrations.
          type: object
          properties:
            lastFullSync:
              description: Timestamp of the last full sync from integrations
              format: date-time
              type: string
            lastUpdateProcessed:
              description: Timestamp of the last update processed from integrations
              format: date-time
              type: string
        syncMarkerIndex:
          description: Index to read latest sync markers from
          type: string
    Security_Entity_Analytics_API_Interval:
      description: Interval in which enrich policy runs. For example, `"1h"` means the rule runs every hour. Must be less than or equal to half the duration of the lookback period.
      example: 1h
      pattern: ^[1-9]\d*[smh]$
      type: string
    Security_Entity_Analytics_API_Matcher:
      type: object
      properties:
        fields:
          items:
            type: string
          type: array
        values:
          description: |
            Matcher values. Must be either an array of strings (e.g. group or role names) or an array of booleans (e.g. integration-derived flags like privileged_group_member). Mixed types are intentionally not supported for simplicity and predictability.
          oneOf:
            - items:
                type: string
              type: array
            - items:
                type: boolean
              type: array
      required:
        - fields
        - values
    Security_Entity_Analytics_API_Metadata:
      $ref: '#/components/schemas/Security_Entity_Analytics_API_TransformStatsMetadata'
    Security_Entity_Analytics_API_MonitoredUserDoc:
      allOf:
        - $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserUpdateDoc'
        - type: object
          properties:
            '@timestamp':
              format: date-time
              type: string
            event:
              type: object
              properties:
                '@timestamp':
                  format: date-time
                  type: string
                ingested:
                  format: date-time
                  type: string
            user:
              type: object
              properties:
                entity:
                  type: object
                  properties:
                    attributes:
                      type: object
                      properties:
                        Privileged:
                          description: Indicates if the user is privileged.
                          type: boolean
                is_privileged:
                  description: Indicates if the user is privileged.
                  type: boolean
                name:
                  type: string
    Security_Entity_Analytics_API_MonitoredUserUpdateDoc:
      type: object
      properties:
        entity_analytics_monitoring:
          type: object
          properties:
            labels:
              items:
                $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringLabel'
              type: array
        id:
          type: string
        labels:
          type: object
          properties:
            source_ids:
              items:
                type: string
              type: array
            source_integrations:
              items:
                type: string
              type: array
            sources:
              items:
                enum:
                  - csv
                  - index_sync
                  - api
              type: array
        user:
          type: object
          properties:
            is_privileged:
              description: Indicates if the user is privileged.
              type: boolean
            name:
              type: string
    Security_Entity_Analytics_API_MonitoringEngineDescriptor:
      type: object
      properties:
        error:
          type: object
          properties:
            message:
              description: Error message, typically present only if the engine is in the error state
              type: string
        status:
          $ref: '#/components/schemas/Security_Entity_Analytics_API_PrivilegeMonitoringEngineStatus'
      required:
        - status
    Security_Entity_Analytics_API_MonitoringEntitySource:
      allOf:
        - $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringEntitySourceProperties'
        - type: object
          properties:
            id:
              type: string
          required:
            - type
            - name
            - id
            - managed
    Security_Entity_Analytics_API_MonitoringEntitySourceProperties:
      allOf:
        - $ref: '#/components/schemas/Security_Entity_Analytics_API_UpdateableMonitoringEntitySourceProperties'
        - type: object
          properties:
            managed:
              type: boolean
    Security_Entity_Analytics_API_MonitoringLabel:
      type: object
      properties:
        field:
          type: string
        source:
          type: string
        value:
          type: string
      required:
        - field
        - value
        - source
    Security_Entity_Analytics_API_PrivilegeMonitoringEngineStatus:
      description: The status of the Privilege Monitoring Engine
      enum:
        - started
        - error
        - disabled
        - not_installed
      type: string
    Security_Entity_Analytics_API_PrivmonUserCsvUploadErrorItem:
      type: object
      properties:
        index:
          nullable: true
          type: integer
        message:
          type: string
        username:
          nullable: true
          type: string
      required:
        - message
        - index
        - username
    Security_Entity_Analytics_API_PrivmonUserCsvUploadStats:
      type: object
      properties:
        failedOperations:
          type: integer
        successfulOperations:
          type: integer
        totalOperations:
          type: integer
        uploaded:
          type: integer
      required:
        - successfulOperations
        - uploaded
        - failedOperations
        - totalOperations
    Security_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse:
      type: object
      properties:
        full_error:
          type: string
        message:
          type: string
      required:
        - message
        - full_error
    Security_Entity_Analytics_API_RiskEngineScheduleNowResponse:
      type: object
      properties:
        success:
          type: boolean
    Security_Entity_Analytics_API_RiskScoreInput:
      description: A generic representation of a document contributing to a Risk Score.
      type: object
      properties:
        category:
          description: The risk category of the risk input document.
          example: category_1
          type: string
        contribution_score:
          format: double
          type: number
        description:
          description: A human-readable description of the risk input document.
          example: 'Generated from Detection Engine Rule: Malware Prevention Alert'
          type: string
        entity_id:
          description: The EUID of the entity within the graph that generated this alert.
          type: string
        id:
          description: The unique identifier (`_id`) of the original source document
          example: 91a93376a507e86cfbf282166275b89f9dbdb1f0be6c8103c6ff2909ca8e1a1c
          type: string
        index:
          description: The unique index (`_index`) of the original source document
          example: .internal.alerts-security.alerts-default-000001
          type: string
        risk_score:
          description: The weighted risk score of the risk input document.
          format: double
          maximum: 100
          minimum: 0
          type: number
        timestamp:
          description: The @timestamp of the risk input document.
          example: '2017-07-21T17:32:28Z'
          type: string
      required:
        - id
        - index
        - description
        - category
    Security_Entity_Analytics_API_ServiceEntity:
      additionalProperties: false
      description: An entity record representing a service, stored in the Entity Store latest index.
      type: object
      properties:
        '@timestamp':
          description: The time the entity record was last updated.
          format: date-time
          type: string
        asset:
          $ref: '#/components/schemas/Security_Entity_Analytics_API_Asset'
          additionalProperties: false
        entity:
          $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField'
        event:
          additionalProperties: false
          type: object
          properties:
            ingested:
              description: When the event was ingested into Elasticsearch.
              format: date-time
              type: string
        service:
          additionalProperties: false
          description: Elastic Common Schema (ECS) service fields collected on the entity.
          type: object
          properties:
            entity:
              $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField'
            name:
              description: Primary service name.
              type: string
            risk:
              $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord'
          required:
            - name
      required:
        - entity
    Security_Entity_Analytics_API_StoreStatus:
      description: The overall operational status of the Entity Store.
      enum:
        - not_installed
        - installing
        - running
        - stopped
        - error
      type: string
    Security_Entity_Analytics_API_TaskManagerUnavailableResponse:
      description: Task manager is unavailable
      type: object
      properties:
        message:
          type: string
        status_code:
          minimum: 400
          type: integer
      required:
        - status_code
        - message
    Security_Entity_Analytics_API_TransformStatsMetadata:
      description: Statistics from the underlying Elasticsearch transform.
      type: object
      properties:
        delete_time_in_ms:
          description: Total time spent deleting documents, in milliseconds.
          type: integer
        documents_deleted:
          description: Total number of documents deleted from the destination index.
          type: integer
        documents_indexed:
          description: Total number of documents written to the destination index.
          type: integer
        documents_processed:
          description: Total number of source documents processed.
          type: integer
        exponential_avg_checkpoint_duration_ms:
          description: Exponential moving average of checkpoint duration, in milliseconds.
          type: integer
        exponential_avg_documents_indexed:
          description: Exponential moving average of documents indexed per checkpoint.
          type: integer
        exponential_avg_documents_processed:
          description: Exponential moving average of documents processed per checkpoint.
          type: integer
        index_failures:
          description: Total number of failed index operations.
          type: integer
        index_time_in_ms:
          description: Total time spent indexing documents, in milliseconds.
          type: integer
        index_total:
          description: Total number of index operations.
          type: integer
        pages_processed:
          description: Number of composite aggregation pages processed.
          type: integer
        processing_time_in_ms:
          description: Total time spent processing results, in milliseconds.
          type: integer
        processing_total:
          description: Total number of processing operations.
          type: integer
        search_failures:
          description: Total number of failed search operations.
          type: integer
        search_time_in_ms:
          description: Total time spent on search queries, in milliseconds.
          type: integer
        search_total:
          description: Total number of search operations.
          type: integer
        trigger_count:
          description: Number of times the transform has been triggered.
          type: integer
      required:
        - pages_processed
        - documents_processed
        - documents_indexed
        - trigger_count
        - index_time_in_ms
        - index_total
        - index_failures
        - search_time_in_ms
        - search_total
        - search_failures
        - processing_time_in_ms
        - processing_total
        - exponential_avg_checkpoint_duration_ms
        - exponential_avg_documents_indexed
        - exponential_avg_documents_processed
    Security_Entity_Analytics_API_UpdateableMonitoringEntitySourceProperties:
      type: object
      properties:
        enabled:
          type: boolean
        filter:
          $ref: '#/components/schemas/Security_Entity_Analytics_API_Filter'
        identifierField:
          description: Field used to query the entity store for index-type sources
          type: string
        indexPattern:
          type: string
        integrationName:
          type: string
        integrations:
          $ref: '#/components/schemas/Security_Entity_Analytics_API_Integrations'
        matchers:
          items:
            $ref: '#/components/schemas/Security_Entity_Analytics_API_Matcher'
          type: array
        name:
          type: string
        queryRule:
          description: KQL query used to filter data from the provided index patterns
          type: string
        range:
          $ref: '#/components/schemas/Security_Entity_Analytics_API_DateRange'
        type:
          $ref: '#/components/schemas/Security_Entity_Analytics_API_EntitySourceType'
    Security_Entity_Analytics_API_UserEntity:
      additionalProperties: false
      description: An entity record representing a user, stored in the Entity Store latest index.
      type: object
      properties:
        '@timestamp':
          description: The time the entity record was last updated.
          format: date-time
          type: string
        asset:
          $ref: '#/components/schemas/Security_Entity_Analytics_API_Asset'
          additionalProperties: false
        entity:
          $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField'
        event:
          additionalProperties: false
          type: object
          properties:
            ingested:
              description: When the event was ingested into Elasticsearch.
              format: date-time
              type: string
        user:
          additionalProperties: false
          description: Elastic Common Schema (ECS) user fields collected on the entity.
          type: object
          properties:
            domain:
              description: Observed user domains.
              items:
                type: string
              type: array
            email:
              description: Observed email addresses.
              items:
                type: string
              type: array
            full_name:
              description: Observed full names of the user.
              items:
                type: string
              type: array
            hash:
              description: Observed user hashes.
              items:
                type: string
              type: array
            id:
              description: Observed user IDs.
              items:
                type: string
              type: array
            name:
              description: Primary user name.
              type: string
            risk:
              $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord'
              additionalProperties: false
            roles:
              description: Observed roles assigned to the user.
              items:
                type: string
              type: array
          required:
            - name
      required:
        - entity
    Security_Entity_Analytics_API_UserName:
      type: object
      properties:
        entity_analytics_monitoring:
          description: Entity analytics monitoring configuration for the user
          type: object
          properties:
            labels:
              description: Array of labels associated with the user
              items:
                type: object
                properties:
                  field:
                    description: The field name for the label
                    type: string
                  source:
                    description: The source where this label was created (api, csv, or index_sync)
                    enum:
                      - api
                      - csv
                      - index_sync
                    type: string
                  value:
                    description: The value of the label
                    type: string
              type: array
        user:
          type: object
          properties:
            name:
              description: The name of the user.
              type: string
    Security_Entity_Analytics_API_WatchlistCsvUploadResponseItem:
      example:
        matchedEntities: 1
        status: success
      type: object
      properties:
        error:
          description: Error message if the row failed to process
          example: Invalid entity type
          type: string
        matchedEntities:
          description: Number of entities matched for this row
          example: 1
          type: integer
        status:
          enum:
            - success
            - failure
            - unmatched
          example: success
          type: string
      required:
        - status
        - matchedEntities
    Security_Entity_Analytics_API_WatchlistEntityAssignResponseItem:
      example:
        euid: user:john.doe
        status: success
      type: object
      properties:
        error:
          description: Error message if the entity failed to process
          example: Invalid entity type
          type: string
        euid:
          description: The EUID of the entity
          example: user:john.doe
          type: string
        status:
          enum:
            - success
            - failure
            - not_found
          example: success
          type: string
      required:
        - euid
        - status
    Security_Entity_Analytics_API_WatchlistEntityUnassignResponseItem:
      example:
        euid: user:john.doe
        status: success
      type: object
      properties:
        error:
          description: Error message if the entity failed to process
          example: Invalid entity type
          type: string
        euid:
          description: The EUID of the entity
          example: user:john.doe
          type: string
        status:
          enum:
            - success
            - failure
            - not_found
          example: success
          type: string
      required:
        - euid
        - status
    Security_Entity_Analytics_API_WatchlistObject:
      example:
        createdAt: '2026-01-28T12:00:00.000Z'
        description: High risk vendor watchlist
        id: watchlist-123
        managed: false
        name: High Risk Vendors
        riskModifier: 1.5
        updatedAt: '2026-02-18T12:00:00.000Z'
      type: object
      properties:
        createdAt:
          description: Timestamp indicating when the watchlist was created
          format: date-time
          type: string
        description:
          description: Description of the watchlist
          type: string
        entityCount:
          description: Number of entities in the watchlist
          type: number
        entitySourceIds:
          description: List of entity source IDs associated with the watchlist
          items:
            type: string
          type: array
        id:
          description: The unique ID of the watchlist
          type: string
        managed:
          description: Indicates if the watchlist is managed by the system
          type: boolean
        name:
          description: The name of the watchlist
          type: string
        riskModifier:
          description: Risk score modifier associated with the watchlist
          type: number
        updatedAt:
          description: Timestamp indicating when the watchlist was last updated
          format: date-time
          type: string
      required:
        - name
        - riskModifier
        - managed
    Security_Exceptions_API_BlocklistHashOrPathEntry:
      type: object
      properties:
        field:
          description: File hash or path field
          enum:
            - file.hash.md5
            - file.hash.sha1
            - file.hash.sha256
            - file.path
            - file.path.caseless
          type: string
        operator:
          description: Must be the value "included"
          enum:
            - included
          type: string
        type:
          description: Must be match_any for blocklists
          enum:
            - match_any
          type: string
        value:
          description: Array of hash values or file paths
          items:
            type: string
          minItems: 1
          type: array
      required:
        - field
        - type
        - value
        - operator
    Security_Exceptions_API_BlocklistLinuxProperties:
      description: Blocklist list item properties (Linux, code signature not supported).
      type: object
      properties:
        entries:
          description: |
            **Validation rules:**
            * Hash entries: up to 3 (one for each hash type: md5, sha1, sha256)
            * Path entry: only 1 allowed
          items:
            $ref: '#/components/schemas/Security_Exceptions_API_BlocklistHashOrPathEntry'
          minItems: 1
          type: array
        list_id:
          enum:
            - endpoint_blocklists
          example: endpoint_blocklists
          type: string
        os_types:
          description: Linux-only
          items:
            enum:
              - linux
            type: string
          maxItems: 1
          minItems: 1
          type: array
        tags:
          $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags'
      required:
        - list_id
    Security_Exceptions_API_BlocklistMacProperties:
      description: Blocklist list item properties (macOS, code signature not supported).
      type: object
      properties:
        entries:
          description: |
            **Validation rules:**
            * Hash entries: up to 3 (one for each hash type: md5, sha1, sha256)
            * Path entry: only 1 allowed
          items:
            $ref: '#/components/schemas/Security_Exceptions_API_BlocklistHashOrPathEntry'
          minItems: 1
          type: array
        list_id:
          enum:
            - endpoint_blocklists
          example: endpoint_blocklists
          type: string
        os_types:
          description: macOS-only
          items:
            enum:
              - macos
            type: string
          maxItems: 1
          minItems: 1
          type: array
        tags:
          $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags'
      required:
        - list_id
    Security_Exceptions_API_BlocklistWindowsCodeSignatureEntry:
      type: object
      properties:
        entries:
          description: Nested subject_name entries
          items:
            type: object
            properties:
              field:
                description: Certificate subject name
                enum:
                  - subject_name
                type: string
              operator:
                description: Must be the value "included"
                enum:
                  - included
                type: string
              type:
                description: Match type for subject name
                enum:
                  - match
                  - match_any
                type: string
              value:
                oneOf:
                  - description: Single subject name (used with match)
                    type: string
                  - description: Array of subject names (used with match_any)
                    items:
                      type: string
                    minItems: 1
                    type: array
            required:
              - field
              - type
              - value
              - operator
          minItems: 1
          type: array
        field:
          description: Windows code signature field
          enum:
            - file.Ext.code_signature
          type: string
        type:
          description: Must be nested for Windows code signature
          enum:
            - nested
          type: string
      required:
        - field
        - type
        - entries
    Security_Exceptions_API_BlocklistWindowsProperties:
      description: Blocklist list item properties (Windows, supports code signature).
      type: object
      properties:
        entries:
          description: |
            **Validation rules:**
            * Hash entries: up to 3 (one for each hash type: md5, sha1, sha256)
            * Path entry: only 1 allowed
            * Code signature entry: only 1 allowed
          items:
            oneOf:
              - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistHashOrPathEntry'
              - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistWindowsCodeSignatureEntry'
          minItems: 1
          type: array
        list_id:
          enum:
            - endpoint_blocklists
          example: endpoint_blocklists
          type: string
        os_types:
          description: Windows-only
          items:
            enum:
              - windows
            type: string
          maxItems: 1
          minItems: 1
          type: array
        tags:
          $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags'
      required:
        - list_id
    Security_Exceptions_API_CreateExceptionListItemBase:
      type: object
      properties:
        comments:
          $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemCommentArray'
          default: []
        description:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription'
        expire_time:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime'
        item_id:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId'
        meta:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta'
        name:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName'
        namespace_type:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
          default: single
        type:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType'
      required:
        - type
        - name
        - description
    Security_Exceptions_API_CreateExceptionListItemBlocklistLinux:
      allOf:
        - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase'
        - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistLinuxProperties'
    Security_Exceptions_API_CreateExceptionListItemBlocklistMac:
      allOf:
        - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase'
        - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistMacProperties'
    Security_Exceptions_API_CreateExceptionListItemBlocklistWindows:
      allOf:
        - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase'
        - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistWindowsProperties'
    Security_Exceptions_API_CreateExceptionListItemComment:
      type: object
      properties:
        comment:
          $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
      required:
        - comment
    Security_Exceptions_API_CreateExceptionListItemCommentArray:
      items:
        $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemComment'
      type: array
    Security_Exceptions_API_CreateExceptionListItemEndpointList:
      allOf:
        - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase'
        - $ref: '#/components/schemas/Security_Exceptions_API_EndpointListProperties'
    Security_Exceptions_API_CreateExceptionListItemEventFilters:
      allOf:
        - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase'
        - $ref: '#/components/schemas/Security_Exceptions_API_EventFiltersProperties'
    Security_Exceptions_API_CreateExceptionListItemGeneric:
      allOf:
        - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase'
        - example:
            description: This is a sample detection type exception item.
            entries:
              - field: actingProcess.file.signer
                operator: excluded
                type: exists
              - field: host.name
                operator: included
                type: match_any
                value:
                  - saturn
                  - jupiter
            item_id: simple_list_item
            list_id: simple_list
            name: Sample Exception List Item
            namespace_type: single
            os_types:
              - linux
            tags:
              - malware
            type: simple
          type: object
          properties:
            entries:
              $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray'
            list_id:
              $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId'
            os_types:
              $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray'
              default: []
            tags:
              $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags'
              default: []
          required:
            - list_id
            - entries
    Security_Exceptions_API_CreateExceptionListItemHostIsolation:
      allOf:
        - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase'
        - $ref: '#/components/schemas/Security_Exceptions_API_HostIsolationProperties'
    Security_Exceptions_API_CreateExceptionListItemTrustedAppsLinux:
      allOf:
        - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase'
        - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsLinuxProperties'
    Security_Exceptions_API_CreateExceptionListItemTrustedAppsMac:
      allOf:
        - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase'
        - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsMacProperties'
    Security_Exceptions_API_CreateExceptionListItemTrustedAppsWindows:
      allOf:
        - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase'
        - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsWindowsProperties'
    Security_Exceptions_API_CreateExceptionListItemTrustedDevicesMac:
      allOf:
        - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase'
        - $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesMacProperties'
    Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindows:
      allOf:
        - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase'
        - $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsProperties'
    Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindowsMac:
      allOf:
        - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase'
        - $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsMacProperties'
    Security_Exceptions_API_CreateRuleExceptionListItemComment:
      type: object
      properties:
        comment:
          $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
      required:
        - comment
    Security_Exceptions_API_CreateRuleExceptionListItemCommentArray:
      items:
        $ref: '#/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemComment'
      type: array
    Security_Exceptions_API_CreateRuleExceptionListItemProps:
      type: object
      properties:
        comments:
          $ref: '#/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemCommentArray'
          default: []
        description:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription'
        entries:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray'
        expire_time:
          format: date-time
          type: string
        item_id:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId'
        meta:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta'
        name:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName'
        namespace_type:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
          default: single
        os_types:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray'
          default: []
        tags:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags'
          default: []
        type:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType'
      required:
        - type
        - name
        - description
        - entries
    Security_Exceptions_API_EndpointArtifactTags:
      default: []
      description: |
        Tags for categorization. Special tags for scope control:
        * `"policy:all"` - Global artifact (applies to all Elastic Defend policies)
        * `"policy:<policy_id>"` - Private artifact (applies to specific Elastic Defend policy only, where `<policy_id>` is the Elastic Defend integration policy ID)
      items:
        type: string
      type: array
    Security_Exceptions_API_EndpointListProperties:
      description: Elastic Endpoint exception list item properties.
      type: object
      properties:
        entries:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray'
          description: |
            Exception entries for endpoint security exceptions (used to prevent detection rule alerts).

            **Fully flexible:** Supports any field name for maximum compatibility with detection rules. No field restrictions are enforced.
        list_id:
          enum:
            - endpoint_list
          example: endpoint_list
          type: string
        os_types:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray'
          default: []
        tags:
          $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags'
      required:
        - list_id
    Security_Exceptions_API_EventFiltersProperties:
      description: Event filters list item properties.
      type: object
      properties:
        entries:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray'
          description: |
            Exception entries for the event filter.

            **Flexible field support:** Any event field name is allowed (e.g., `process.name`, `file.path`, `event.action`, `dns.question.name`, etc.)

            **Minimum requirement:** At least 1 entry required
        list_id:
          enum:
            - endpoint_event_filters
          example: endpoint_event_filters
          type: string
        os_types:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray'
          default: []
        tags:
          $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags'
      required:
        - list_id
    Security_Exceptions_API_ExceptionList:
      type: object
      properties:
        _version:
          description: The version id, normally returned by the API when the item was retrieved. Use it to ensure updates are done against the latest version.
          type: string
        created_at:
          description: Autogenerated date of object creation.
          format: date-time
          type: string
        created_by:
          description: Autogenerated value - user that created object.
          type: string
        description:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription'
        id:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId'
        immutable:
          type: boolean
        list_id:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId'
        meta:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListMeta'
        name:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName'
        namespace_type:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
        os_types:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray'
        tags:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListTags'
        tie_breaker_id:
          description: Field used in search to ensure all containers are sorted and returned correctly.
          type: string
        type:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListType'
        updated_at:
          description: Autogenerated date of last object update.
          format: date-time
          type: string
        updated_by:
          description: Autogenerated value - user that last updated object.
          type: string
        version:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListVersion'
      required:
        - id
        - list_id
        - type
        - name
        - description
        - immutable
        - namespace_type
        - version
        - tie_breaker_id
        - created_at
        - created_by
        - updated_at
        - updated_by
    Security_Exceptions_API_ExceptionListDescription:
      description: Describes the exception list.
      example: This list tracks allowlisted values.
      type: string
    Security_Exceptions_API_ExceptionListHumanId:
      description: |
        The exception list's human-readable string identifier.

        For endpoint artifacts, use one of the following values:

        * `endpoint_list`: [Elastic Endpoint exception list](https://www.elastic.co/docs/solutions/security/detect-and-alert/add-manage-exceptions)
        * `endpoint_trusted_apps`: [Trusted applications list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-applications)
        * `endpoint_trusted_devices`: [Trusted devices list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-devices)
        * `endpoint_event_filters`: [Event filters list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/event-filters)
        * `endpoint_host_isolation_exceptions`: [Host isolation exceptions list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/host-isolation-exceptions)
        * `endpoint_blocklists`: [Blocklists list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/blocklist)
      example: simple_list
      format: nonempty
      minLength: 1
      type: string
    Security_Exceptions_API_ExceptionListId:
      description: Exception list's identifier.
      example: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85
      format: nonempty
      minLength: 1
      type: string
    Security_Exceptions_API_ExceptionListItem:
      type: object
      properties:
        _version:
          description: The version id, normally returned by the API when the item was retrieved. Use it to ensure updates are done against the latest version.
          type: string
        comments:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemCommentArray'
        created_at:
          description: Autogenerated date of object creation.
          format: date-time
          type: string
        created_by:
          description: Autogenerated value - user that created object.
          type: string
        description:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription'
        entries:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray'
        expire_time:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime'
        id:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId'
        item_id:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId'
        list_id:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId'
        meta:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta'
        name:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName'
        namespace_type:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
        os_types:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray'
        tags:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags'
        tie_breaker_id:
          description: Field used in search to ensure all containers are sorted and returned correctly.
          type: string
        type:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType'
        updated_at:
          description: Autogenerated date of last object update.
          format: date-time
          type: string
        updated_by:
          description: Autogenerated value - user that last updated object.
          type: string
      required:
        - id
        - item_id
        - list_id
        - type
        - name
        - description
        - entries
        - namespace_type
        - comments
        - tie_breaker_id
        - created_at
        - created_by
        - updated_at
        - updated_by
    Security_Exceptions_API_ExceptionListItemComment:
      type: object
      properties:
        comment:
          $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
        created_at:
          description: Autogenerated date of object creation.
          format: date-time
          type: string
        created_by:
          $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
        id:
          $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
        updated_at:
          description: Autogenerated date of last object update.
          format: date-time
          type: string
        updated_by:
          $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
      required:
        - id
        - comment
        - created_at
        - created_by
    Security_Exceptions_API_ExceptionListItemCommentArray:
      description: |
        Array of comment fields:

        - comment (string): Comments about the exception item.
      items:
        $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemComment'
      type: array
    Security_Exceptions_API_ExceptionListItemDescription:
      description: Describes the exception list.
      type: string
    Security_Exceptions_API_ExceptionListItemEntry:
      anyOf:
        - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch'
        - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny'
        - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryList'
        - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists'
        - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNested'
        - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchWildcard'
      discriminator:
        propertyName: type
    Security_Exceptions_API_ExceptionListItemEntryArray:
      items:
        $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntry'
      type: array
    Security_Exceptions_API_ExceptionListItemEntryExists:
      type: object
      properties:
        field:
          $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
        operator:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator'
        type:
          enum:
            - exists
          type: string
      required:
        - type
        - field
        - operator
    Security_Exceptions_API_ExceptionListItemEntryList:
      type: object
      properties:
        field:
          $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
        list:
          type: object
          properties:
            id:
              $ref: '#/components/schemas/Security_Exceptions_API_ListId'
            type:
              $ref: '#/components/schemas/Security_Exceptions_API_ListType'
          required:
            - id
            - type
        operator:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator'
        type:
          enum:
            - list
          type: string
      required:
        - type
        - field
        - list
        - operator
    Security_Exceptions_API_ExceptionListItemEntryMatch:
      type: object
      properties:
        field:
          $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
        operator:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator'
        type:
          enum:
            - match
          type: string
        value:
          $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
      required:
        - type
        - field
        - value
        - operator
    Security_Exceptions_API_ExceptionListItemEntryMatchAny:
      type: object
      properties:
        field:
          $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
        operator:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator'
        type:
          enum:
            - match_any
          type: string
        value:
          items:
            $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
          minItems: 1
          type: array
      required:
        - type
        - field
        - value
        - operator
    Security_Exceptions_API_ExceptionListItemEntryMatchWildcard:
      type: object
      properties:
        field:
          $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
        operator:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator'
        type:
          enum:
            - wildcard
          type: string
        value:
          $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
      required:
        - type
        - field
        - value
        - operator
    Security_Exceptions_API_ExceptionListItemEntryNested:
      type: object
      properties:
        entries:
          items:
            $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNestedEntryItem'
          minItems: 1
          type: array
        field:
          $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
        type:
          enum:
            - nested
          type: string
      required:
        - type
        - field
        - entries
    Security_Exceptions_API_ExceptionListItemEntryNestedEntryItem:
      oneOf:
        - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch'
        - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny'
        - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists'
    Security_Exceptions_API_ExceptionListItemEntryOperator:
      enum:
        - excluded
        - included
      type: string
    Security_Exceptions_API_ExceptionListItemExpireTime:
      description: The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.
      format: date-time
      type: string
    Security_Exceptions_API_ExceptionListItemHumanId:
      description: Human readable string identifier, e.g. `trusted-linux-processes`
      example: simple_list_item
      format: nonempty
      minLength: 1
      type: string
    Security_Exceptions_API_ExceptionListItemId:
      description: Exception's identifier.
      example: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2
      format: nonempty
      minLength: 1
      type: string
    Security_Exceptions_API_ExceptionListItemMeta:
      additionalProperties: true
      type: object
    Security_Exceptions_API_ExceptionListItemName:
      description: Exception list name.
      format: nonempty
      minLength: 1
      type: string
    Security_Exceptions_API_ExceptionListItemOsTypeArray:
      items:
        $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsType'
      type: array
    Security_Exceptions_API_ExceptionListItemTags:
      items:
        description: String array containing words and phrases to help categorize exception items.
        format: nonempty
        minLength: 1
        type: string
      type: array
    Security_Exceptions_API_ExceptionListItemType:
      enum:
        - simple
      type: string
    Security_Exceptions_API_ExceptionListMeta:
      additionalProperties: true
      description: Placeholder for metadata about the list container.
      type: object
    Security_Exceptions_API_ExceptionListName:
      description: The name of the exception list.
      example: My exception list
      type: string
    Security_Exceptions_API_ExceptionListOsType:
      description: Use this field to specify the operating system.
      enum:
        - linux
        - macos
        - windows
      type: string
    Security_Exceptions_API_ExceptionListOsTypeArray:
      description: Use this field to specify the operating system. Only enter one value.
      items:
        $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsType'
      type: array
    Security_Exceptions_API_ExceptionListsImportBulkError:
      type: object
      properties:
        error:
          type: object
          properties:
            message:
              type: string
            status_code:
              type: integer
          required:
            - status_code
            - message
        id:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId'
        item_id:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId'
        list_id:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId'
      required:
        - error
    Security_Exceptions_API_ExceptionListsImportBulkErrorArray:
      items:
        $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkError'
      type: array
    Security_Exceptions_API_ExceptionListTags:
      description: String array containing words and phrases to help categorize exception containers.
      items:
        type: string
      type: array
    Security_Exceptions_API_ExceptionListType:
      description: The type of exception list to be created. Different list types may denote where they can be utilized.
      enum:
        - detection
        - rule_default
        - endpoint
        - endpoint_trusted_apps
        - endpoint_trusted_devices
        - endpoint_events
        - endpoint_host_isolation_exceptions
        - endpoint_blocklists
      type: string
    Security_Exceptions_API_ExceptionListVersion:
      description: The document version, automatically increased on updates.
      minimum: 1
      type: integer
    Security_Exceptions_API_ExceptionNamespaceType:
      description: |
        Determines whether the exception container is available in all Kibana spaces or just the space
        in which it is created, where:

        - `single`: Only available in the Kibana space in which it is created.
        - `agnostic`: Available in all Kibana spaces.

        For endpoint artifacts, the `namespace_type` must always be `agnostic`. Space awareness for endpoint artifacts is enforced based on Elastic Defend policy assignments.
      enum:
        - agnostic
        - single
      type: string
    Security_Exceptions_API_FindExceptionListItemsFilter:
      $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
    Security_Exceptions_API_FindExceptionListsFilter:
      example: exception-list.attributes.name:%Detection%20List
      type: string
    Security_Exceptions_API_HostIsolationProperties:
      description: Host isolation exceptions list item properties.
      type: object
      properties:
        entries:
          description: Exactly one entry allowed for host isolation exceptions
          items:
            type: object
            properties:
              field:
                description: Must be destination.ip
                enum:
                  - destination.ip
                type: string
              operator:
                description: Must be the value "included"
                enum:
                  - included
                type: string
              type:
                description: Must be match
                enum:
                  - match
                type: string
              value:
                description: Valid IPv4 address or CIDR notation (e.g., "192.168.1.1" or "10.0.0.0/8")
                type: string
            required:
              - field
              - type
              - value
              - operator
          maxItems: 1
          minItems: 1
          type: array
        list_id:
          enum:
            - endpoint_host_isolation_exceptions
          example: endpoint_host_isolation_exceptions
          type: string
        os_types:
          description: Must include all three operating systems (windows, linux, macos)
          items:
            enum:
              - windows
              - linux
              - macos
            type: string
          maxItems: 3
          minItems: 3
          type: array
        tags:
          $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags'
      required:
        - list_id
    Security_Exceptions_API_ListId:
      description: Value list's identifier.
      example: 21b01cfb-058d-44b9-838c-282be16c91cd
      format: nonempty
      minLength: 1
      type: string
    Security_Exceptions_API_ListType:
      description: |
        Specifies the Elasticsearch data type of the exclusions the list container holds. Some common examples:

        - `keyword`: Many ECS fields are Elasticsearch keywords
        - `ip`: IP addresses
        - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)
      enum:
        - binary
        - boolean
        - byte
        - date
        - date_nanos
        - date_range
        - double
        - double_range
        - float
        - float_range
        - geo_point
        - geo_shape
        - half_float
        - integer
        - integer_range
        - ip
        - ip_range
        - keyword
        - long
        - long_range
        - shape
        - short
        - text
      type: string
    Security_Exceptions_API_NonEmptyString:
      description: A string that does not contain only whitespace characters
      format: nonempty
      minLength: 1
      type: string
    Security_Exceptions_API_PlatformErrorResponse:
      type: object
      properties:
        error:
          type: string
        message:
          type: string
        statusCode:
          type: integer
      required:
        - statusCode
        - error
        - message
    Security_Exceptions_API_RuleId:
      $ref: '#/components/schemas/Security_Exceptions_API_UUID'
    Security_Exceptions_API_SiemErrorResponse:
      type: object
      properties:
        message:
          type: string
        status_code:
          type: integer
      required:
        - status_code
        - message
    Security_Exceptions_API_TrustedAppHashEntry:
      type: object
      properties:
        field:
          description: Process hash field
          enum:
            - process.hash.md5
            - process.hash.sha1
            - process.hash.sha256
          type: string
        operator:
          enum:
            - included
          type: string
        type:
          description: Hash entries only support match type
          enum:
            - match
          type: string
        value:
          description: Hash value (MD5, SHA1, or SHA256)
          type: string
      required:
        - field
        - type
        - value
        - operator
    Security_Exceptions_API_TrustedAppMacCodeSignatureEntry:
      type: object
      properties:
        entries:
          description: Must include exactly 2 entries - one for subject_name and one for trusted
          items:
            oneOf:
              - type: object
                properties:
                  field:
                    enum:
                      - subject_name
                    type: string
                  operator:
                    enum:
                      - included
                    type: string
                  type:
                    enum:
                      - match
                    type: string
                  value:
                    description: Certificate subject name
                    type: string
                required:
                  - field
                  - type
                  - value
                  - operator
              - type: object
                properties:
                  field:
                    enum:
                      - trusted
                    type: string
                  operator:
                    enum:
                      - included
                    type: string
                  type:
                    enum:
                      - match
                    type: string
                  value:
                    description: Must be the string 'true'
                    enum:
                      - 'true'
                    type: string
                required:
                  - field
                  - type
                  - value
                  - operator
          maxItems: 2
          minItems: 2
          type: array
        field:
          description: macOS code signature field
          enum:
            - process.code_signature
          type: string
        type:
          enum:
            - nested
          type: string
      required:
        - field
        - type
        - entries
    Security_Exceptions_API_TrustedAppPathEntry:
      type: object
      properties:
        field:
          description: Process executable path field
          enum:
            - process.executable.caseless
          type: string
        operator:
          enum:
            - included
          type: string
        type:
          description: Path supports both match and wildcard types
          enum:
            - match
            - wildcard
          type: string
        value:
          description: Executable path
          type: string
      required:
        - field
        - type
        - value
        - operator
    Security_Exceptions_API_TrustedAppsLinuxProperties:
      description: Trusted applications list item properties (Linux).
      type: object
      properties:
        entries:
          description: Process hash or executable path entries (code signature not supported on Linux)
          items:
            oneOf:
              - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppHashEntry'
              - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppPathEntry'
          minItems: 1
          type: array
        list_id:
          enum:
            - endpoint_trusted_apps
          example: endpoint_trusted_apps
          type: string
        os_types:
          description: Must be Linux only
          items:
            enum:
              - linux
            type: string
          maxItems: 1
          minItems: 1
          type: array
        tags:
          $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags'
      required:
        - list_id
    Security_Exceptions_API_TrustedAppsMacProperties:
      description: Trusted applications list item properties (macOS).
      type: object
      properties:
        entries:
          description: Process hash, executable path, or code signature entries
          items:
            oneOf:
              - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppHashEntry'
              - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppPathEntry'
              - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppMacCodeSignatureEntry'
          minItems: 1
          type: array
        list_id:
          enum:
            - endpoint_trusted_apps
          example: endpoint_trusted_apps
          type: string
        os_types:
          description: Must be macOS only
          items:
            enum:
              - macos
            type: string
          maxItems: 1
          minItems: 1
          type: array
        tags:
          $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags'
      required:
        - list_id
    Security_Exceptions_API_TrustedAppsWindowsProperties:
      description: Trusted applications list item properties (Windows).
      type: object
      properties:
        entries:
          description: Process hash, executable path, or code signature entries
          items:
            oneOf:
              - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppHashEntry'
              - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppPathEntry'
              - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppWindowsCodeSignatureEntry'
          minItems: 1
          type: array
        list_id:
          enum:
            - endpoint_trusted_apps
          example: endpoint_trusted_apps
          type: string
        os_types:
          description: Must be Windows only
          items:
            enum:
              - windows
            type: string
          maxItems: 1
          minItems: 1
          type: array
        tags:
          $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags'
      required:
        - list_id
    Security_Exceptions_API_TrustedAppWindowsCodeSignatureEntry:
      type: object
      properties:
        entries:
          description: Must include exactly 2 entries - one for subject_name and one for trusted
          items:
            oneOf:
              - type: object
                properties:
                  field:
                    enum:
                      - subject_name
                    type: string
                  operator:
                    enum:
                      - included
                    type: string
                  type:
                    enum:
                      - match
                    type: string
                  value:
                    description: Certificate subject name
                    type: string
                required:
                  - field
                  - type
                  - value
                  - operator
              - type: object
                properties:
                  field:
                    enum:
                      - trusted
                    type: string
                  operator:
                    enum:
                      - included
                    type: string
                  type:
                    enum:
                      - match
                    type: string
                  value:
                    description: Must be the string 'true'
                    enum:
                      - 'true'
                    type: string
                required:
                  - field
                  - type
                  - value
                  - operator
          maxItems: 2
          minItems: 2
          type: array
        field:
          description: Windows code signature field
          enum:
            - process.Ext.code_signature
          type: string
        type:
          enum:
            - nested
          type: string
      required:
        - field
        - type
        - entries
    Security_Exceptions_API_TrustedDevicesMacProperties:
      description: Trusted devices list item properties (macOS-only, username not supported).
      type: object
      properties:
        entries:
          description: Exception entries for the trusted device (duplicate field entries are not allowed)
          items:
            type: object
            properties:
              field:
                description: Device field to match against
                enum:
                  - device.serial_number
                  - device.type
                  - host.name
                  - device.vendor.name
                  - device.vendor.id
                  - device.product.id
                  - device.product.name
                type: string
              operator:
                description: Must be the value "included"
                enum:
                  - included
                type: string
              type:
                description: Entry match type
                enum:
                  - match
                  - wildcard
                  - match_any
                type: string
              value:
                oneOf:
                  - description: Single value (used with match or wildcard)
                    type: string
                  - description: Array of values (used with match_any)
                    items:
                      type: string
                    minItems: 1
                    type: array
            required:
              - field
              - type
              - value
              - operator
          minItems: 1
          type: array
        list_id:
          enum:
            - endpoint_trusted_devices
          example: endpoint_trusted_devices
          type: string
        os_types:
          description: macOS-only
          items:
            enum:
              - macos
            type: string
          maxItems: 1
          minItems: 1
          type: array
        tags:
          $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags'
      required:
        - list_id
    Security_Exceptions_API_TrustedDevicesWindowsMacProperties:
      description: Trusted devices list item properties (Windows + macOS, username not supported).
      type: object
      properties:
        entries:
          description: Exception entries for the trusted device (duplicate field entries are not allowed, username not available when targeting both OS)
          items:
            type: object
            properties:
              field:
                description: Device field to match against (username not available for multi-OS)
                enum:
                  - device.serial_number
                  - device.type
                  - host.name
                  - device.vendor.name
                  - device.vendor.id
                  - device.product.id
                  - device.product.name
                type: string
              operator:
                description: Must be the value "included"
                enum:
                  - included
                type: string
              type:
                description: Entry match type
                enum:
                  - match
                  - wildcard
                  - match_any
                type: string
              value:
                oneOf:
                  - description: Single value (used with match or wildcard)
                    type: string
                  - description: Array of values (used with match_any)
                    items:
                      type: string
                    minItems: 1
                    type: array
            required:
              - field
              - type
              - value
              - operator
          minItems: 1
          type: array
        list_id:
          enum:
            - endpoint_trusted_devices
          example: endpoint_trusted_devices
          type: string
        os_types:
          description: Must include both Windows and macOS (username field not allowed)
          items:
            enum:
              - windows
              - macos
            type: string
          maxItems: 2
          minItems: 2
          type: array
        tags:
          $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags'
      required:
        - list_id
    Security_Exceptions_API_TrustedDevicesWindowsProperties:
      description: Trusted devices list item properties (Windows-only, allows username field).
      type: object
      properties:
        entries:
          description: Exception entries for the trusted device (duplicate field entries are not allowed)
          items:
            type: object
            properties:
              field:
                description: Device field to match against (user.name is Windows-only)
                enum:
                  - device.serial_number
                  - device.type
                  - host.name
                  - device.vendor.name
                  - device.vendor.id
                  - device.product.id
                  - device.product.name
                  - user.name
                type: string
              operator:
                description: Must be the value "included"
                enum:
                  - included
                type: string
              type:
                description: Entry match type
                enum:
                  - match
                  - wildcard
                  - match_any
                type: string
              value:
                oneOf:
                  - description: Single value (used with match or wildcard)
                    type: string
                  - description: Array of values (used with match_any)
                    items:
                      type: string
                    minItems: 1
                    type: array
            required:
              - field
              - type
              - value
              - operator
          minItems: 1
          type: array
        list_id:
          enum:
            - endpoint_trusted_devices
          example: endpoint_trusted_devices
          type: string
        os_types:
          description: Must be Windows-only to allow username field
          items:
            enum:
              - windows
            type: string
          maxItems: 1
          minItems: 1
          type: array
        tags:
          $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags'
      required:
        - list_id
    Security_Exceptions_API_UpdateExceptionListItemBase:
      type: object
      properties:
        _version:
          description: The version ID, normally returned by the API when the item is retrieved. Use it to ensure updates are made against the latest version.
          type: string
        comments:
          $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemCommentArray'
          default: []
        description:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription'
        expire_time:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime'
        id:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId'
          description: Either `id` or `item_id` must be specified
        item_id:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId'
          description: Either `id` or `item_id` must be specified
        meta:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta'
        name:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName'
        namespace_type:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
          default: single
        type:
          $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType'
      required:
        - type
        - name
        - description
    Security_Exceptions_API_UpdateExceptionListItemBlocklistLinux:
      allOf:
        - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase'
        - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistLinuxProperties'
    Security_Exceptions_API_UpdateExceptionListItemBlocklistMac:
      allOf:
        - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase'
        - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistMacProperties'
    Security_Exceptions_API_UpdateExceptionListItemBlocklistWindows:
      allOf:
        - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase'
        - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistWindowsProperties'
    Security_Exceptions_API_UpdateExceptionListItemComment:
      type: object
      properties:
        comment:
          $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
        id:
          $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
      required:
        - comment
    Security_Exceptions_API_UpdateExceptionListItemCommentArray:
      items:
        $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemComment'
      type: array
    Security_Exceptions_API_UpdateExceptionListItemEndpointList:
      allOf:
        - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase'
        - $ref: '#/components/schemas/Security_Exceptions_API_EndpointListProperties'
    Security_Exceptions_API_UpdateExceptionListItemEventFilters:
      allOf:
        - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase'
        - $ref: '#/components/schemas/Security_Exceptions_API_EventFiltersProperties'
    Security_Exceptions_API_UpdateExceptionListItemGeneric:
      allOf:
        - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase'
        - example:
            comments: []
            description: Updated description
            entries:
              - field: host.name
                operator: included
                type: match
                value: rock01
            item_id: simple_list_item
            name: Updated name
            namespace_type: single
            tags: []
            type: simple
          type: object
          properties:
            entries:
              $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray'
            list_id:
              $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId'
            os_types:
              $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray'
              default: []
            tags:
              $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags'
          required:
            - entries
    Security_Exceptions_API_UpdateExceptionListItemHostIsolation:
      allOf:
        - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase'
        - $ref: '#/components/schemas/Security_Exceptions_API_HostIsolationProperties'
    Security_Exceptions_API_UpdateExceptionListItemTrustedAppsLinux:
      allOf:
        - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase'
        - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsLinuxProperties'
    Security_Exceptions_API_UpdateExceptionListItemTrustedAppsMac:
      allOf:
        - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase'
        - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsMacProperties'
    Security_Exceptions_API_UpdateExceptionListItemTrustedAppsWindows:
      allOf:
        - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase'
        - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsWindowsProperties'
    Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesMac:
      allOf:
        - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase'
        - $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesMacProperties'
    Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindows:
      allOf:
        - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase'
        - $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsProperties'
    Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindowsMac:
      allOf:
        - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase'
        - $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsMacProperties'
    Security_Exceptions_API_UUID:
      description: A universally unique identifier
      format: uuid
      type: string
    Security_Lists_API_FindListItemsCursor:
      description: Returns the items that come after the last item returned in the previous call (use the `cursor` value returned in the previous call). This parameter uses the `tie_breaker_id` field to ensure all items are sorted and returned correctly.
      example: WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d
      format: nonempty
      minLength: 1
      type: string
    Security_Lists_API_FindListItemsFilter:
      example: value:127.0.0.1
      type: string
    Security_Lists_API_FindListsCursor:
      example: WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d
      format: nonempty
      minLength: 1
      type: string
    Security_Lists_API_FindListsFilter:
      example: value:127.0.0.1
      type: string
    Security_Lists_API_List:
      type: object
      properties:
        _version:
          $ref: '#/components/schemas/Security_Lists_API_ListVersionId'
        '@timestamp':
          example: '2025-01-08T04:47:34.273Z'
          format: date-time
          type: string
        created_at:
          description: Autogenerated date of object creation.
          example: '2025-01-08T04:47:34.273Z'
          format: date-time
          type: string
        created_by:
          description: Autogenerated value - user that created object.
          example: elastic
          type: string
        description:
          $ref: '#/components/schemas/Security_Lists_API_ListDescription'
        id:
          $ref: '#/components/schemas/Security_Lists_API_ListId'
        immutable:
          type: boolean
        meta:
          $ref: '#/components/schemas/Security_Lists_API_ListMetadata'
        name:
          $ref: '#/components/schemas/Security_Lists_API_ListName'
        tie_breaker_id:
          description: Field used in search to ensure all containers are sorted and returned correctly.
          example: f5508188-b1e9-4e6e-9662-d039a7d89899
          type: string
        type:
          $ref: '#/components/schemas/Security_Lists_API_ListType'
        updated_at:
          description: Autogenerated date of last object update.
          example: '2025-01-08T04:47:34.273Z'
          format: date-time
          type: string
        updated_by:
          description: Autogenerated value - user that last updated object.
          example: elastic
          type: string
        version:
          $ref: '#/components/schemas/Security_Lists_API_ListVersion'
      required:
        - id
        - type
        - name
        - description
        - immutable
        - version
        - tie_breaker_id
        - created_at
        - created_by
        - updated_at
        - updated_by
    Security_Lists_API_ListDescription:
      description: Describes the value list.
      format: nonempty
      minLength: 1
      type: string
    Security_Lists_API_ListId:
      description: Value list's identifier.
      example: 21b01cfb-058d-44b9-838c-282be16c91cd
      format: nonempty
      minLength: 1
      type: string
    Security_Lists_API_ListItem:
      type: object
      properties:
        _version:
          $ref: '#/components/schemas/Security_Lists_API_ListVersionId'
        '@timestamp':
          example: '2025-01-08T04:47:34.273Z'
          format: date-time
          type: string
        created_at:
          description: Autogenerated date of object creation.
          example: '2025-01-08T04:47:34.273Z'
          format: date-time
          type: string
        created_by:
          description: Autogenerated value - user that created object.
          example: elastic
          type: string
        id:
          $ref: '#/components/schemas/Security_Lists_API_ListItemId'
        list_id:
          $ref: '#/components/schemas/Security_Lists_API_ListId'
        meta:
          $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata'
        tie_breaker_id:
          description: Field used in search to ensure all containers are sorted and returned correctly.
          example: f5508188-b1e9-4e6e-9662-d039a7d89899
          type: string
        type:
          $ref: '#/components/schemas/Security_Lists_API_ListType'
        updated_at:
          description: Autogenerated date of last object update.
          example: '2025-01-08T04:47:34.273Z'
          format: date-time
          type: string
        updated_by:
          description: Autogenerated value - user that last updated object.
          example: elastic
          type: string
        value:
          $ref: '#/components/schemas/Security_Lists_API_ListItemValue'
      required:
        - id
        - type
        - list_id
        - value
        - tie_breaker_id
        - created_at
        - created_by
        - updated_at
        - updated_by
    Security_Lists_API_ListItemId:
      description: Value list item's identifier.
      example: 54b01cfb-058d-44b9-838c-282be16c91cd
      format: nonempty
      minLength: 1
      type: string
    Security_Lists_API_ListItemMetadata:
      additionalProperties: true
      description: Placeholder for metadata about the value list item.
      type: object
    Security_Lists_API_ListItemPrivileges:
      type: object
      properties:
        application:
          additionalProperties:
            type: boolean
          type: object
        cluster:
          additionalProperties:
            type: boolean
          type: object
        has_all_requested:
          type: boolean
        index:
          additionalProperties:
            additionalProperties:
              type: boolean
            type: object
          type: object
        username:
          type: string
      required:
        - username
        - has_all_requested
        - cluster
        - index
        - application
    Security_Lists_API_ListItemValue:
      description: The value used to evaluate exceptions.
      format: nonempty
      minLength: 1
      type: string
    Security_Lists_API_ListMetadata:
      additionalProperties: true
      description: Placeholder for metadata about the value list.
      type: object
    Security_Lists_API_ListName:
      description: Value list's name.
      example: List of bad IPs
      format: nonempty
      minLength: 1
      type: string
    Security_Lists_API_ListPrivileges:
      type: object
      properties:
        application:
          additionalProperties:
            type: boolean
          type: object
        cluster:
          additionalProperties:
            type: boolean
          type: object
        has_all_requested:
          type: boolean
        index:
          additionalProperties:
            additionalProperties:
              type: boolean
            type: object
          type: object
        username:
          type: string
      required:
        - username
        - has_all_requested
        - cluster
        - index
        - application
    Security_Lists_API_ListType:
      description: |
        Specifies the Elasticsearch data type of the excluded values the list container holds. Some common examples:

        - `keyword`: Many ECS fields are Elasticsearch keywords
        - `ip`: IP addresses
        - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)
      enum:
        - binary
        - boolean
        - byte
        - date
        - date_nanos
        - date_range
        - double
        - double_range
        - float
        - float_range
        - geo_point
        - geo_shape
        - half_float
        - integer
        - integer_range
        - ip
        - ip_range
        - keyword
        - long
        - long_range
        - shape
        - short
        - text
      type: string
    Security_Lists_API_ListVersion:
      description: The document version number.
      example: 1
      minimum: 1
      type: integer
    Security_Lists_API_ListVersionId:
      description: |
        The version ID, normally returned by the API when the document is retrieved. Use it to ensure updates are made against the latest version.
      example: WzIsMV0=
      type: string
    Security_Lists_API_PlatformErrorResponse:
      type: object
      properties:
        error:
          type: string
        message:
          type: string
        statusCode:
          type: integer
      required:
        - statusCode
        - error
        - message
    Security_Lists_API_SiemErrorResponse:
      type: object
      properties:
        message:
          type: string
        status_code:
          type: integer
      required:
        - status_code
        - message
    Security_Osquery_API_ArrayQueries:
      description: An array of queries to run.
      items:
        $ref: '#/components/schemas/Security_Osquery_API_ArrayQueriesItem'
      type: array
    Security_Osquery_API_ArrayQueriesItem:
      type: object
      properties:
        ecs_mapping:
          $ref: '#/components/schemas/Security_Osquery_API_ECSMapping'
        id:
          $ref: '#/components/schemas/Security_Osquery_API_QueryId'
        platform:
          $ref: '#/components/schemas/Security_Osquery_API_Platform'
        query:
          $ref: '#/components/schemas/Security_Osquery_API_Query'
        removed:
          $ref: '#/components/schemas/Security_Osquery_API_Removed'
        snapshot:
          $ref: '#/components/schemas/Security_Osquery_API_Snapshot'
        version:
          $ref: '#/components/schemas/Security_Osquery_API_Version'
    Security_Osquery_API_CopyPacksResponse:
      description: The response for copying a pack.
      example:
        data:
          created_at: '2025-02-26T13:37:30.452Z'
          created_by: elastic
          description: My pack
          enabled: false
          name: my_pack_copy
          policy_ids: []
          queries:
            - ecs_mapping:
                - key: client.port
                  value:
                    field: port
              id: ports
              interval: 60
              query: SELECT * FROM listening_ports;
              removed: false
              snapshot: true
              timeout: 120
          saved_object_id: 1c266590-381f-428c-878f-c80c1334f856
          shards: []
          updated_at: '2025-02-26T13:37:30.452Z'
          updated_by: elastic
      type: object
      properties:
        data:
          type: object
          properties:
            created_at:
              format: date-time
              type: string
            created_by:
              nullable: true
              type: string
            created_by_profile_uid:
              type: string
            description:
              $ref: '#/components/schemas/Security_Osquery_API_PackDescription'
            enabled:
              $ref: '#/components/schemas/Security_Osquery_API_Enabled'
            name:
              $ref: '#/components/schemas/Security_Osquery_API_PackName'
            policy_ids:
              $ref: '#/components/schemas/Security_Osquery_API_PolicyIds'
            queries:
              description: 'Pack queries in saved-object storage format (array). Note: the read endpoint returns object format.'
              items:
                type: object
                properties:
                  ecs_mapping:
                    $ref: '#/components/schemas/Security_Osquery_API_ECSMappingArray'
                  id:
                    type: string
                  interval:
                    type: integer
                  platform:
                    type: string
                  query:
                    type: string
                  removed:
                    type: boolean
                  snapshot:
                    type: boolean
                  timeout:
                    type: integer
                  version:
                    type: string
              type: array
            saved_object_id:
              description: The saved object ID of the copied pack.
              type: string
            shards:
              description: Shard configuration as an array of key-value pairs.
              items:
                type: object
                properties:
                  key:
                    type: string
                  value:
                    type: number
              type: array
            updated_at:
              format: date-time
              type: string
            updated_by:
              nullable: true
              type: string
            updated_by_profile_uid:
              type: string
            version:
              description: The pack version number.
              type: integer
          required:
            - saved_object_id
            - name
      required:
        - data
    Security_Osquery_API_CopySavedQueryResponse:
      description: The response for copying a saved query.
      example:
        data:
          created_at: '2025-02-26T13:37:30.452Z'
          created_by: elastic
          description: Saved query description
          ecs_mapping:
            host.uptime:
              field: total_seconds
          id: my_saved_query_copy
          interval: '60'
          platform: linux,darwin
          query: select * from uptime;
          removed: false
          saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c
          snapshot: true
          timeout: 120
          updated_at: '2025-02-26T13:37:30.452Z'
          updated_by: elastic
      type: object
      properties:
        data:
          type: object
          properties:
            created_at:
              format: date-time
              type: string
            created_by:
              nullable: true
              type: string
            created_by_profile_uid:
              type: string
            description:
              $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription'
            ecs_mapping:
              $ref: '#/components/schemas/Security_Osquery_API_ECSMapping'
            id:
              $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId'
            interval:
              oneOf:
                - type: integer
                - type: string
            platform:
              $ref: '#/components/schemas/Security_Osquery_API_Platform'
            query:
              $ref: '#/components/schemas/Security_Osquery_API_Query'
            removed:
              $ref: '#/components/schemas/Security_Osquery_API_Removed'
            saved_object_id:
              type: string
            snapshot:
              $ref: '#/components/schemas/Security_Osquery_API_Snapshot'
            timeout:
              type: integer
            updated_at:
              format: date-time
              type: string
            updated_by:
              nullable: true
              type: string
            updated_by_profile_uid:
              type: string
          required:
            - saved_object_id
            - id
      required:
        - data
    Security_Osquery_API_CreateLiveQueryRequestBody:
      example:
        agent_all: true
        ecs_mapping:
          host.uptime:
            field: total_seconds
        query: select * from uptime;
      type: object
      properties:
        agent_all:
          description: When `true`, the query runs on all agents.
          type: boolean
        agent_ids:
          description: A list of agent IDs to run the query on.
          items:
            type: string
          type: array
        agent_platforms:
          description: A list of agent platforms to run the query on.
          items:
            type: string
          type: array
        agent_policy_ids:
          description: A list of agent policy IDs to run the query on.
          items:
            type: string
          type: array
        alert_ids:
          description: A list of alert IDs associated with the live query.
          items:
            type: string
          type: array
        case_ids:
          description: A list of case IDs associated with the live query.
          items:
            type: string
          type: array
        ecs_mapping:
          $ref: '#/components/schemas/Security_Osquery_API_ECSMapping'
        event_ids:
          description: A list of event IDs associated with the live query.
          items:
            type: string
          type: array
        metadata:
          description: Custom metadata object associated with the live query.
          nullable: true
          type: object
        pack_id:
          $ref: '#/components/schemas/Security_Osquery_API_PackId'
        queries:
          $ref: '#/components/schemas/Security_Osquery_API_ArrayQueries'
        query:
          $ref: '#/components/schemas/Security_Osquery_API_Query'
        saved_query_id:
          $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId'
    Security_Osquery_API_CreateLiveQueryResponse:
      description: The response for creating a live query.
      example:
        data:
          '@timestamp': '2022-07-26T09:59:32.220Z'
          action_id: 3c42c847-eb30-4452-80e0-728584042334
          agent_all: true
          agent_ids: []
          agent_platforms: []
          agent_policy_ids: []
          agents:
            - 16d7caf5-efd2-4212-9b62-73dafc91fa13
          expiration: '2022-07-26T10:04:32.220Z'
          input_type: osquery
          metadata:
            execution_context:
              name: osquery
              url: /app/osquery/live_queries/new
          queries:
            - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0
              agents:
                - 16d7caf5-efd2-4212-9b62-73dafc91fa13
              ecs_mapping:
                host.uptime:
                  field: total_seconds
              id: 6724a474-cbba-41ef-a1aa-66aebf0879e2
              query: select * from uptime;
              timeout: 120
          type: INPUT_ACTION
          user_id: elastic
      type: object
      properties:
        data:
          type: object
          properties:
            '@timestamp':
              description: The timestamp when the action was created.
              format: date-time
              type: string
            action_id:
              description: The ID of the action.
              type: string
            agent_all:
              description: Whether the query targets all agents.
              type: boolean
            agent_ids:
              description: The agent IDs targeted by the action.
              items:
                type: string
              type: array
            agent_platforms:
              description: The agent platforms targeted.
              items:
                type: string
              type: array
            agent_policy_ids:
              description: The agent policy IDs targeted.
              items:
                type: string
              type: array
            agents:
              description: The resolved list of agent IDs.
              items:
                type: string
              type: array
            expiration:
              description: The expiration date of the action.
              format: date-time
              type: string
            input_type:
              description: The input type.
              type: string
            metadata:
              description: Custom metadata associated with the action.
              type: object
            pack_id:
              description: The pack ID if the query was run from a pack.
              type: string
            queries:
              description: The queries in this action.
              items:
                type: object
                properties:
                  action_id:
                    type: string
                  agents:
                    items:
                      type: string
                    type: array
                  ecs_mapping:
                    $ref: '#/components/schemas/Security_Osquery_API_ECSMapping'
                  id:
                    type: string
                  platform:
                    type: string
                  query:
                    type: string
                  saved_query_id:
                    type: string
                  timeout:
                    type: integer
                  version:
                    type: string
              type: array
            type:
              description: The action type.
              type: string
            user_id:
              description: The user who created the action.
              type: string
          required:
            - action_id
      required:
        - data
    Security_Osquery_API_CreatePacksRequestBody:
      example:
        description: My pack
        enabled: true
        name: my_pack
        policy_ids:
          - my_policy_id
          - fleet-server-policy
        queries:
          my_query:
            ecs_mapping:
              client.port:
                field: port
              tags:
                value:
                  - tag1
                  - tag2
            interval: 60
            query: SELECT * FROM listening_ports;
            timeout: 120
        shards:
          fleet-server-policy: 58
          my_policy_id: 35
      type: object
      properties:
        description:
          $ref: '#/components/schemas/Security_Osquery_API_PackDescription'
        enabled:
          $ref: '#/components/schemas/Security_Osquery_API_Enabled'
        name:
          $ref: '#/components/schemas/Security_Osquery_API_PackName'
        policy_ids:
          $ref: '#/components/schemas/Security_Osquery_API_PolicyIds'
        queries:
          $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries'
        shards:
          $ref: '#/components/schemas/Security_Osquery_API_Shards'
    Security_Osquery_API_CreatePacksResponse:
      description: The response for creating a pack.
      example:
        data:
          created_at: '2025-02-26T13:37:30.452Z'
          created_by: elastic
          description: My pack
          enabled: true
          name: my_pack
          policy_ids:
            - my_policy_id
          queries:
            ports:
              ecs_mapping:
                client.port:
                  field: port
              interval: 60
              query: SELECT * FROM listening_ports;
              removed: false
              snapshot: true
              timeout: 120
          saved_object_id: 1c266590-381f-428c-878f-c80c1334f856
          shards:
            47638692-7c4c-4053-aa3e-7186f28df349: 35
            5e267651-fe50-443e-8d3f-3bbc9171b618: 58
          updated_at: '2025-02-26T13:37:30.452Z'
          updated_by: elastic
          version: 1
      type: object
      properties:
        data:
          type: object
          properties:
            created_at:
              description: The date and time the pack was created.
              format: date-time
              type: string
            created_by:
              description: The user who created the pack.
              nullable: true
              type: string
            created_by_profile_uid:
              description: The profile UID of the user who created the pack.
              type: string
            description:
              $ref: '#/components/schemas/Security_Osquery_API_PackDescription'
            enabled:
              $ref: '#/components/schemas/Security_Osquery_API_Enabled'
            name:
              $ref: '#/components/schemas/Security_Osquery_API_PackName'
            policy_ids:
              $ref: '#/components/schemas/Security_Osquery_API_PolicyIds'
            queries:
              $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries'
            saved_object_id:
              description: The saved object ID of the pack.
              type: string
            shards:
              description: Shard configuration as an array of key-value pairs.
              items:
                type: object
                properties:
                  key:
                    type: string
                  value:
                    type: number
              type: array
            updated_at:
              description: The date and time the pack was last updated.
              format: date-time
              type: string
            updated_by:
              description: The user who last updated the pack.
              nullable: true
              type: string
            updated_by_profile_uid:
              description: The profile UID of the user who last updated the pack.
              type: string
            version:
              description: The pack version number.
              type: integer
          required:
            - saved_object_id
            - name
      required:
        - data
    Security_Osquery_API_CreateSavedQueryRequestBody:
      example:
        description: Saved query description
        ecs_mapping:
          host.uptime:
            field: total_seconds
        id: saved_query_id
        interval: '60'
        platform: linux,darwin
        query: select * from uptime;
        timeout: 120
        version: 2.8.0
      type: object
      properties:
        description:
          $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription'
        ecs_mapping:
          $ref: '#/components/schemas/Security_Osquery_API_ECSMapping'
        id:
          $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId'
        interval:
          $ref: '#/components/schemas/Security_Osquery_API_Interval'
        platform:
          $ref: '#/components/schemas/Security_Osquery_API_Platform'
        query:
          $ref: '#/components/schemas/Security_Osquery_API_Query'
        removed:
          $ref: '#/components/schemas/Security_Osquery_API_Removed'
        snapshot:
          $ref: '#/components/schemas/Security_Osquery_API_Snapshot'
        version:
          $ref: '#/components/schemas/Security_Osquery_API_Version'
    Security_Osquery_API_CreateSavedQueryResponse:
      description: The response for creating a saved query.
      example:
        data:
          created_at: '2025-02-26T13:37:30.452Z'
          created_by: elastic
          description: Saved query description
          ecs_mapping:
            host.uptime:
              field: total_seconds
          id: saved_query_id
          interval: '60'
          platform: linux,darwin
          prebuilt: false
          query: select * from uptime;
          saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c
          timeout: 120
          updated_at: '2025-02-26T13:37:30.452Z'
          updated_by: elastic
          version: 2.8.0
      type: object
      properties:
        data:
          type: object
          properties:
            created_at:
              format: date-time
              type: string
            created_by:
              nullable: true
              type: string
            created_by_profile_uid:
              type: string
            description:
              $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription'
            ecs_mapping:
              $ref: '#/components/schemas/Security_Osquery_API_ECSMapping'
            id:
              $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId'
            interval:
              description: An interval, in seconds, on which to run the query. May be returned as a number or a string.
              oneOf:
                - type: integer
                - type: string
            platform:
              $ref: '#/components/schemas/Security_Osquery_API_Platform'
            prebuilt:
              description: Whether the saved query is prebuilt.
              type: boolean
            query:
              $ref: '#/components/schemas/Security_Osquery_API_Query'
            removed:
              $ref: '#/components/schemas/Security_Osquery_API_Removed'
            saved_object_id:
              description: The saved object ID of the saved query.
              type: string
            snapshot:
              $ref: '#/components/schemas/Security_Osquery_API_Snapshot'
            timeout:
              description: The query timeout in seconds.
              type: integer
            updated_at:
              format: date-time
              type: string
            updated_by:
              nullable: true
              type: string
            updated_by_profile_uid:
              type: string
            version:
              description: The saved query version.
              oneOf:
                - type: integer
                - type: string
          required:
            - saved_object_id
            - id
      required:
        - data
    Security_Osquery_API_DefaultSuccessResponse:
      example: {}
      type: object
      properties: {}
    Security_Osquery_API_ECSMapping:
      additionalProperties:
        $ref: '#/components/schemas/Security_Osquery_API_ECSMappingItem'
      description: Map osquery result columns or static values to Elastic Common Schema (ECS) fields.
      example:
        host.uptime:
          field: total_seconds
      type: object
    Security_Osquery_API_ECSMappingArray:
      description: ECS mapping in saved-object storage format (array of key-value pairs). The find and copy pack endpoints return this format. The read endpoint returns object format (ECSMapping).
      items:
        $ref: '#/components/schemas/Security_Osquery_API_ECSMappingArrayItem'
      type: array
    Security_Osquery_API_ECSMappingArrayItem:
      description: ECS mapping item in saved-object storage format (key-value pair).
      type: object
      properties:
        key:
          description: The ECS field name.
          type: string
        value:
          $ref: '#/components/schemas/Security_Osquery_API_ECSMappingItem'
    Security_Osquery_API_ECSMappingArrayOrUndefined:
      $ref: '#/components/schemas/Security_Osquery_API_ECSMappingArray'
      nullable: true
    Security_Osquery_API_ECSMappingItem:
      type: object
      properties:
        field:
          description: The ECS field to map to.
          example: host.uptime
          type: string
        value:
          description: The value to map to the ECS field.
          example: total_seconds
          oneOf:
            - type: string
            - items:
                type: string
              type: array
    Security_Osquery_API_ECSMappingOrUndefined:
      $ref: '#/components/schemas/Security_Osquery_API_ECSMapping'
      nullable: true
    Security_Osquery_API_Enabled:
      description: Enables the pack.
      example: true
      type: boolean
    Security_Osquery_API_EnabledOrUndefined:
      $ref: '#/components/schemas/Security_Osquery_API_Enabled'
      nullable: true
    Security_Osquery_API_FindLiveQueryDetailsResponse:
      example:
        data:
          '@timestamp': '2022-07-26T09:59:32.220Z'
          action_id: 3c42c847-eb30-4452-80e0-728584042334
          agents:
            - 16d7caf5-efd2-4212-9b62-73dafc91fa13
          expiration: '2022-07-26T10:04:32.220Z'
          queries:
            - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0
              agents:
                - 16d7caf5-efd2-4212-9b62-73dafc91fa13
              docs: 0
              ecs_mapping:
                host.uptime:
                  field: total_seconds
              failed: 1
              id: 6724a474-cbba-41ef-a1aa-66aebf0879e2
              pending: 0
              query: select * from uptime;
              responded: 1
              saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
              status: completed
              successful: 0
          status: completed
          user_id: elastic
      type: object
      properties:
        data:
          type: object
          properties:
            '@timestamp':
              format: date-time
              type: string
            action_id:
              type: string
            agents:
              items:
                type: string
              type: array
            expiration:
              format: date-time
              type: string
            pack_id:
              type: string
            pack_name:
              type: string
            prebuilt_pack:
              type: boolean
            queries:
              description: The queries with their execution status.
              items:
                type: object
                properties:
                  action_id:
                    type: string
                  agents:
                    items:
                      type: string
                    type: array
                  docs:
                    description: Number of result documents.
                    type: integer
                  ecs_mapping:
                    $ref: '#/components/schemas/Security_Osquery_API_ECSMapping'
                  failed:
                    description: Number of failed queries.
                    type: integer
                  id:
                    type: string
                  pending:
                    description: Number of pending agents.
                    type: integer
                  query:
                    type: string
                  responded:
                    description: Total responded agents.
                    type: integer
                  saved_query_id:
                    type: string
                  status:
                    description: Status of this individual query.
                    enum:
                      - completed
                      - running
                    type: string
                  successful:
                    description: Number of successful agents.
                    type: integer
              type: array
            status:
              description: Global status of the live query (completed, running).
              enum:
                - completed
                - running
              type: string
            tags:
              items:
                type: string
              type: array
            user_id:
              type: string
            user_profile_uid:
              type: string
    Security_Osquery_API_FindLiveQueryResponse:
      example:
        data:
          items:
            - _source:
                '@timestamp': '2023-10-31T00:00:00Z'
                action_id: 3c42c847-eb30-4452-80e0-728584042334
                agents:
                  - 16d7caf5-efd2-4212-9b62-73dafc91fa13
                expiration: '2023-10-31T00:00:00Z'
                queries:
                  - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0
                    agents:
                      - 16d7caf5-efd2-4212-9b62-73dafc91fa13
                    ecs_mapping:
                      host.uptime:
                        field: total_seconds
                    id: 6724a474-cbba-41ef-a1aa-66aebf0879e2
                    query: select * from uptime;
                    saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
                result_counts:
                  error_agents: 0
                  responded_agents: 1
                  successful_agents: 1
                  total_rows: 42
                user_id: elastic
          total: 1
      type: object
      properties:
        data:
          type: object
          properties:
            items:
              description: An array of live query action items.
              items:
                type: object
                properties:
                  _source:
                    type: object
                    properties:
                      '@timestamp':
                        format: date-time
                        type: string
                      action_id:
                        type: string
                      agents:
                        items:
                          type: string
                        type: array
                      expiration:
                        format: date-time
                        type: string
                      pack_id:
                        type: string
                      queries:
                        items:
                          type: object
                          properties:
                            action_id:
                              type: string
                            agents:
                              items:
                                type: string
                              type: array
                            ecs_mapping:
                              $ref: '#/components/schemas/Security_Osquery_API_ECSMapping'
                            id:
                              type: string
                            query:
                              type: string
                            saved_query_id:
                              type: string
                        type: array
                      result_counts:
                        description: Result count statistics (present when withResultCounts is true).
                        type: object
                        properties:
                          error_agents:
                            type: integer
                          responded_agents:
                            type: integer
                          successful_agents:
                            type: integer
                          total_rows:
                            type: integer
                      user_id:
                        type: string
              type: array
            total:
              description: The total number of live queries.
              type: integer
    Security_Osquery_API_FindPackResponse:
      description: The details of a single query pack.
      example:
        data:
          created_at: '2022-07-25T19:41:10.263Z'
          created_by: elastic
          description: ''
          enabled: true
          name: test_pack
          namespaces:
            - default
          policy_ids: []
          queries:
            uptime:
              ecs_mapping:
                message:
                  field: days
              interval: 3600
              query: select * from uptime
          read_only: false
          saved_object_id: 3c42c847-eb30-4452-80e0-728584042334
          shards: {}
          type: osquery-pack
          updated_at: '2022-07-25T20:12:01.455Z'
          updated_by: elastic
          version: 1
      type: object
      properties:
        data:
          description: The pack details.
          type: object
          properties:
            created_at:
              format: date-time
              type: string
            created_by:
              nullable: true
              type: string
            created_by_profile_uid:
              type: string
            description:
              $ref: '#/components/schemas/Security_Osquery_API_PackDescription'
            enabled:
              $ref: '#/components/schemas/Security_Osquery_API_Enabled'
            name:
              $ref: '#/components/schemas/Security_Osquery_API_PackName'
            namespaces:
              description: The namespaces the pack belongs to.
              items:
                type: string
              type: array
            policy_ids:
              $ref: '#/components/schemas/Security_Osquery_API_PolicyIds'
            queries:
              $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries'
            read_only:
              description: Whether the pack is read-only (true for prebuilt packs).
              type: boolean
            saved_object_id:
              description: The saved object ID of the pack.
              type: string
            shards:
              $ref: '#/components/schemas/Security_Osquery_API_Shards'
            type:
              description: The saved object type.
              type: string
            updated_at:
              format: date-time
              type: string
            updated_by:
              nullable: true
              type: string
            updated_by_profile_uid:
              type: string
            version:
              description: The pack version number.
              type: integer
          required:
            - saved_object_id
            - name
      required:
        - data
    Security_Osquery_API_FindPacksResponse:
      description: A paginated list of query packs.
      example:
        data:
          - created_at: '2023-10-31T00:00:00Z'
            created_by: elastic
            created_by_profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0
            description: My pack description
            enabled: true
            name: My Pack
            policy_ids: []
            queries:
              - ecs_mapping:
                  - key: host.uptime
                    value:
                      field: total_seconds
                id: uptime
                interval: 3600
                query: select * from uptime;
            read_only: false
            saved_object_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
            updated_at: '2023-10-31T00:00:00Z'
            updated_by: elastic
            updated_by_profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0
        page: 1
        per_page: 10
        total: 1
      type: object
      properties:
        data:
          description: An array of pack objects.
          items:
            type: object
            properties:
              created_at:
                format: date-time
                type: string
              created_by:
                nullable: true
                type: string
              created_by_profile_uid:
                type: string
              description:
                $ref: '#/components/schemas/Security_Osquery_API_PackDescription'
              enabled:
                $ref: '#/components/schemas/Security_Osquery_API_Enabled'
              name:
                $ref: '#/components/schemas/Security_Osquery_API_PackName'
              policy_ids:
                $ref: '#/components/schemas/Security_Osquery_API_PolicyIds'
              queries:
                description: 'Pack queries in saved-object storage format (array). Note: the read endpoint returns object format.'
                items:
                  type: object
                  properties:
                    ecs_mapping:
                      $ref: '#/components/schemas/Security_Osquery_API_ECSMappingArray'
                    id:
                      type: string
                    interval:
                      type: integer
                    platform:
                      type: string
                    query:
                      type: string
                    removed:
                      type: boolean
                    snapshot:
                      type: boolean
                    timeout:
                      type: integer
                    version:
                      type: string
                type: array
              read_only:
                description: Whether the pack is read-only (true for prebuilt packs).
                type: boolean
              saved_object_id:
                description: The saved object ID of the pack.
                type: string
              updated_at:
                format: date-time
                type: string
              updated_by:
                nullable: true
                type: string
              updated_by_profile_uid:
                type: string
              version:
                description: The pack version number.
                type: integer
            required:
              - saved_object_id
              - name
          type: array
        page:
          description: The current page number.
          type: integer
        per_page:
          description: The number of results per page.
          type: integer
        total:
          description: The total number of packs.
          type: integer
      required:
        - page
        - per_page
        - total
        - data
    Security_Osquery_API_FindSavedQueryDetailResponse:
      description: The details of a single saved query.
      example:
        data:
          created_at: '2022-07-26T09:28:08.597Z'
          created_by: elastic
          description: Saved query description
          ecs_mapping:
            host.uptime:
              field: total_seconds
          id: saved_query_id
          interval: '60'
          platform: linux,darwin
          prebuilt: false
          query: select * from uptime;
          saved_object_id: 3c42c847-eb30-4452-80e0-728584042334
          updated_at: '2022-07-26T09:28:08.597Z'
          updated_by: elastic
          version: 2.8.0
      type: object
      properties:
        data:
          type: object
          properties:
            created_at:
              format: date-time
              type: string
            created_by:
              nullable: true
              type: string
            created_by_profile_uid:
              type: string
            description:
              $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription'
            ecs_mapping:
              $ref: '#/components/schemas/Security_Osquery_API_ECSMapping'
            id:
              $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId'
            interval:
              oneOf:
                - type: integer
                - type: string
            platform:
              $ref: '#/components/schemas/Security_Osquery_API_Platform'
            prebuilt:
              type: boolean
            query:
              $ref: '#/components/schemas/Security_Osquery_API_Query'
            removed:
              $ref: '#/components/schemas/Security_Osquery_API_Removed'
            saved_object_id:
              type: string
            snapshot:
              $ref: '#/components/schemas/Security_Osquery_API_Snapshot'
            timeout:
              type: integer
            updated_at:
              format: date-time
              type: string
            updated_by:
              nullable: true
              type: string
            updated_by_profile_uid:
              type: string
            version:
              oneOf:
                - type: integer
                - type: string
          required:
            - saved_object_id
            - id
      required:
        - data
    Security_Osquery_API_FindSavedQueryResponse:
      description: A paginated list of saved queries.
      example:
        data:
          - created_at: '2022-07-26T09:28:08.597Z'
            created_by: elastic
            created_by_profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0
            description: Saved query description
            ecs_mapping:
              host.uptime:
                field: total_seconds
            id: saved_query_id
            interval: '60'
            platform: linux,darwin
            prebuilt: false
            query: select * from uptime;
            saved_object_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
            updated_at: '2022-07-26T09:28:08.597Z'
            updated_by: elastic
            updated_by_profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0
            version: 2.8.0
        page: 1
        per_page: 100
        total: 11
      type: object
      properties:
        data:
          description: An array of saved query objects.
          items:
            type: object
            properties:
              created_at:
                format: date-time
                type: string
              created_by:
                nullable: true
                type: string
              created_by_profile_uid:
                type: string
              description:
                $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription'
              ecs_mapping:
                $ref: '#/components/schemas/Security_Osquery_API_ECSMapping'
              id:
                $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId'
              interval:
                oneOf:
                  - type: integer
                  - type: string
              platform:
                $ref: '#/components/schemas/Security_Osquery_API_Platform'
              prebuilt:
                type: boolean
              query:
                $ref: '#/components/schemas/Security_Osquery_API_Query'
              removed:
                $ref: '#/components/schemas/Security_Osquery_API_Removed'
              saved_object_id:
                type: string
              snapshot:
                $ref: '#/components/schemas/Security_Osquery_API_Snapshot'
              timeout:
                type: integer
              updated_at:
                format: date-time
                type: string
              updated_by:
                nullable: true
                type: string
              updated_by_profile_uid:
                type: string
              version:
                oneOf:
                  - type: integer
                  - type: string
            required:
              - saved_object_id
              - id
          type: array
        page:
          description: The current page number.
          type: integer
        per_page:
          description: The number of results per page.
          type: integer
        total:
          description: The total number of saved queries.
          type: integer
      required:
        - page
        - per_page
        - total
        - data
    Security_Osquery_API_GetLiveQueryResultsResponse:
      description: The response for getting live query results.
      example:
        data:
          edges:
            - _id: doc1
              _source: {}
            - _id: doc2
              _source: {}
          total: 2
      type: object
      properties:
        data:
          type: object
          properties:
            edges:
              description: The result rows from the query execution.
              items:
                type: object
                properties:
                  _id:
                    type: string
                  _source:
                    description: The Elasticsearch document source containing query results.
                    type: object
              type: array
            total:
              description: The total number of result rows.
              type: integer
    Security_Osquery_API_GetScheduledActionResultsResponse:
      example:
        aggregations:
          failed: 1
          pending: 0
          successful: 9
          totalResponded: 10
          totalRowCount: 42
        currentPage: 0
        edges:
          - _id: result-001
            fields:
              agent_id: 16d7caf5-efd2-4212-9b62-73dafc91fa13
              rows_count: 5
              status: success
        metadata:
          executionCount: 3
          packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
          packName: My Pack
          queryName: uptime
          queryText: select * from uptime;
          scheduleId: pack_my_pack_uptime
          timestamp: '2024-07-26T09:00:00.000Z'
        pageSize: 20
        total: 10
        totalPages: 1
      type: object
      properties:
        aggregations:
          $ref: '#/components/schemas/Security_Osquery_API_ScheduledActionResultsAggregations'
        currentPage:
          description: The current page number (zero-based).
          type: integer
        edges:
          description: The paginated list of per-agent action results.
          items:
            type: object
          type: array
        inspect:
          description: Debug/inspection data for the search query.
          type: object
        metadata:
          $ref: '#/components/schemas/Security_Osquery_API_ScheduledExecutionMetadata'
        pageSize:
          description: The number of results per page.
          type: integer
        total:
          description: The total number of action results.
          type: integer
        totalPages:
          description: The total number of pages.
          type: integer
    Security_Osquery_API_GetScheduledQueryResultsResponse:
      description: The response for getting scheduled query results.
      example:
        data:
          edges:
            - _id: row-001
              fields:
                host.uptime:
                  - '12345'
            - _id: row-002
              fields:
                host.uptime:
                  - '67890'
          total: 2
      type: object
      properties:
        data:
          description: The query results data wrapper.
          type: object
          properties:
            edges:
              description: The paginated list of query result rows.
              items:
                type: object
              type: array
            inspect:
              description: Debug/inspection data for the search query.
              type: object
            total:
              description: The total number of result rows.
              type: integer
    Security_Osquery_API_GetUnifiedHistoryResponse:
      example:
        data:
          - actionId: 609c4c66-ba3d-43fa-afdd-53e244577aa0
            agentCount: 5
            errorCount: 0
            id: 3c42c847-eb30-4452-80e0-728584042334
            queryName: uptime_query
            queryText: select * from uptime;
            source: Live
            sourceType: live
            successCount: 5
            timestamp: '2024-07-26T09:59:32.220Z'
            totalRows: 42
            userId: elastic
          - agentCount: 10
            errorCount: 1
            executionCount: 3
            id: pack_my_pack_uptime_3
            packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
            packName: My Pack
            plannedTime: '2024-07-26T09:00:00.000Z'
            queryName: uptime
            queryText: select * from uptime;
            scheduleId: pack_my_pack_uptime
            source: Scheduled
            sourceType: scheduled
            successCount: 9
            timestamp: '2024-07-26T09:00:00.000Z'
            totalRows: 100
        hasMore: true
        nextPage: eyJhY3Rpb25TZWFyY2hBZnRlciI6WzE3...
      type: object
      properties:
        data:
          description: The list of unified history rows for the current page.
          items:
            $ref: '#/components/schemas/Security_Osquery_API_UnifiedHistoryRow'
          type: array
        hasMore:
          description: Whether there are more results beyond the current page.
          type: boolean
        nextPage:
          description: A base64-encoded cursor to fetch the next page. Absent when there are no more results.
          type: string
      required:
        - data
        - hasMore
    Security_Osquery_API_Interval:
      description: An interval, in seconds, on which to run the query.
      example: '60'
      type: string
    Security_Osquery_API_IntervalOrUndefined:
      $ref: '#/components/schemas/Security_Osquery_API_Interval'
      nullable: true
    Security_Osquery_API_KueryOrUndefined:
      description: The kuery to filter the results by.
      example: 'agent.id: 16d7caf5-efd2-4212-9b62-73dafc91fa13'
      nullable: true
      type: string
    Security_Osquery_API_LiveHistoryRow:
      allOf:
        - $ref: '#/components/schemas/Security_Osquery_API_UnifiedHistoryRowBase'
        - type: object
          properties:
            actionId:
              description: The Fleet action ID for the live query.
              type: string
            agentAll:
              description: Whether the query targeted all agents.
              type: boolean
            agentIds:
              description: List of targeted agent IDs.
              items:
                type: string
              type: array
            agentPlatforms:
              description: List of targeted agent platforms.
              items:
                type: string
              type: array
            agentPolicyIds:
              description: List of targeted agent policy IDs.
              items:
                type: string
              type: array
            ecsMapping:
              additionalProperties: true
              description: ECS mapping configuration used for the query.
              type: object
            queriesTotal:
              description: The total number of sub-queries in the live action.
              type: integer
            queriesWithResults:
              description: The number of sub-queries that returned results.
              type: integer
            savedQueryId:
              description: The saved query ID, if the live query was based on a saved query.
              type: string
            source:
              description: Whether this was a manually run live query or triggered by a rule.
              enum:
                - Live
                - Rule
              type: string
            sourceType:
              description: Identifies this as a live query history row.
              enum:
                - live
              type: string
            timeout:
              description: The query timeout in seconds.
              type: integer
            userId:
              description: The ID of the user who ran the query.
              type: string
            userProfileUid:
              description: The user profile UID of the user who ran the query.
              type: string
          required:
            - sourceType
            - source
    Security_Osquery_API_ObjectQueries:
      additionalProperties:
        $ref: '#/components/schemas/Security_Osquery_API_ObjectQueriesItem'
      description: An object of queries.
      type: object
    Security_Osquery_API_ObjectQueriesItem:
      type: object
      properties:
        ecs_mapping:
          $ref: '#/components/schemas/Security_Osquery_API_ECSMapping'
        id:
          $ref: '#/components/schemas/Security_Osquery_API_QueryId'
        platform:
          $ref: '#/components/schemas/Security_Osquery_API_Platform'
        query:
          $ref: '#/components/schemas/Security_Osquery_API_Query'
        removed:
          $ref: '#/components/schemas/Security_Osquery_API_Removed'
        saved_query_id:
          $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId'
        snapshot:
          $ref: '#/components/schemas/Security_Osquery_API_Snapshot'
        version:
          $ref: '#/components/schemas/Security_Osquery_API_Version'
    Security_Osquery_API_PackDescription:
      description: The pack description.
      example: Pack description
      type: string
    Security_Osquery_API_PackDescriptionOrUndefined:
      $ref: '#/components/schemas/Security_Osquery_API_PackDescription'
      nullable: true
    Security_Osquery_API_PackId:
      description: The ID of the pack.
      example: 3c42c847-eb30-4452-80e0-728584042334
      type: string
    Security_Osquery_API_PackIdOrUndefined:
      $ref: '#/components/schemas/Security_Osquery_API_PackId'
      nullable: true
    Security_Osquery_API_PackName:
      description: The pack name.
      example: my_pack
      type: string
    Security_Osquery_API_PageOrUndefined:
      description: The page number to return. The default is 1.
      example: 1
      nullable: true
      type: integer
    Security_Osquery_API_PageSizeOrUndefined:
      description: The number of results to return per page. The default is 20.
      example: 20
      nullable: true
      type: integer
    Security_Osquery_API_Platform:
      description: Restricts the query to a specified platform. The default is all platforms. To specify multiple platforms, use commas. For example, `linux,darwin`.
      example: linux,darwin
      type: string
    Security_Osquery_API_PlatformOrUndefined:
      $ref: '#/components/schemas/Security_Osquery_API_Platform'
      nullable: true
    Security_Osquery_API_PolicyIds:
      description: A list of agent policy IDs.
      example:
        - policyId1
        - policyId2
      items:
        type: string
      type: array
    Security_Osquery_API_PolicyIdsOrUndefined:
      $ref: '#/components/schemas/Security_Osquery_API_PolicyIds'
      nullable: true
    Security_Osquery_API_Query:
      description: The SQL query you want to run.
      example: select * from uptime;
      type: string
    Security_Osquery_API_QueryId:
      description: The ID of the query.
      example: 3c42c847-eb30-4452-80e0-728584042334
      type: string
    Security_Osquery_API_QueryOrUndefined:
      $ref: '#/components/schemas/Security_Osquery_API_Query'
      nullable: true
    Security_Osquery_API_Removed:
      description: Indicates whether the query is removed.
      example: false
      type: boolean
    Security_Osquery_API_RemovedOrUndefined:
      $ref: '#/components/schemas/Security_Osquery_API_Removed'
      nullable: true
    Security_Osquery_API_SavedQueryDescription:
      description: The saved query description.
      example: Saved query description
      type: string
    Security_Osquery_API_SavedQueryDescriptionOrUndefined:
      $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription'
      nullable: true
    Security_Osquery_API_SavedQueryId:
      description: The ID of a saved query.
      example: 3c42c847-eb30-4452-80e0-728584042334
      type: string
    Security_Osquery_API_SavedQueryIdOrUndefined:
      $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId'
      nullable: true
    Security_Osquery_API_ScheduledActionResultsAggregations:
      type: object
      properties:
        failed:
          description: The number of agents that returned errors.
          type: integer
        pending:
          description: The number of agents with pending responses.
          type: integer
        successful:
          description: The number of agents that completed successfully.
          type: integer
        totalResponded:
          description: The total number of agents that responded.
          type: integer
        totalRowCount:
          description: The total number of result rows across all agents.
          type: integer
    Security_Osquery_API_ScheduledExecutionMetadata:
      description: Execution metadata resolved from the pack saved object.
      type: object
      properties:
        executionCount:
          description: The execution count for this scheduled query run.
          type: integer
        packId:
          description: The ID of the pack containing the query.
          type: string
        packName:
          description: The name of the pack containing the query.
          type: string
        queryName:
          description: The name of the query within the pack.
          type: string
        queryText:
          description: The SQL query that was executed.
          type: string
        scheduleId:
          description: The schedule ID for the scheduled query.
          type: string
        timestamp:
          description: The timestamp of the most recent response for this execution.
          type: string
    Security_Osquery_API_ScheduledHistoryRow:
      allOf:
        - $ref: '#/components/schemas/Security_Osquery_API_UnifiedHistoryRowBase'
        - type: object
          properties:
            executionCount:
              description: The execution count for this scheduled query run.
              type: integer
            plannedTime:
              description: The planned execution time for the scheduled query.
              type: string
            scheduleId:
              description: The schedule ID for the scheduled query.
              type: string
            source:
              description: Indicates this is a scheduled query execution.
              enum:
                - Scheduled
              type: string
            sourceType:
              description: Identifies this as a scheduled query history row.
              enum:
                - scheduled
              type: string
          required:
            - sourceType
            - source
    Security_Osquery_API_Shards:
      additionalProperties:
        type: number
      description: An object with shard configuration for policies included in the pack. For each policy, set the shard configuration to a percentage (1–100) of target hosts.
      example:
        policy_id: 50
      type: object
    Security_Osquery_API_Snapshot:
      description: Indicates whether the query is a snapshot.
      example: true
      type: boolean
    Security_Osquery_API_SnapshotOrUndefined:
      $ref: '#/components/schemas/Security_Osquery_API_Snapshot'
      nullable: true
    Security_Osquery_API_SortOrderOrUndefined:
      description: Specifies the sort order.
      enum:
        - asc
        - desc
      example: desc
      type: string
    Security_Osquery_API_SortOrUndefined:
      default: createdAt
      description: The field that is used to sort the results.
      example: createdAt
      nullable: true
      type: string
    Security_Osquery_API_UnifiedHistoryRow:
      discriminator:
        mapping:
          live: '#/components/schemas/Security_Osquery_API_LiveHistoryRow'
          scheduled: '#/components/schemas/Security_Osquery_API_ScheduledHistoryRow'
        propertyName: sourceType
      oneOf:
        - $ref: '#/components/schemas/Security_Osquery_API_LiveHistoryRow'
        - $ref: '#/components/schemas/Security_Osquery_API_ScheduledHistoryRow'
    Security_Osquery_API_UnifiedHistoryRowBase:
      type: object
      properties:
        agentCount:
          description: The number of agents targeted by the query.
          type: integer
        errorCount:
          description: The number of agent responses with errors.
          nullable: true
          type: integer
        id:
          description: Unique identifier for the history row.
          type: string
        packId:
          description: The ID of the pack containing the query.
          type: string
        packName:
          description: The name of the pack containing the query.
          type: string
        queryName:
          description: The name of the query, if available.
          type: string
        queryText:
          description: The SQL query that was executed.
          type: string
        spaceId:
          description: The Kibana space ID where the query was executed.
          type: string
        successCount:
          description: The number of successful agent responses.
          nullable: true
          type: integer
        timestamp:
          description: The timestamp of the query execution.
          type: string
        totalRows:
          description: The total number of result rows returned across all agents.
          nullable: true
          type: integer
      required:
        - id
        - timestamp
        - queryText
        - agentCount
    Security_Osquery_API_UpdatePacksRequestBody:
      example:
        name: updated_my_pack_name
      type: object
      properties:
        description:
          $ref: '#/components/schemas/Security_Osquery_API_PackDescription'
        enabled:
          $ref: '#/components/schemas/Security_Osquery_API_Enabled'
        name:
          $ref: '#/components/schemas/Security_Osquery_API_PackName'
        policy_ids:
          $ref: '#/components/schemas/Security_Osquery_API_PolicyIds'
        queries:
          $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries'
        shards:
          $ref: '#/components/schemas/Security_Osquery_API_Shards'
    Security_Osquery_API_UpdatePacksResponse:
      description: The response for updating a pack.
      example:
        data:
          created_at: '2025-02-26T13:37:30.452Z'
          created_by: elastic
          description: My pack
          enabled: true
          name: updated_my_pack_name
          policy_ids:
            - my_policy_id
          queries:
            ports:
              ecs_mapping:
                client.port:
                  field: port
              interval: 60
              query: SELECT * FROM listening_ports;
              removed: false
              snapshot: true
              timeout: 120
          saved_object_id: 1c266590-381f-428c-878f-c80c1334f856
          shards:
            47638692-7c4c-4053-aa3e-7186f28df349: 35
            5e267651-fe50-443e-8d3f-3bbc9171b618: 58
          updated_at: '2025-02-26T13:40:16.297Z'
          updated_by: elastic
          version: 1
      type: object
      properties:
        data:
          type: object
          properties:
            created_at:
              format: date-time
              type: string
            created_by:
              nullable: true
              type: string
            created_by_profile_uid:
              type: string
            description:
              $ref: '#/components/schemas/Security_Osquery_API_PackDescription'
            enabled:
              $ref: '#/components/schemas/Security_Osquery_API_Enabled'
            name:
              $ref: '#/components/schemas/Security_Osquery_API_PackName'
            policy_ids:
              $ref: '#/components/schemas/Security_Osquery_API_PolicyIds'
            queries:
              $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries'
            saved_object_id:
              description: The saved object ID of the pack.
              type: string
            shards:
              $ref: '#/components/schemas/Security_Osquery_API_Shards'
            updated_at:
              format: date-time
              type: string
            updated_by:
              nullable: true
              type: string
            updated_by_profile_uid:
              type: string
            version:
              description: The pack version number.
              type: integer
    Security_Osquery_API_UpdateSavedQueryRequestBody:
      example:
        id: updated_my_saved_query_name
      type: object
      properties:
        description:
          $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription'
        ecs_mapping:
          $ref: '#/components/schemas/Security_Osquery_API_ECSMapping'
        id:
          $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId'
        interval:
          $ref: '#/components/schemas/Security_Osquery_API_Interval'
        platform:
          $ref: '#/components/schemas/Security_Osquery_API_Platform'
        query:
          $ref: '#/components/schemas/Security_Osquery_API_Query'
        removed:
          $ref: '#/components/schemas/Security_Osquery_API_Removed'
        snapshot:
          $ref: '#/components/schemas/Security_Osquery_API_Snapshot'
        version:
          $ref: '#/components/schemas/Security_Osquery_API_Version'
    Security_Osquery_API_UpdateSavedQueryResponse:
      description: The response for updating a saved query.
      example:
        data:
          created_at: '2025-02-26T13:37:30.452Z'
          created_by: elastic
          description: Saved query description
          id: updated_my_saved_query_name
          interval: '60'
          query: select * from uptime;
          saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c
          updated_at: '2025-02-26T13:40:16.297Z'
          updated_by: elastic
          version: WzQzMTcsMV0=
      type: object
      properties:
        data:
          type: object
          properties:
            created_at:
              format: date-time
              type: string
            created_by:
              nullable: true
              type: string
            created_by_profile_uid:
              type: string
            description:
              $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription'
            ecs_mapping:
              $ref: '#/components/schemas/Security_Osquery_API_ECSMapping'
            id:
              $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId'
            interval:
              oneOf:
                - type: integer
                - type: string
            platform:
              $ref: '#/components/schemas/Security_Osquery_API_Platform'
            prebuilt:
              type: boolean
            query:
              $ref: '#/components/schemas/Security_Osquery_API_Query'
            removed:
              $ref: '#/components/schemas/Security_Osquery_API_Removed'
            saved_object_id:
              type: string
            snapshot:
              $ref: '#/components/schemas/Security_Osquery_API_Snapshot'
            timeout:
              type: integer
            updated_at:
              format: date-time
              type: string
            updated_by:
              nullable: true
              type: string
            updated_by_profile_uid:
              type: string
            version:
              description: The saved query version.
              type: string
          required:
            - saved_object_id
            - id
      required:
        - data
    Security_Osquery_API_Version:
      description: Uses the Osquery versions greater than or equal to the specified version string.
      example: 1.0.0
      type: string
    Security_Osquery_API_VersionOrUndefined:
      $ref: '#/components/schemas/Security_Osquery_API_Version'
      nullable: true
    Security_Timeline_API_AssociatedFilterType:
      description: |
        How the note is associated with a Timeline saved object and/or an event (`eventId`). `all`: no association-based restriction from this parameter. `document_only`: document-linked notes (non-empty `eventId`) without timeline association in the API's internal sense; post-filtering drops notes without a usable `eventId`. `saved_object_only`: timeline notes with no linked event (`eventId` empty or absent); post-filtering keeps timeline-only notes. `document_and_saved_object`: notes on a timeline and linked to an event; post-filtering enforces a real `eventId`. `orphan`: not on a timeline and `eventId` is empty (stricter than missing `eventId` in some cases).
      enum:
        - all
        - document_only
        - saved_object_only
        - document_and_saved_object
        - orphan
      type: string
    Security_Timeline_API_BareNote:
      allOf:
        - $ref: '#/components/schemas/Security_Timeline_API_NoteCreatedAndUpdatedMetadata'
        - type: object
          properties:
            eventId:
              description: |
                Elasticsearch document `_id` for the event or alert this note refers to. Same value as the `documentIds` query parameter when fetching notes via GET /api/note.
              example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc
              nullable: true
              type: string
            note:
              description: The text of the note
              example: This is an example text
              nullable: true
              type: string
            timelineId:
              description: The `savedObjectId` of the Timeline this note belongs to (not the note's own ID).
              example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
              type: string
          required:
            - timelineId
    Security_Timeline_API_BarePinnedEvent:
      allOf:
        - $ref: '#/components/schemas/Security_Timeline_API_PinnedEventCreatedAndUpdatedMetadata'
        - type: object
          properties:
            eventId:
              description: The `_id` of the associated event for this pinned event.
              example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc
              type: string
            timelineId:
              description: The `savedObjectId` of the timeline that this pinned event is associated with
              example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
              type: string
          required:
            - eventId
            - timelineId
    Security_Timeline_API_ColumnHeaderResult:
      type: object
      properties:
        aggregatable:
          nullable: true
          type: boolean
        category:
          nullable: true
          type: string
        columnHeaderType:
          nullable: true
          type: string
        description:
          nullable: true
          type: string
        example:
          nullable: true
          type: string
        id:
          nullable: true
          type: string
        indexes:
          items:
            type: string
          nullable: true
          type: array
        name:
          nullable: true
          type: string
        placeholder:
          nullable: true
          type: string
        searchable:
          nullable: true
          type: boolean
        type:
          nullable: true
          type: string
    Security_Timeline_API_DataProviderQueryMatch:
      type: object
      properties:
        enabled:
          nullable: true
          type: boolean
        excluded:
          nullable: true
          type: boolean
        id:
          nullable: true
          type: string
        kqlQuery:
          nullable: true
          type: string
        name:
          nullable: true
          type: string
        queryMatch:
          $ref: '#/components/schemas/Security_Timeline_API_QueryMatchResult'
          nullable: true
        type:
          $ref: '#/components/schemas/Security_Timeline_API_DataProviderType'
          nullable: true
    Security_Timeline_API_DataProviderResult:
      type: object
      properties:
        and:
          items:
            $ref: '#/components/schemas/Security_Timeline_API_DataProviderQueryMatch'
          nullable: true
          type: array
        enabled:
          nullable: true
          type: boolean
        excluded:
          nullable: true
          type: boolean
        id:
          nullable: true
          type: string
        kqlQuery:
          nullable: true
          type: string
        name:
          nullable: true
          type: string
        queryMatch:
          $ref: '#/components/schemas/Security_Timeline_API_QueryMatchResult'
          nullable: true
        type:
          $ref: '#/components/schemas/Security_Timeline_API_DataProviderType'
          nullable: true
    Security_Timeline_API_DataProviderType:
      description: The type of data provider.
      enum:
        - default
        - template
      type: string
    Security_Timeline_API_DocumentIds:
      description: One document ID or an array of IDs (Elasticsearch `_id` of the event).
      oneOf:
        - items:
            type: string
          type: array
        - type: string
    Security_Timeline_API_FavoriteTimelineResponse:
      type: object
      properties:
        favorite:
          items:
            $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResult'
          type: array
        savedObjectId:
          type: string
        templateTimelineId:
          nullable: true
          type: string
        templateTimelineVersion:
          nullable: true
          type: number
        timelineType:
          $ref: '#/components/schemas/Security_Timeline_API_TimelineType'
        version:
          type: string
      required:
        - savedObjectId
        - version
    Security_Timeline_API_FavoriteTimelineResult:
      description: Indicates when a Timeline was marked as a favorite and by whom.
      example:
        favoriteDate: 1741337636741
        userName: elastic
      type: object
      properties:
        favoriteDate:
          nullable: true
          type: number
        fullName:
          nullable: true
          type: string
        userName:
          nullable: true
          type: string
    Security_Timeline_API_FilterTimelineResult:
      example:
        meta:
          alias: Custom filter name
          disabled: false
          index: .alerts-security.alerts-default,logs-*
          key: '@timestamp'
          negate: false
          type: exists
          value: exists
        query: '{"exists":{"field":"@timestamp"}}'
      type: object
      properties:
        exists:
          nullable: true
          type: string
        match_all:
          nullable: true
          type: string
        meta:
          nullable: true
          type: object
          properties:
            alias:
              nullable: true
              type: string
            controlledBy:
              nullable: true
              type: string
            disabled:
              nullable: true
              type: boolean
            field:
              nullable: true
              type: string
            formattedValue:
              nullable: true
              type: string
            index:
              nullable: true
              type: string
            key:
              nullable: true
              type: string
            negate:
              nullable: true
              type: boolean
            params:
              nullable: true
              type: string
            type:
              nullable: true
              type: string
            value:
              nullable: true
              type: string
        missing:
          nullable: true
          type: string
        query:
          nullable: true
          type: string
        range:
          nullable: true
          type: string
        script:
          nullable: true
          type: string
    Security_Timeline_API_GetNotesResult:
      type: object
      properties:
        notes:
          items:
            $ref: '#/components/schemas/Security_Timeline_API_Note'
          type: array
        totalCount:
          description: Number of notes returned (may be adjusted after the query when `associatedFilter` applies post-filtering).
          type: number
      required:
        - totalCount
        - notes
    Security_Timeline_API_ImportTimelineResult:
      type: object
      properties:
        errors:
          description: The list of failed Timeline imports
          items:
            type: object
            properties:
              error:
                description: The error containing the reason why the timeline could not be imported
                type: object
                properties:
                  message:
                    description: The reason why the timeline could not be imported
                    example: Malformed JSON
                    type: string
                  status_code:
                    description: The HTTP status code of the error
                    example: 400
                    type: number
              id:
                description: The ID of the timeline that failed to import
                example: 6ce1b592-84e3-4b4a-9552-f189d4b82075
                type: string
          type: array
        success:
          description: Indicates whether any of the Timelines were successfully imported
          type: boolean
        success_count:
          description: The amount of successfully imported/updated Timelines
          example: 99
          type: number
        timelines_installed:
          description: The amount of successfully installed Timelines
          example: 80
          type: number
        timelines_updated:
          description: The amount of successfully updated Timelines
          example: 19
          type: number
    Security_Timeline_API_ImportTimelines:
      allOf:
        - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline'
        - type: object
          properties:
            eventNotes:
              items:
                $ref: '#/components/schemas/Security_Timeline_API_BareNote'
              nullable: true
              type: array
            globalNotes:
              items:
                $ref: '#/components/schemas/Security_Timeline_API_BareNote'
              nullable: true
              type: array
            pinnedEventIds:
              items:
                type: string
              nullable: true
              type: array
            savedObjectId:
              nullable: true
              type: string
            version:
              nullable: true
              type: string
          required:
            - savedObjectId
            - version
            - pinnedEventIds
            - eventNotes
            - globalNotes
    Security_Timeline_API_Note:
      allOf:
        - $ref: '#/components/schemas/Security_Timeline_API_BareNote'
        - type: object
          properties:
            noteId:
              description: The `savedObjectId` of the note
              example: 709f99c6-89b6-4953-9160-35945c8e174e
              type: string
            version:
              description: The version of the note
              example: WzQ2LDFd
              type: string
          required:
            - noteId
            - version
    Security_Timeline_API_NoteCreatedAndUpdatedMetadata:
      type: object
      properties:
        created:
          description: The time the note was created, using a 13-digit Epoch timestamp.
          example: 1587468588922
          nullable: true
          type: number
        createdBy:
          description: The user who created the note.
          example: casetester
          nullable: true
          type: string
        updated:
          description: The last time the note was updated, using a 13-digit Epoch timestamp
          example: 1741344876825
          nullable: true
          type: number
        updatedBy:
          description: The user who last updated the note
          example: casetester
          nullable: true
          type: string
    Security_Timeline_API_PersistPinnedEventResponse:
      oneOf:
        - $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent'
        - type: object
          properties:
            unpinned:
              description: Indicates whether the event was successfully unpinned
              type: boolean
          required:
            - unpinned
    Security_Timeline_API_PersistTimelineResponse:
      $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse'
    Security_Timeline_API_PinnedEvent:
      allOf:
        - $ref: '#/components/schemas/Security_Timeline_API_BarePinnedEvent'
        - type: object
          properties:
            pinnedEventId:
              description: The `savedObjectId` of this pinned event
              example: 10r1929b-0af7-42bd-85a8-56e234f98h2f3
              type: string
            version:
              description: The version of this pinned event
              example: WzQ2LDFe
              type: string
          required:
            - pinnedEventId
            - version
    Security_Timeline_API_PinnedEventCreatedAndUpdatedMetadata:
      type: object
      properties:
        created:
          description: The time the pinned event was created, using a 13-digit Epoch timestamp.
          example: 1587468588922
          nullable: true
          type: number
        createdBy:
          description: The user who created the pinned event.
          example: casetester
          nullable: true
          type: string
        updated:
          description: The last time the pinned event was updated, using a 13-digit Epoch timestamp
          example: 1741344876825
          nullable: true
          type: number
        updatedBy:
          description: The user who last updated the pinned event
          example: casetester
          nullable: true
          type: string
    Security_Timeline_API_QueryMatchResult:
      type: object
      properties:
        displayField:
          nullable: true
          type: string
        displayValue:
          nullable: true
          type: string
        field:
          nullable: true
          type: string
        operator:
          nullable: true
          type: string
        value:
          oneOf:
            - nullable: true
              type: string
            - items:
                type: string
              nullable: true
              type: array
    Security_Timeline_API_ResolvedTimeline:
      type: object
      properties:
        alias_purpose:
          $ref: '#/components/schemas/Security_Timeline_API_SavedObjectResolveAliasPurpose'
        alias_target_id:
          type: string
        outcome:
          $ref: '#/components/schemas/Security_Timeline_API_SavedObjectResolveOutcome'
        timeline:
          $ref: '#/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject'
      required:
        - timeline
        - outcome
    Security_Timeline_API_ResponseNote:
      type: object
      properties:
        note:
          $ref: '#/components/schemas/Security_Timeline_API_Note'
      required:
        - note
    Security_Timeline_API_RowRendererId:
      description: Identifies the available row renderers
      enum:
        - alert
        - alerts
        - auditd
        - auditd_file
        - library
        - netflow
        - plain
        - registry
        - suricata
        - system
        - system_dns
        - system_endgame_process
        - system_file
        - system_fim
        - system_security_event
        - system_socket
        - threat_match
        - zeek
      type: string
    Security_Timeline_API_SavedObjectIds:
      description: One Timeline saved object ID or an array of IDs.
      oneOf:
        - items:
            type: string
          type: array
        - type: string
    Security_Timeline_API_SavedObjectResolveAliasPurpose:
      enum:
        - savedObjectConversion
        - savedObjectImport
      type: string
    Security_Timeline_API_SavedObjectResolveOutcome:
      enum:
        - exactMatch
        - aliasMatch
        - conflict
      type: string
    Security_Timeline_API_SavedTimeline:
      type: object
      properties:
        columns:
          description: The Timeline's columns
          example:
            - columnHeaderType: not-filtered
              id: '@timestamp'
            - columnHeaderType: not-filtered
              id: event.category
          items:
            $ref: '#/components/schemas/Security_Timeline_API_ColumnHeaderResult'
          nullable: true
          type: array
        created:
          description: The time the Timeline was created, using a 13-digit Epoch timestamp.
          example: 1587468588922
          nullable: true
          type: number
        createdBy:
          description: The user who created the Timeline.
          example: casetester
          nullable: true
          type: string
        dataProviders:
          description: Object containing query clauses
          example:
            - enabled: true
              excluded: false
              id: id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b
              name: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b
              queryMatch:
                field: _id
                operator: ':'
                value: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b
          items:
            $ref: '#/components/schemas/Security_Timeline_API_DataProviderResult'
          nullable: true
          type: array
        dataViewId:
          description: ID of the Timeline's Data View
          example: security-solution-default
          nullable: true
          type: string
        dateRange:
          description: The Timeline's search period.
          example:
            end: 1587456479201
            start: 1587370079200
          nullable: true
          type: object
          properties:
            end:
              oneOf:
                - nullable: true
                  type: string
                - nullable: true
                  type: number
            start:
              oneOf:
                - nullable: true
                  type: string
                - nullable: true
                  type: number
        description:
          description: The Timeline's description
          example: Investigating exposure of CVE XYZ
          nullable: true
          type: string
        eqlOptions:
          description: EQL query that is used in the correlation tab
          example:
            eventCategoryField: event.category
            query: sequence\n[process where process.name == "sudo"]\n[any where true]
            size: 100
            timestampField: '@timestamp'
          nullable: true
          type: object
          properties:
            eventCategoryField:
              nullable: true
              type: string
            query:
              nullable: true
              type: string
            size:
              oneOf:
                - nullable: true
                  type: string
                - nullable: true
                  type: number
            tiebreakerField:
              nullable: true
              type: string
            timestampField:
              nullable: true
              type: string
        eventType:
          deprecated: true
          description: Event types displayed in the Timeline
          example: all
          nullable: true
          type: string
        excludedRowRendererIds:
          description: A list of row renderers that should not be used when in `Event renderers` mode
          items:
            $ref: '#/components/schemas/Security_Timeline_API_RowRendererId'
          nullable: true
          type: array
        favorite:
          items:
            $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResult'
          nullable: true
          type: array
        filters:
          description: A list of filters that should be applied to the query
          items:
            $ref: '#/components/schemas/Security_Timeline_API_FilterTimelineResult'
          nullable: true
          type: array
        indexNames:
          description: A list of index names to use in the query (e.g. when the default data view has been modified)
          example:
            - .logs*
          items:
            type: string
          nullable: true
          type: array
        kqlMode:
          description: |-
            Indicates whether the KQL bar filters the query results or searches for additional results, where:
              * `filter`: filters query results
              * `search`: displays additional search results
          example: search
          nullable: true
          type: string
        kqlQuery:
          $ref: '#/components/schemas/Security_Timeline_API_SerializedFilterQueryResult'
          nullable: true
        savedQueryId:
          description: The ID of the saved query that might be used in the Query tab
          example: c7b16904-02d7-4f32-b8f2-cc20f9625d6e
          nullable: true
          type: string
        savedSearchId:
          description: The ID of the saved search that is used in the ES|QL tab
          example: 6ce1b592-84e3-4b4a-9552-f189d4b82075
          nullable: true
          type: string
        sort:
          $ref: '#/components/schemas/Security_Timeline_API_Sort'
          nullable: true
        status:
          $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus'
          nullable: true
        templateTimelineId:
          description: A unique ID (UUID) for Timeline templates. For Timelines, the value is `null`.
          example: 6ce1b592-84e3-4b4a-9552-f189d4b82075
          nullable: true
          type: string
        templateTimelineVersion:
          description: Timeline template version number. For Timelines, the value is `null`.
          example: 12
          nullable: true
          type: number
        timelineType:
          $ref: '#/components/schemas/Security_Timeline_API_TimelineType'
          nullable: true
        title:
          description: The Timeline's title.
          example: CVE XYZ investigation
          nullable: true
          type: string
        updated:
          description: The last time the Timeline was updated, using a 13-digit Epoch timestamp
          example: 1741344876825
          nullable: true
          type: number
        updatedBy:
          description: The user who last updated the Timeline
          example: casetester
          nullable: true
          type: string
    Security_Timeline_API_SavedTimelineWithSavedObjectId:
      allOf:
        - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline'
        - type: object
          properties:
            savedObjectId:
              description: The `savedObjectId` of the Timeline or Timeline template
              example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
              type: string
            version:
              description: The version of the Timeline or Timeline template
              example: WzE0LDFd
              type: string
          required:
            - savedObjectId
            - version
    Security_Timeline_API_SerializedFilterQueryResult:
      description: KQL bar query.
      example:
        filterQuery: null
        kuery:
          expression: '_id : *'
          kind: kuery
        serializedQuery: '{"bool":{"should":[{"exists":{"field":"_id"}}],"minimum_should_match":1}}'
      type: object
      properties:
        filterQuery:
          nullable: true
          type: object
          properties:
            kuery:
              nullable: true
              type: object
              properties:
                expression:
                  nullable: true
                  type: string
                kind:
                  nullable: true
                  type: string
            serializedQuery:
              nullable: true
              type: string
    Security_Timeline_API_Sort:
      oneOf:
        - $ref: '#/components/schemas/Security_Timeline_API_SortObject'
        - items:
            $ref: '#/components/schemas/Security_Timeline_API_SortObject'
          type: array
    Security_Timeline_API_SortFieldTimeline:
      description: The field to sort the timelines by.
      enum:
        - title
        - description
        - updated
        - created
      type: string
    Security_Timeline_API_SortObject:
      description: Object indicating how rows are sorted in the Timeline's grid
      example:
        columnId: '@timestamp'
        sortDirection: desc
      type: object
      properties:
        columnId:
          nullable: true
          type: string
        columnType:
          nullable: true
          type: string
        sortDirection:
          nullable: true
          type: string
    Security_Timeline_API_TimelineResponse:
      allOf:
        - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline'
        - $ref: '#/components/schemas/Security_Timeline_API_SavedTimelineWithSavedObjectId'
        - type: object
          properties:
            eventIdToNoteIds:
              description: A list of all the notes that are associated to this Timeline.
              items:
                $ref: '#/components/schemas/Security_Timeline_API_Note'
              nullable: true
              type: array
            noteIds:
              description: A list of all the ids of notes that are associated to this Timeline.
              example:
                - 709f99c6-89b6-4953-9160-35945c8e174e
              items:
                type: string
              nullable: true
              type: array
            notes:
              description: A list of all the notes that are associated to this Timeline.
              items:
                $ref: '#/components/schemas/Security_Timeline_API_Note'
              nullable: true
              type: array
            pinnedEventIds:
              description: A list of all the ids of pinned events that are associated to this Timeline.
              example:
                - 983f99c6-89b6-4953-9160-35945c8a194f
              items:
                type: string
              nullable: true
              type: array
            pinnedEventsSaveObject:
              description: A list of all the pinned events that are associated to this Timeline.
              items:
                $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent'
              nullable: true
              type: array
    Security_Timeline_API_TimelineSavedToReturnObject:
      allOf:
        - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline'
        - type: object
          properties:
            eventIdToNoteIds:
              items:
                $ref: '#/components/schemas/Security_Timeline_API_Note'
              nullable: true
              type: array
            noteIds:
              items:
                type: string
              nullable: true
              type: array
            notes:
              items:
                $ref: '#/components/schemas/Security_Timeline_API_Note'
              nullable: true
              type: array
            pinnedEventIds:
              items:
                type: string
              nullable: true
              type: array
            pinnedEventsSaveObject:
              items:
                $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent'
              nullable: true
              type: array
            savedObjectId:
              type: string
            version:
              type: string
          required:
            - savedObjectId
            - version
    Security_Timeline_API_TimelineStatus:
      description: The status of the Timeline.
      enum:
        - active
        - draft
        - immutable
      type: string
    Security_Timeline_API_TimelineType:
      description: The type of Timeline.
      enum:
        - default
        - template
      type: string
    SLOs_400_response:
      title: Bad request
      type: object
      properties:
        error:
          example: Bad Request
          type: string
        message:
          example: 'Invalid value ''foo'' supplied to: [...]'
          type: string
        statusCode:
          example: 400
          type: number
      required:
        - statusCode
        - error
        - message
    SLOs_401_response:
      title: Unauthorized
      type: object
      properties:
        error:
          example: Unauthorized
          type: string
        message:
          example: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]"
          type: string
        statusCode:
          example: 401
          type: number
      required:
        - statusCode
        - error
        - message
    SLOs_403_response:
      title: Forbidden
      type: object
      properties:
        error:
          example: Forbidden
          type: string
        message:
          example: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: action [slo_write] is unauthorized for user [limited_user] for REST request [/api/observability/slos]]: action [slo_write] is unauthorized for user [limited_user]"
          type: string
        statusCode:
          example: 403
          type: number
      required:
        - statusCode
        - error
        - message
    SLOs_404_response:
      title: Not found
      type: object
      properties:
        error:
          example: Not Found
          type: string
        message:
          example: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found
          type: string
        statusCode:
          example: 404
          type: number
      required:
        - statusCode
        - error
        - message
    SLOs_409_response:
      title: Conflict
      type: object
      properties:
        error:
          example: Conflict
          type: string
        message:
          example: SLO [d077e940-1515-11ee-9c50-9d096392f520] already exists
          type: string
        statusCode:
          example: 409
          type: number
      required:
        - statusCode
        - error
        - message
    SLOs_artifacts:
      description: Links to related assets for the SLO
      properties:
        dashboards:
          description: Array of dashboard references
          items:
            type: object
            properties:
              id:
                description: Dashboard saved-object id
                type: string
            required:
              - id
          type: array
      title: Artifacts
      type: object
    SLOs_budgeting_method:
      description: The budgeting method to use when computing the rollup data.
      enum:
        - occurrences
        - timeslices
      example: occurrences
      title: Budgeting method
      type: string
    SLOs_bulk_delete_request:
      description: |
        The bulk delete SLO request takes a list of SLO Definition IDs to delete.
      properties:
        list:
          description: An array of SLO Definition IDs
          items:
            description: The SLO Definition id
            example: 8853df00-ae2e-11ed-90af-09bb6422b258
            type: string
          type: array
      required:
        - list
      title: Bulk delete SLO request
      type: object
    SLOs_bulk_delete_response:
      description: |
        The bulk delete SLO response returns a taskId that can be used to poll for its status
      properties:
        taskId:
          description: The taskId of the bulk delete operation
          example: d08506b7-f0e8-4f8b-a06a-a83940f4db91
          type: string
      title: Bulk delete SLO response
      type: object
    SLOs_bulk_delete_status_response:
      description: Indicates if the bulk deletion is completed, with the detailed results of the operation.
      properties:
        error:
          description: The error message if the bulk deletion operation failed
          example: Task not found
          type: string
        isDone:
          description: Indicates if the bulk deletion operation is completed
          example: true
          type: boolean
        results:
          description: The results of the bulk deletion operation, including the success status and any errors for each SLO
          items:
            type: object
            properties:
              error:
                description: The error message if the deletion operation failed for this SLO
                example: SLO [d08506b7-f0e8-4f8b-a06a-a83940f4db91] not found
                type: string
              id:
                description: The ID of the SLO that was deleted
                example: d08506b7-f0e8-4f8b-a06a-a83940f4db91
                type: string
              success:
                description: The result of the deletion operation for this SLO
                example: true
                type: boolean
          type: array
      title: The status of the bulk deletion
      type: object
    SLOs_bulk_purge_rollup_request:
      description: |
        The bulk purge rollup data request takes a list of SLO IDs and a purge policy, then deletes the rollup data according to the purge policy. This API can be used to remove the stale data of an instance SLO that no longer gets updated.
      properties:
        list:
          description: An array of SLO IDs
          items:
            description: The SLO Definition id
            example: 8853df00-ae2e-11ed-90af-09bb6422b258
            type: string
          type: array
        purgePolicy:
          description: Policy that dictates which SLI documents to purge based on age
          oneOf:
            - type: object
              properties:
                age:
                  description: The duration to determine which documents to purge, formatted as {duration}{unit}. This value should be greater than or equal to the time window of every SLO provided.
                  example: 7d
                  type: string
                purgeType:
                  description: Specifies whether documents will be purged based on a specific age or on a timestamp
                  enum:
                    - fixed-age
                  type: string
            - type: object
              properties:
                purgeType:
                  description: Specifies whether documents will be purged based on a specific age or on a timestamp
                  enum:
                    - fixed-time
                  type: string
                timestamp:
                  description: The timestamp to determine which documents to purge, formatted in ISO. This value should be older than the applicable time window of every SLO provided.
                  example: '2024-12-31T00:00:00.000Z'
                  type: string
          type: object
      required:
        - list
        - purgePolicy
      title: Bulk Purge Rollup data request
      type: object
    SLOs_bulk_purge_rollup_response:
      description: |
        The bulk purge rollup data response returns a task ID from the Elasticsearch deleteByQuery response.
      properties:
        taskId:
          description: The task id of the purge operation
          example: 8853df00-ae2e-11ed-90af-09bb6422b258
          type: string
      title: Bulk Purge Rollup data response
      type: object
    SLOs_create_slo_request:
      description: |
        The create SLO API request body varies depending on the type of indicator, time window and budgeting method.
      properties:
        artifacts:
          $ref: '#/components/schemas/SLOs_artifacts'
        budgetingMethod:
          $ref: '#/components/schemas/SLOs_budgeting_method'
        description:
          description: A description for the SLO.
          type: string
        groupBy:
          $ref: '#/components/schemas/SLOs_group_by'
        id:
          description: An optional and unique identifier for the SLO. Must be between 8 and 36 characters.
          example: my-super-slo-id
          type: string
        indicator:
          oneOf:
            - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql'
            - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability'
            - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency'
            - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric'
            - $ref: '#/components/schemas/SLOs_indicator_properties_histogram'
            - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric'
        name:
          description: A name for the SLO.
          type: string
        objective:
          $ref: '#/components/schemas/SLOs_objective'
        settings:
          $ref: '#/components/schemas/SLOs_settings'
        tags:
          description: List of tags
          items:
            type: string
          type: array
        timeWindow:
          $ref: '#/components/schemas/SLOs_time_window'
      required:
        - name
        - description
        - indicator
        - timeWindow
        - budgetingMethod
        - objective
      title: Create SLO request
      type: object
    SLOs_create_slo_response:
      title: Create SLO response
      type: object
      properties:
        id:
          example: 8853df00-ae2e-11ed-90af-09bb6422b258
          type: string
      required:
        - id
    SLOs_delete_slo_instances_request:
      description: |
        The delete SLO instances request takes a list of SLO ID and instance ID pairs, then deletes the rollup and summary data. This API can be used to remove the stale data of an instance SLO that no longer gets updated.
      properties:
        list:
          description: An array of SLO ID and instance ID pairs
          items:
            type: object
            properties:
              instanceId:
                description: The SLO instance identifier
                example: 8853df00-ae2e-11ed-90af-09bb6422b258
                type: string
              sloId:
                description: The SLO unique identifier
                example: 8853df00-ae2e-11ed-90af-09bb6422b258
                type: string
            required:
              - sloId
              - instanceId
          type: array
      required:
        - list
      title: Delete SLO instances request
      type: object
    SLOs_error_budget:
      title: Error budget
      type: object
      properties:
        consumed:
          description: The error budget consumed, as a percentage of the initial value.
          example: 0.8
          type: number
        initial:
          description: The initial error budget, as 1 - objective
          example: 0.02
          type: number
        isEstimated:
          description: Only for SLO defined with occurrences budgeting method and calendar aligned time window.
          example: true
          type: boolean
        remaining:
          description: The error budget remaining, as a percentage of the initial value.
          example: 0.2
          type: number
      required:
        - initial
        - consumed
        - remaining
        - isEstimated
    SLOs_filter:
      description: Defines properties for a filter
      properties:
        meta:
          $ref: '#/components/schemas/SLOs_filter_meta'
        query:
          type: object
      title: Filter
      type: object
    SLOs_filter_meta:
      description: Defines properties for a filter
      properties:
        alias:
          nullable: true
          type: string
        controlledBy:
          type: string
        disabled:
          type: boolean
        field:
          type: string
        group:
          type: string
        index:
          type: string
        isMultiIndex:
          type: boolean
        key:
          type: string
        negate:
          type: boolean
        params:
          type: object
        type:
          type: string
        value:
          type: string
      title: FilterMeta
      type: object
    SLOs_find_slo_definitions_response:
      description: |
        A paginated response of SLO definitions matching the query.
      oneOf:
        - type: object
          properties:
            page:
              example: 1
              type: number
            perPage:
              example: 25
              type: number
            results:
              items:
                $ref: '#/components/schemas/SLOs_slo_with_summary_response'
              type: array
            total:
              example: 34
              type: number
        - type: object
          properties:
            page:
              default: 1
              description: for backward compatibility
              type: number
            perPage:
              description: for backward compatibility
              example: 25
              type: number
            results:
              items:
                $ref: '#/components/schemas/SLOs_slo_with_summary_response'
              type: array
            searchAfter:
              description: the cursor to provide to get the next paged results
              example:
                - some-slo-id
                - other-cursor-id
              items:
                type: string
              type: array
            size:
              example: 25
              type: number
            total:
              example: 34
              type: number
      title: Find SLO definitions response
      type: object
    SLOs_find_slo_response:
      description: |
        A paginated response of SLOs matching the query.
      properties:
        page:
          example: 1
          type: number
        perPage:
          example: 25
          type: number
        results:
          items:
            $ref: '#/components/schemas/SLOs_slo_with_summary_response'
          type: array
        searchAfter:
          type: string
        size:
          description: Size provided for cursor based pagination
          example: 25
          type: number
        total:
          example: 34
          type: number
      title: Find SLO response
      type: object
    SLOs_group_by:
      description: optional group by field or fields to use to generate an SLO per distinct value
      example:
        - - service.name
        - service.name
        - - service.name
          - service.environment
      oneOf:
        - type: string
        - items:
            type: string
          type: array
      title: Group by
    SLOs_indicator_properties_apm_availability:
      description: Defines properties for the APM availability indicator type
      type: object
      properties:
        params:
          description: An object containing the indicator parameters.
          nullable: false
          type: object
          properties:
            environment:
              description: The APM service environment or "*"
              example: production
              type: string
            filter:
              description: KQL query used for filtering the data
              example: 'service.foo : "bar"'
              type: string
            index:
              description: The index used by APM metrics
              example: metrics-apm*,apm*
              type: string
            service:
              description: The APM service name
              example: o11y-app
              type: string
            transactionName:
              description: The APM transaction name or "*"
              example: GET /my/api
              type: string
            transactionType:
              description: The APM transaction type or "*"
              example: request
              type: string
          required:
            - service
            - environment
            - transactionType
            - transactionName
            - index
        type:
          description: The type of indicator.
          example: sli.apm.transactionErrorRate
          type: string
      required:
        - type
        - params
      title: APM availability
    SLOs_indicator_properties_apm_latency:
      description: Defines properties for the APM latency indicator type
      type: object
      properties:
        params:
          description: An object containing the indicator parameters.
          nullable: false
          type: object
          properties:
            environment:
              description: The APM service environment or "*"
              example: production
              type: string
            filter:
              description: KQL query used for filtering the data
              example: 'service.foo : "bar"'
              type: string
            index:
              description: The index used by APM metrics
              example: metrics-apm*,apm*
              type: string
            service:
              description: The APM service name
              example: o11y-app
              type: string
            threshold:
              description: The latency threshold in milliseconds
              example: 250
              type: number
            transactionName:
              description: The APM transaction name or "*"
              example: GET /my/api
              type: string
            transactionType:
              description: The APM transaction type or "*"
              example: request
              type: string
          required:
            - service
            - environment
            - transactionType
            - transactionName
            - index
            - threshold
        type:
          description: The type of indicator.
          example: sli.apm.transactionDuration
          type: string
      required:
        - type
        - params
      title: APM latency
    SLOs_indicator_properties_custom_kql:
      description: Defines properties for a custom query indicator type
      type: object
      properties:
        params:
          description: An object containing the indicator parameters.
          nullable: false
          type: object
          properties:
            dataViewId:
              description: The Kibana data view ID to use, primarily to include data view runtime mappings. Save the SLO again if you add or update runtime fields in the data view and those fields are used in SLO queries.
              example: 03b80ab3-003d-498b-881c-3beedbaf1162
              type: string
            filter:
              $ref: '#/components/schemas/SLOs_kql_with_filters'
            good:
              $ref: '#/components/schemas/SLOs_kql_with_filters_good'
            index:
              description: The index or index pattern to use
              example: my-service-*
              type: string
            timestampField:
              description: |
                The timestamp field used in the source index.
              example: timestamp
              type: string
            total:
              $ref: '#/components/schemas/SLOs_kql_with_filters_total'
          required:
            - index
            - timestampField
            - good
            - total
        type:
          description: The type of indicator.
          example: sli.kql.custom
          type: string
      required:
        - type
        - params
      title: Custom Query
    SLOs_indicator_properties_custom_metric:
      description: Defines properties for a custom metric indicator type
      type: object
      properties:
        params:
          description: An object containing the indicator parameters.
          nullable: false
          type: object
          properties:
            dataViewId:
              description: The Kibana data view ID to use, primarily to include data view runtime mappings. Save the SLO again if you add or update runtime fields in the data view and those fields are used in SLO queries.
              example: 03b80ab3-003d-498b-881c-3beedbaf1162
              type: string
            filter:
              description: the KQL query to filter the documents with.
              example: 'field.environment : "production" and service.name : "my-service"'
              type: string
            good:
              description: |
                An object defining the "good" metrics and equation
              type: object
              properties:
                equation:
                  description: The equation to calculate the "good" metric.
                  example: A
                  type: string
                metrics:
                  description: List of metrics with their name, aggregation type, and field.
                  items:
                    oneOf:
                      - type: object
                        properties:
                          aggregation:
                            description: The aggregation type of the metric.
                            enum:
                              - sum
                            example: sum
                            type: string
                          field:
                            description: The field of the metric.
                            example: processor.processed
                            type: string
                          filter:
                            description: The filter to apply to the metric.
                            example: 'processor.outcome: *'
                            type: string
                          name:
                            description: The name of the metric. Only valid options are A-Z
                            example: A
                            pattern: ^[A-Z]$
                            type: string
                        required:
                          - name
                          - aggregation
                          - field
                      - type: object
                        properties:
                          aggregation:
                            description: The aggregation type of the metric.
                            enum:
                              - doc_count
                            example: doc_count
                            type: string
                          filter:
                            description: The filter to apply to the metric.
                            example: 'processor.outcome: *'
                            type: string
                          name:
                            description: The name of the metric. Only valid options are A-Z
                            example: A
                            pattern: ^[A-Z]$
                            type: string
                        required:
                          - name
                          - aggregation
                  type: array
              required:
                - metrics
                - equation
            index:
              description: The index or index pattern to use
              example: my-service-*
              type: string
            timestampField:
              description: |
                The timestamp field used in the source index.
              example: timestamp
              type: string
            total:
              description: |
                An object defining the "total" metrics and equation
              type: object
              properties:
                equation:
                  description: The equation to calculate the "total" metric.
                  example: A
                  type: string
                metrics:
                  description: List of metrics with their name, aggregation type, and field.
                  items:
                    oneOf:
                      - type: object
                        properties:
                          aggregation:
                            description: The aggregation type of the metric.
                            enum:
                              - sum
                            example: sum
                            type: string
                          field:
                            description: The field of the metric.
                            example: processor.processed
                            type: string
                          filter:
                            description: The filter to apply to the metric.
                            example: 'processor.outcome: *'
                            type: string
                          name:
                            description: The name of the metric. Only valid options are A-Z
                            example: A
                            pattern: ^[A-Z]$
                            type: string
                        required:
                          - name
                          - aggregation
                          - field
                      - type: object
                        properties:
                          aggregation:
                            description: The aggregation type of the metric.
                            enum:
                              - doc_count
                            example: doc_count
                            type: string
                          filter:
                            description: The filter to apply to the metric.
                            example: 'processor.outcome: *'
                            type: string
                          name:
                            description: The name of the metric. Only valid options are A-Z
                            example: A
                            pattern: ^[A-Z]$
                            type: string
                        required:
                          - name
                          - aggregation
                  type: array
              required:
                - metrics
                - equation
          required:
            - index
            - timestampField
            - good
            - total
        type:
          description: The type of indicator.
          example: sli.metric.custom
          type: string
      required:
        - type
        - params
      title: Custom metric
    SLOs_indicator_properties_histogram:
      description: Defines properties for a histogram indicator type
      type: object
      properties:
        params:
          description: An object containing the indicator parameters.
          nullable: false
          type: object
          properties:
            dataViewId:
              description: The Kibana data view ID to use, primarily to include data view runtime mappings. Save the SLO again if you add or update runtime fields in the data view and those fields are used in SLO queries.
              example: 03b80ab3-003d-498b-881c-3beedbaf1162
              type: string
            filter:
              description: the KQL query to filter the documents with.
              example: 'field.environment : "production" and service.name : "my-service"'
              type: string
            good:
              description: |
                An object defining the "good" events
              type: object
              properties:
                aggregation:
                  description: The type of aggregation to use.
                  enum:
                    - value_count
                    - range
                  example: value_count
                  type: string
                field:
                  description: The field used to aggregate the good events.
                  example: processor.latency
                  type: string
                filter:
                  description: The filter for good events.
                  example: 'processor.outcome: "success"'
                  type: string
                from:
                  description: The starting value of the range. Only required for "range" aggregations.
                  example: 0
                  type: number
                to:
                  description: The ending value of the range. Only required for "range" aggregations.
                  example: 100
                  type: number
              required:
                - aggregation
                - field
            index:
              description: The index or index pattern to use
              example: my-service-*
              type: string
            timestampField:
              description: |
                The timestamp field used in the source index.
              example: timestamp
              type: string
            total:
              description: |
                An object defining the "total" events
              type: object
              properties:
                aggregation:
                  description: The type of aggregation to use.
                  enum:
                    - value_count
                    - range
                  example: value_count
                  type: string
                field:
                  description: The field used to aggregate the total events.
                  example: processor.latency
                  type: string
                filter:
                  description: The filter for total events.
                  example: 'processor.outcome : *'
                  type: string
                from:
                  description: The starting value of the range. Only required for "range" aggregations.
                  example: 0
                  type: number
                to:
                  description: The ending value of the range. Only required for "range" aggregations.
                  example: 100
                  type: number
              required:
                - aggregation
                - field
          required:
            - index
            - timestampField
            - good
            - total
        type:
          description: The type of indicator.
          example: sli.histogram.custom
          type: string
      required:
        - type
        - params
      title: Histogram indicator
    SLOs_indicator_properties_timeslice_metric:
      description: Defines properties for a timeslice metric indicator type
      type: object
      properties:
        params:
          description: An object containing the indicator parameters.
          nullable: false
          type: object
          properties:
            dataViewId:
              description: The Kibana data view ID to use, primarily to include data view runtime mappings. Save the SLO again if you add or update runtime fields in the data view and those fields are used in SLO queries.
              example: 03b80ab3-003d-498b-881c-3beedbaf1162
              type: string
            filter:
              description: the KQL query to filter the documents with.
              example: 'field.environment : "production" and service.name : "my-service"'
              type: string
            index:
              description: The index or index pattern to use
              example: my-service-*
              type: string
            metric:
              description: |
                An object defining the metrics, equation, and threshold to determine if it's a good slice or not
              type: object
              properties:
                comparator:
                  description: The comparator to use to compare the equation to the threshold.
                  enum:
                    - GT
                    - GTE
                    - LT
                    - LTE
                  example: GT
                  type: string
                equation:
                  description: The equation to calculate the metric.
                  example: A
                  type: string
                metrics:
                  description: List of metrics with their name, aggregation type, and field.
                  items:
                    anyOf:
                      - $ref: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field'
                      - $ref: '#/components/schemas/SLOs_timeslice_metric_percentile_metric'
                      - $ref: '#/components/schemas/SLOs_timeslice_metric_doc_count_metric'
                    discriminator:
                      mapping:
                        avg: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field'
                        cardinality: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field'
                        doc_count: '#/components/schemas/SLOs_timeslice_metric_doc_count_metric'
                        last_value: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field'
                        max: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field'
                        min: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field'
                        percentile: '#/components/schemas/SLOs_timeslice_metric_percentile_metric'
                        std_deviation: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field'
                        sum: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field'
                      propertyName: aggregation
                  type: array
                threshold:
                  description: The threshold used to determine if the metric is a good slice or not.
                  example: 100
                  type: number
              required:
                - metrics
                - equation
                - comparator
                - threshold
            timestampField:
              description: |
                The timestamp field used in the source index.
              example: timestamp
              type: string
          required:
            - index
            - timestampField
            - metric
        type:
          description: The type of indicator.
          example: sli.metric.timeslice
          type: string
      required:
        - type
        - params
      title: Timeslice metric
    SLOs_kql_with_filters:
      description: Defines properties for a filter
      oneOf:
        - description: the KQL query to filter the documents with.
          example: 'field.environment : "production" and service.name : "my-service"'
          type: string
        - type: object
          properties:
            filters:
              items:
                $ref: '#/components/schemas/SLOs_filter'
              type: array
            kqlQuery:
              type: string
      title: KQL with filters
    SLOs_kql_with_filters_good:
      description: The KQL query used to define the good events.
      oneOf:
        - description: the KQL query to filter the documents with.
          example: 'request.latency <= 150 and request.status_code : "2xx"'
          type: string
        - type: object
          properties:
            filters:
              items:
                $ref: '#/components/schemas/SLOs_filter'
              type: array
            kqlQuery:
              type: string
      title: KQL query for good events
    SLOs_kql_with_filters_total:
      description: The KQL query used to define all events.
      oneOf:
        - description: the KQL query to filter the documents with.
          example: 'field.environment : "production" and service.name : "my-service"'
          type: string
        - type: object
          properties:
            filters:
              items:
                $ref: '#/components/schemas/SLOs_filter'
              type: array
            kqlQuery:
              type: string
      title: KQL query for all events
    SLOs_objective:
      description: Defines properties for the SLO objective
      type: object
      properties:
        target:
          description: The target objective, between 0 and 1 (both excluded).
          example: 0.99
          exclusiveMaximum: true
          exclusiveMinimum: true
          maximum: 100
          minimum: 0
          type: number
        timesliceTarget:
          description: the target objective for each slice when using a timeslices budgeting method
          example: 0.995
          maximum: 100
          minimum: 0
          type: number
        timesliceWindow:
          description: the duration of each slice when using a timeslices budgeting method, as {duration}{unit}
          example: 5m
          type: string
      required:
        - target
      title: Objective
    SLOs_settings:
      description: Defines properties for SLO settings.
      properties:
        frequency:
          default: 1m
          description: The interval between checks for changes in the source data. The minimum value is 1m and the maximum is 59m. The default value is 1 minute.
          example: 5m
          type: string
        preventInitialBackfill:
          default: false
          description: Start aggregating data from the time the SLO is created, instead of backfilling data from the beginning of the time window.
          example: true
          type: boolean
        syncDelay:
          default: 1m
          description: The time delay in minutes between the current time and the latest source data time. Increasing the value will delay any alerting. The default value is 1 minute. The minimum value is 1m and the maximum is 359m. It should always be greater than the source index refresh interval.
          example: 5m
          type: string
        syncField:
          description: The date field that is used to identify new documents in the source. It is strongly recommended to use a field that contains the ingest timestamp. If you use a different field, you might need to set the delay such that it accounts for data transmission delays. When unspecified, we use the indicator timestamp field.
          example: event.ingested
          type: string
      title: Settings
      type: object
    SLOs_slo_definition_response:
      title: SLO definition response
      type: object
      properties:
        artifacts:
          $ref: '#/components/schemas/SLOs_artifacts'
        budgetingMethod:
          $ref: '#/components/schemas/SLOs_budgeting_method'
        createdAt:
          description: The creation date
          example: '2023-01-12T10:03:19.000Z'
          type: string
        description:
          description: The description of the SLO.
          example: My SLO description
          type: string
        enabled:
          description: Indicate if the SLO is enabled
          example: true
          type: boolean
        groupBy:
          $ref: '#/components/schemas/SLOs_group_by'
        id:
          description: The identifier of the SLO.
          example: 8853df00-ae2e-11ed-90af-09bb6422b258
          type: string
        indicator:
          discriminator:
            mapping:
              sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency'
              sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability'
              sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram'
              sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql'
              sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric'
              sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric'
            propertyName: type
          oneOf:
            - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql'
            - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability'
            - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency'
            - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric'
            - $ref: '#/components/schemas/SLOs_indicator_properties_histogram'
            - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric'
        name:
          description: The name of the SLO.
          example: My Service SLO
          type: string
        objective:
          $ref: '#/components/schemas/SLOs_objective'
        revision:
          description: The SLO revision
          example: 2
          type: number
        settings:
          $ref: '#/components/schemas/SLOs_settings'
        tags:
          description: List of tags
          items:
            type: string
          type: array
        timeWindow:
          $ref: '#/components/schemas/SLOs_time_window'
        updatedAt:
          description: The last update date
          example: '2023-01-12T10:03:19.000Z'
          type: string
        version:
          description: The internal SLO version
          example: 2
          type: number
      required:
        - id
        - name
        - description
        - indicator
        - timeWindow
        - budgetingMethod
        - objective
        - settings
        - revision
        - enabled
        - groupBy
        - tags
        - createdAt
        - updatedAt
        - version
    SLOs_slo_with_summary_response:
      title: SLO response
      type: object
      properties:
        budgetingMethod:
          $ref: '#/components/schemas/SLOs_budgeting_method'
        createdAt:
          description: The creation date
          example: '2023-01-12T10:03:19.000Z'
          type: string
        description:
          description: The description of the SLO.
          example: My SLO description
          type: string
        enabled:
          description: Indicate if the SLO is enabled
          example: true
          type: boolean
        groupBy:
          $ref: '#/components/schemas/SLOs_group_by'
        id:
          description: The identifier of the SLO.
          example: 8853df00-ae2e-11ed-90af-09bb6422b258
          type: string
        indicator:
          discriminator:
            mapping:
              sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency'
              sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability'
              sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram'
              sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql'
              sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric'
              sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric'
            propertyName: type
          oneOf:
            - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql'
            - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability'
            - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency'
            - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric'
            - $ref: '#/components/schemas/SLOs_indicator_properties_histogram'
            - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric'
        instanceId:
          description: the value derived from the groupBy field, if present, otherwise '*'
          example: host-abcde
          type: string
        name:
          description: The name of the SLO.
          example: My Service SLO
          type: string
        objective:
          $ref: '#/components/schemas/SLOs_objective'
        revision:
          description: The SLO revision
          example: 2
          type: number
        settings:
          $ref: '#/components/schemas/SLOs_settings'
        summary:
          $ref: '#/components/schemas/SLOs_summary'
        tags:
          description: List of tags
          items:
            type: string
          type: array
        timeWindow:
          $ref: '#/components/schemas/SLOs_time_window'
        updatedAt:
          description: The last update date
          example: '2023-01-12T10:03:19.000Z'
          type: string
        version:
          description: The internal SLO version
          example: 2
          type: number
      required:
        - id
        - name
        - description
        - indicator
        - timeWindow
        - budgetingMethod
        - objective
        - settings
        - revision
        - summary
        - enabled
        - groupBy
        - instanceId
        - tags
        - createdAt
        - updatedAt
        - version
    SLOs_summary:
      description: The SLO computed data
      properties:
        errorBudget:
          $ref: '#/components/schemas/SLOs_error_budget'
        sliValue:
          example: 0.9836
          type: number
        status:
          $ref: '#/components/schemas/SLOs_summary_status'
      required:
        - status
        - sliValue
        - errorBudget
      title: Summary
      type: object
    SLOs_summary_status:
      enum:
        - NO_DATA
        - HEALTHY
        - DEGRADING
        - VIOLATED
      example: HEALTHY
      title: summary status
      type: string
    SLOs_time_window:
      description: Defines properties for the SLO time window
      type: object
      properties:
        duration:
          description: 'The duration formatted as {duration}{unit}. Accepted values for rolling: 7d, 30d, 90d. Accepted values for calendar aligned: 1w (weekly) or 1M (monthly).'
          example: 30d
          type: string
        type:
          description: Indicates whether the time window is a rolling or a calendar aligned time window.
          enum:
            - rolling
            - calendarAligned
          example: rolling
          type: string
      required:
        - duration
        - type
      title: Time window
    SLOs_timeslice_metric_basic_metric_with_field:
      type: object
      properties:
        aggregation:
          description: The aggregation type of the metric.
          enum:
            - sum
            - avg
            - min
            - max
            - std_deviation
            - last_value
            - cardinality
          example: sum
          type: string
        field:
          description: The field of the metric.
          example: processor.processed
          type: string
        filter:
          description: The filter to apply to the metric.
          example: 'processor.outcome: "success"'
          type: string
        name:
          description: The name of the metric. Only valid options are A-Z
          example: A
          pattern: ^[A-Z]$
          type: string
      required:
        - name
        - aggregation
        - field
      title: Timeslice Metric Basic Metric with Field
    SLOs_timeslice_metric_doc_count_metric:
      type: object
      properties:
        aggregation:
          description: The aggregation type of the metric. Only valid option is "doc_count"
          enum:
            - doc_count
          example: doc_count
          type: string
        filter:
          description: The filter to apply to the metric.
          example: 'processor.outcome: "success"'
          type: string
        name:
          description: The name of the metric. Only valid options are A-Z
          example: A
          pattern: ^[A-Z]$
          type: string
      required:
        - name
        - aggregation
      title: Timeslice Metric Doc Count Metric
    SLOs_timeslice_metric_percentile_metric:
      type: object
      properties:
        aggregation:
          description: The aggregation type of the metric. Only valid option is "percentile"
          enum:
            - percentile
          example: percentile
          type: string
        field:
          description: The field of the metric.
          example: processor.processed
          type: string
        filter:
          description: The filter to apply to the metric.
          example: 'processor.outcome: "success"'
          type: string
        name:
          description: The name of the metric. Only valid options are A-Z
          example: A
          pattern: ^[A-Z]$
          type: string
        percentile:
          description: The percentile value.
          example: 95
          type: number
      required:
        - name
        - aggregation
        - field
        - percentile
      title: Timeslice Metric Percentile Metric
    SLOs_update_slo_request:
      description: |
        The update SLO API request body varies depending on the type of indicator, time window and budgeting method. Partial update is handled.
      properties:
        artifacts:
          $ref: '#/components/schemas/SLOs_artifacts'
        budgetingMethod:
          $ref: '#/components/schemas/SLOs_budgeting_method'
        description:
          description: A description for the SLO.
          type: string
        groupBy:
          $ref: '#/components/schemas/SLOs_group_by'
        indicator:
          oneOf:
            - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql'
            - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability'
            - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency'
            - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric'
            - $ref: '#/components/schemas/SLOs_indicator_properties_histogram'
            - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric'
        name:
          description: A name for the SLO.
          type: string
        objective:
          $ref: '#/components/schemas/SLOs_objective'
        settings:
          $ref: '#/components/schemas/SLOs_settings'
        tags:
          description: List of tags
          items:
            type: string
          type: array
        timeWindow:
          $ref: '#/components/schemas/SLOs_time_window'
      title: Update SLO request
      type: object
    Task_manager_health_Serverless_APIs_configuration:
      description: |
        This object summarizes the current configuration of Task Manager. This includes dynamic configurations that change over time, such as `poll_interval` and `max_workers`, which can adjust in reaction to changing load on the system.
      type: object
    Task_manager_health_Serverless_APIs_health_response_serverless:
      title: Task health response properties
      type: object
      properties:
        id:
          type: string
        last_update:
          type: string
        stats:
          type: object
          properties:
            configuration:
              $ref: '#/components/schemas/Task_manager_health_Serverless_APIs_configuration'
            workload:
              $ref: '#/components/schemas/Task_manager_health_Serverless_APIs_workload'
        status:
          type: string
        timestamp:
          type: string
    Task_manager_health_Serverless_APIs_workload:
      description: |
        This object summarizes the workload across the cluster, including the tasks in the system, their types, and current status.
      type: object
    bedrock_config:
      title: Connector request properties for an Amazon Bedrock connector
      description: Defines properties for connectors when type is `.bedrock`.
      type: object
      required:
        - apiUrl
      properties:
        apiUrl:
          type: string
          description: The Amazon Bedrock request URL.
        region:
          type: string
          description: |
            Optional AWS region for request signing. Required when using a custom endpoint URL that does not include the region in the hostname (for example, `us-west-1`).
        defaultModel:
          type: string
          description: |
            The generative artificial intelligence model for Amazon Bedrock to use. Current support is for the Anthropic Claude models.
          default: us.anthropic.claude-sonnet-4-5-20250929-v1:0
    crowdstrike_config:
      title: Connector request config properties for a CrowdStrike connector
      required:
        - url
      description: Defines config properties for connectors when type is `.crowdstrike`.
      type: object
      properties:
        url:
          description: |
            The CrowdStrike tenant URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.
          type: string
    d3security_config:
      title: Connector request properties for a D3 Security connector
      description: Defines properties for connectors when type is `.d3security`.
      type: object
      required:
        - url
      properties:
        url:
          type: string
          description: |
            The D3 Security API request URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.
    email_config:
      title: Connector request properties for an email connector
      description: Defines properties for connectors when type is `.email`.
      required:
        - from
      type: object
      properties:
        clientId:
          description: |
            The client identifier, which is a part of OAuth 2.0 client credentials authentication, in GUID format. If `service` is `exchange_server`, this property is required.
          type: string
          nullable: true
        from:
          description: |
            The from address for all emails sent by the connector. It must be specified in `user@host-name` format.
          type: string
        hasAuth:
          description: |
            Specifies whether a user and password are required inside the secrets configuration.
          default: true
          type: boolean
        host:
          description: |
            The host name of the service provider. If the `service` is `elastic_cloud` (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored. If `service` is `other`, this property must be defined.
          type: string
        oauthTokenUrl:
          type: string
          nullable: true
        port:
          description: |
            The port to connect to on the service provider. If the `service` is `elastic_cloud` (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored. If `service` is `other`, this property must be defined.
          type: integer
        secure:
          description: |
            Specifies whether the connection to the service provider will use TLS. If the `service` is `elastic_cloud` (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored.
          type: boolean
        service:
          description: |
            The name of the email service.
          type: string
          enum:
            - elastic_cloud
            - exchange_server
            - gmail
            - other
            - outlook365
            - ses
        tenantId:
          description: |
            The tenant identifier, which is part of OAuth 2.0 client credentials authentication, in GUID format. If `service` is `exchange_server`, this property is required.
          type: string
          nullable: true
    gemini_config:
      title: Connector request properties for a Google Gemini connector
      description: Defines properties for connectors when type is `.gemini`.
      type: object
      required:
        - apiUrl
        - gcpRegion
        - gcpProjectID
      properties:
        apiUrl:
          type: string
          description: The Google Gemini request URL.
        defaultModel:
          type: string
          description: The generative artificial intelligence model for Google Gemini to use.
          default: gemini-2.5-pro
        gcpRegion:
          type: string
          description: The GCP region where the Vertex AI endpoint is enabled.
        gcpProjectID:
          type: string
          description: The Google project ID that has the Vertex AI endpoint enabled.
    resilient_config:
      title: Connector request properties for an IBM Resilient connector
      required:
        - apiUrl
        - orgId
      description: Defines properties for connectors when type is `.resilient`.
      type: object
      properties:
        apiUrl:
          description: The IBM Resilient instance URL.
          type: string
        orgId:
          description: The IBM Resilient organization ID.
          type: string
    index_config:
      title: Connector request properties for an index connector
      required:
        - index
      description: Defines properties for connectors when type is `.index`.
      type: object
      properties:
        executionTimeField:
          description: A field that indicates when the document was indexed.
          default: null
          type: string
          nullable: true
        index:
          description: The Elasticsearch index to be written to.
          type: string
        refresh:
          description: |
            The refresh policy for the write request, which affects when changes are made visible to search. Refer to the refresh setting for Elasticsearch document APIs.
          default: false
          type: boolean
    jira_config:
      title: Connector request properties for a Jira connector
      required:
        - apiUrl
        - projectKey
      description: Defines properties for connectors when type is `.jira`.
      type: object
      properties:
        apiUrl:
          description: The Jira instance URL.
          type: string
        projectKey:
          description: The Jira project key.
          type: string
    defender_config:
      title: Connector request properties for a Microsoft Defender for Endpoint connector
      required:
        - apiUrl
        - projectKey
      description: Defines properties for connectors when type is `.microsoft_defender_endpoint`.
      type: object
      properties:
        apiUrl:
          type: string
          description: |
            The URL of the Microsoft Defender for Endpoint API. If you are using the `xpack.actions.allowedHosts` setting, make sure the hostname is added to the allowed hosts.
        clientId:
          type: string
          description: The application (client) identifier for your app in the Azure portal.
        oAuthScope:
          type: string
          description: The OAuth scopes or permission sets for the Microsoft Defender for Endpoint API.
        oAuthServerUrl:
          type: string
          description: The OAuth server URL where authentication is sent and received for the Microsoft Defender for Endpoint API.
        tenantId:
          description: The tenant identifier for your app in the Azure portal.
          type: string
    genai_azure_config:
      title: Connector request properties for an OpenAI connector that uses Azure OpenAI
      description: |
        Defines properties for connectors when type is `.gen-ai` and the API provider is `Azure OpenAI`.
      type: object
      required:
        - apiProvider
        - apiUrl
      properties:
        apiProvider:
          type: string
          description: The OpenAI API provider.
          enum:
            - Azure OpenAI
        apiUrl:
          type: string
          description: The OpenAI API endpoint.
    genai_openai_config:
      title: Connector request properties for an OpenAI connector
      description: |
        Defines properties for connectors when type is `.gen-ai` and the API provider is `OpenAI`.
      type: object
      required:
        - apiProvider
        - apiUrl
      properties:
        apiProvider:
          type: string
          description: The OpenAI API provider.
          enum:
            - OpenAI
        apiUrl:
          type: string
          description: The OpenAI API endpoint.
        defaultModel:
          type: string
          description: The default model to use for requests.
    opsgenie_config:
      title: Connector request properties for an Opsgenie connector
      required:
        - apiUrl
      description: Defines properties for connectors when type is `.opsgenie`.
      type: object
      properties:
        apiUrl:
          description: |
            The Opsgenie URL. For example, `https://api.opsgenie.com` or `https://api.eu.opsgenie.com`. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.
          type: string
    pagerduty_config:
      title: Connector request properties for a PagerDuty connector
      description: Defines properties for connectors when type is `.pagerduty`.
      type: object
      properties:
        apiUrl:
          description: The PagerDuty event URL.
          type: string
          nullable: true
          example: https://events.pagerduty.com/v2/enqueue
    sentinelone_config:
      title: Connector request properties for a SentinelOne connector
      required:
        - url
      description: Defines properties for connectors when type is `.sentinelone`.
      type: object
      properties:
        url:
          description: |
            The SentinelOne tenant URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.
          type: string
    servicenow_config:
      title: Connector request properties for a ServiceNow ITSM connector
      required:
        - apiUrl
      description: Defines properties for connectors when type is `.servicenow`.
      type: object
      properties:
        apiUrl:
          type: string
          description: The ServiceNow instance URL.
        clientId:
          description: |
            The client ID assigned to your OAuth application. This property is required when `isOAuth` is `true`.
          type: string
        isOAuth:
          description: |
            The type of authentication to use. The default value is false, which means basic authentication is used instead of open authorization (OAuth).
          default: false
          type: boolean
        jwtKeyId:
          description: |
            The key identifier assigned to the JWT verifier map of your OAuth application. This property is required when `isOAuth` is `true`.
          type: string
        userIdentifierValue:
          description: |
            The identifier to use for OAuth authentication. This identifier should be the user field you selected when you created an OAuth JWT API endpoint for external clients in your ServiceNow instance. For example, if the selected user field is `Email`, the user identifier should be the user's email address. This property is required when `isOAuth` is `true`.
          type: string
        usesTableApi:
          description: |
            Determines whether the connector uses the Table API or the Import Set API. This property is supported only for ServiceNow ITSM and ServiceNow SecOps connectors. NOTE: If this property is set to `false`, the Elastic application should be installed in ServiceNow.
          default: true
          type: boolean
    servicenow_itom_config:
      title: Connector request properties for a ServiceNow ITOM connector
      required:
        - apiUrl
      description: Defines properties for connectors when type is `.servicenow-itom`.
      type: object
      properties:
        apiUrl:
          type: string
          description: The ServiceNow instance URL.
        clientId:
          description: |
            The client ID assigned to your OAuth application. This property is required when `isOAuth` is `true`.
          type: string
        isOAuth:
          description: |
            The type of authentication to use. The default value is false, which means basic authentication is used instead of open authorization (OAuth).
          default: false
          type: boolean
        jwtKeyId:
          description: |
            The key identifier assigned to the JWT verifier map of your OAuth application. This property is required when `isOAuth` is `true`.
          type: string
        userIdentifierValue:
          description: |
            The identifier to use for OAuth authentication. This identifier should be the user field you selected when you created an OAuth JWT API endpoint for external clients in your ServiceNow instance. For example, if the selected user field is `Email`, the user identifier should be the user's email address. This property is required when `isOAuth` is `true`.
          type: string
    slack_api_config:
      title: Connector request properties for a Slack connector
      description: Defines properties for connectors when type is `.slack_api`.
      type: object
      properties:
        allowedChannels:
          type: array
          description: A list of valid Slack channels.
          items:
            type: object
            required:
              - id
              - name
            maxItems: 25
            properties:
              id:
                type: string
                description: The Slack channel ID.
                example: C123ABC456
                minLength: 1
              name:
                type: string
                description: The Slack channel name.
                minLength: 1
    swimlane_config:
      title: Connector request properties for a Swimlane connector
      required:
        - apiUrl
        - appId
        - connectorType
      description: Defines properties for connectors when type is `.swimlane`.
      type: object
      properties:
        apiUrl:
          description: The Swimlane instance URL.
          type: string
        appId:
          description: The Swimlane application ID.
          type: string
        connectorType:
          description: The type of connector. Valid values are `all`, `alerts`, and `cases`.
          type: string
          enum:
            - all
            - alerts
            - cases
        mappings:
          title: Connector mappings properties for a Swimlane connector
          description: The field mapping.
          type: object
          properties:
            alertIdConfig:
              title: Alert identifier mapping
              description: Mapping for the alert ID.
              type: object
              required:
                - fieldType
                - id
                - key
                - name
              properties:
                fieldType:
                  type: string
                  description: The type of field in Swimlane.
                id:
                  type: string
                  description: The identifier for the field in Swimlane.
                key:
                  type: string
                  description: The key for the field in Swimlane.
                name:
                  type: string
                  description: The name of the field in Swimlane.
            caseIdConfig:
              title: Case identifier mapping
              description: Mapping for the case ID.
              type: object
              required:
                - fieldType
                - id
                - key
                - name
              properties:
                fieldType:
                  type: string
                  description: The type of field in Swimlane.
                id:
                  type: string
                  description: The identifier for the field in Swimlane.
                key:
                  type: string
                  description: The key for the field in Swimlane.
                name:
                  type: string
                  description: The name of the field in Swimlane.
            caseNameConfig:
              title: Case name mapping
              description: Mapping for the case name.
              type: object
              required:
                - fieldType
                - id
                - key
                - name
              properties:
                fieldType:
                  type: string
                  description: The type of field in Swimlane.
                id:
                  type: string
                  description: The identifier for the field in Swimlane.
                key:
                  type: string
                  description: The key for the field in Swimlane.
                name:
                  type: string
                  description: The name of the field in Swimlane.
            commentsConfig:
              title: Case comment mapping
              description: Mapping for the case comments.
              type: object
              required:
                - fieldType
                - id
                - key
                - name
              properties:
                fieldType:
                  type: string
                  description: The type of field in Swimlane.
                id:
                  type: string
                  description: The identifier for the field in Swimlane.
                key:
                  type: string
                  description: The key for the field in Swimlane.
                name:
                  type: string
                  description: The name of the field in Swimlane.
            descriptionConfig:
              title: Case description mapping
              description: Mapping for the case description.
              type: object
              required:
                - fieldType
                - id
                - key
                - name
              properties:
                fieldType:
                  type: string
                  description: The type of field in Swimlane.
                id:
                  type: string
                  description: The identifier for the field in Swimlane.
                key:
                  type: string
                  description: The key for the field in Swimlane.
                name:
                  type: string
                  description: The name of the field in Swimlane.
            ruleNameConfig:
              title: Rule name mapping
              description: Mapping for the name of the alert's rule.
              type: object
              required:
                - fieldType
                - id
                - key
                - name
              properties:
                fieldType:
                  type: string
                  description: The type of field in Swimlane.
                id:
                  type: string
                  description: The identifier for the field in Swimlane.
                key:
                  type: string
                  description: The key for the field in Swimlane.
                name:
                  type: string
                  description: The name of the field in Swimlane.
            severityConfig:
              title: Severity mapping
              description: Mapping for the severity.
              type: object
              required:
                - fieldType
                - id
                - key
                - name
              properties:
                fieldType:
                  type: string
                  description: The type of field in Swimlane.
                id:
                  type: string
                  description: The identifier for the field in Swimlane.
                key:
                  type: string
                  description: The key for the field in Swimlane.
                name:
                  type: string
                  description: The name of the field in Swimlane.
    thehive_config:
      title: Connector request properties for a TheHive connector
      description: Defines configuration properties for connectors when type is `.thehive`.
      type: object
      required:
        - url
      properties:
        organisation:
          type: string
          description: |
            The organisation in TheHive that will contain the alerts or cases. By default, the connector uses the default organisation of the user account that created the API key.
        url:
          type: string
          description: |
            The instance URL in TheHive. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.
    tines_config:
      title: Connector request properties for a Tines connector
      description: Defines properties for connectors when type is `.tines`.
      type: object
      required:
        - url
      properties:
        url:
          description: |
            The Tines tenant URL. If you are using the `xpack.actions.allowedHosts` setting, make sure this hostname is added to the allowed hosts.
          type: string
    torq_config:
      title: Connector request properties for a Torq connector
      description: Defines properties for connectors when type is `.torq`.
      type: object
      required:
        - webhookIntegrationUrl
      properties:
        webhookIntegrationUrl:
          description: The endpoint URL of the Elastic Security integration in Torq.
          type: string
    auth_type:
      title: Authentication type
      type: string
      nullable: true
      enum:
        - webhook-authentication-basic
        - webhook-authentication-ssl
      description: |
        The type of authentication to use: basic, SSL, or none.
    ca:
      title: Certificate authority
      type: string
      description: |
        A base64-encoded version of the certificate authority file that the connector can trust to sign and validate certificates. This option is available for all authentication types.
    cert_type:
      title: Certificate type
      type: string
      description: |
        If the `authType` is `webhook-authentication-ssl`, specifies whether the certificate authentication data is in a CRT and key file format or a PFX file format.
      enum:
        - ssl-crt-key
        - ssl-pfx
    has_auth:
      title: Has authentication
      type: boolean
      description: If true, a username and password for login type authentication must be provided.
      default: true
    verification_mode:
      title: Verification mode
      type: string
      enum:
        - certificate
        - full
        - none
      default: full
      description: |
        Controls the verification of certificates. Use `full` to validate that the certificate has an issue date within the `not_before` and `not_after` dates, chains to a trusted certificate authority (CA), and has a hostname or IP address that matches the names within the certificate. Use `certificate` to validate the certificate and verify that it is signed by a trusted authority; this option does not check the certificate hostname. Use `none` to skip certificate validation.
    webhook_config:
      title: Connector request properties for a Webhook connector
      description: Defines properties for connectors when type is `.webhook`.
      type: object
      properties:
        authType:
          $ref: '#/components/schemas/auth_type'
        ca:
          $ref: '#/components/schemas/ca'
        certType:
          $ref: '#/components/schemas/cert_type'
        hasAuth:
          $ref: '#/components/schemas/has_auth'
        headers:
          type: object
          nullable: true
          description: A set of key-value pairs sent as headers with the request.
        method:
          type: string
          default: post
          enum:
            - post
            - put
          description: |
            The HTTP request method, either `post` or `put`.
        url:
          type: string
          description: |
            The request URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.
        verificationMode:
          $ref: '#/components/schemas/verification_mode'
    cases_webhook_config:
      title: Connector request properties for Webhook - Case Management connector
      required:
        - createIncidentJson
        - createIncidentResponseKey
        - createIncidentUrl
        - getIncidentResponseExternalTitleKey
        - getIncidentUrl
        - updateIncidentJson
        - updateIncidentUrl
        - viewIncidentUrl
      description: Defines properties for connectors when type is `.cases-webhook`.
      type: object
      properties:
        authType:
          $ref: '#/components/schemas/auth_type'
        ca:
          $ref: '#/components/schemas/ca'
        certType:
          $ref: '#/components/schemas/cert_type'
        createCommentJson:
          type: string
          description: |
            A JSON payload sent to the create comment URL to create a case comment. You can use variables to add Kibana Cases data to the payload. The required variable is `case.comment`. Due to Mustache template variables (the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated once the Mustache variables have been placed when the REST method runs. Manually ensure that the JSON is valid, disregarding the Mustache variables, so the later validation will pass.
          example: '{"body": {{{case.comment}}}}'
        createCommentMethod:
          type: string
          description: |
            The REST API HTTP request method to create a case comment in the third-party system. Valid values are `patch`, `post`, and `put`.
          default: put
          enum:
            - patch
            - post
            - put
        createCommentUrl:
          type: string
          description: |
            The REST API URL to create a case comment by ID in the third-party system. You can use a variable to add the external system ID to the URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.
          example: https://example.com/issue/{{{external.system.id}}}/comment
        createIncidentJson:
          type: string
          description: |
            A JSON payload sent to the create case URL to create a case. You can use variables to add case data to the payload. Required variables are `case.title` and `case.description`. Due to Mustache template variables (which is the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when the REST method runs. Manually ensure that the JSON is valid to avoid future validation errors; disregard Mustache variables during your review.
          example: '{"fields": {"summary": {{{case.title}}},"description": {{{case.description}}},"labels": {{{case.tags}}}}}'
        createIncidentMethod:
          type: string
          description: |
            The REST API HTTP request method to create a case in the third-party system. Valid values are `patch`, `post`, and `put`.
          enum:
            - patch
            - post
            - put
          default: post
        createIncidentResponseKey:
          type: string
          description: The JSON key in the create external case response that contains the case ID.
        createIncidentUrl:
          type: string
          description: |
            The REST API URL to create a case in the third-party system. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.
        getIncidentResponseExternalTitleKey:
          type: string
          description: The JSON key in the get external case response that contains the case title.
        getIncidentUrl:
          type: string
          description: |
            The REST API URL to get the case by ID from the third-party system. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. You can use a variable to add the external system ID to the URL. Due to Mustache template variables (the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when the REST method runs. Manually ensure that the JSON is valid, disregarding the Mustache variables, so the later validation will pass.
          example: https://example.com/issue/{{{external.system.id}}}
        hasAuth:
          $ref: '#/components/schemas/has_auth'
        headers:
          type: string
          description: |
            A set of key-value pairs sent as headers with the request URLs for the create case, update case, get case, and create comment methods.
        updateIncidentJson:
          type: string
          description: |
            The JSON payload sent to the update case URL to update the case. You can use variables to add Kibana Cases data to the payload. Required variables are `case.title` and `case.description`. Due to Mustache template variables (which is the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when the REST method runs. Manually ensure that the JSON is valid to avoid future validation errors; disregard Mustache variables during your review.
          example: '{"fields": {"summary": {{{case.title}}},"description": {{{case.description}}},"labels": {{{case.tags}}}}}'
        updateIncidentMethod:
          type: string
          description: |
            The REST API HTTP request method to update the case in the third-party system. Valid values are `patch`, `post`, and `put`.
          default: put
          enum:
            - patch
            - post
            - put
        updateIncidentUrl:
          type: string
          description: |
            The REST API URL to update the case by ID in the third-party system. You can use a variable to add the external system ID to the URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.
          example: https://example.com/issue/{{{external.system.ID}}}
        verificationMode:
          $ref: '#/components/schemas/verification_mode'
        viewIncidentUrl:
          type: string
          description: |
            The URL to view the case in the external system. You can use variables to add the external system ID or external system title to the URL.
          example: https://testing-jira.atlassian.net/browse/{{{external.system.title}}}
    xmatters_config:
      title: Connector request properties for an xMatters connector
      description: Defines properties for connectors when type is `.xmatters`.
      type: object
      properties:
        configUrl:
          description: |
            The request URL for the Elastic Alerts trigger in xMatters. It is applicable only when `usesBasic` is `true`.
          type: string
          nullable: true
        usesBasic:
          description: Specifies whether the connector uses HTTP basic authentication (`true`) or URL authentication (`false`).
          type: boolean
          default: true
    bedrock_secrets:
      title: Connector secrets properties for an Amazon Bedrock connector
      description: Defines secrets for connectors when type is `.bedrock`.
      type: object
      required:
        - accessKey
        - secret
      properties:
        accessKey:
          type: string
          description: The AWS access key for authentication.
        secret:
          type: string
          description: The AWS secret for authentication.
    crowdstrike_secrets:
      title: Connector secrets properties for a CrowdStrike connector
      description: Defines secrets for connectors when type is `.crowdstrike`.
      type: object
      required:
        - clientId
        - clientSecret
      properties:
        clientId:
          description: The CrowdStrike API client identifier.
          type: string
        clientSecret:
          description: The CrowdStrike API client secret to authenticate the `clientId`.
          type: string
    d3security_secrets:
      title: Connector secrets properties for a D3 Security connector
      description: Defines secrets for connectors when type is `.d3security`.
      required:
        - token
      type: object
      properties:
        token:
          type: string
          description: The D3 Security token.
    email_secrets:
      title: Connector secrets properties for an email connector
      description: Defines secrets for connectors when type is `.email`.
      type: object
      properties:
        clientSecret:
          type: string
          description: |
            The Microsoft Exchange Client secret for OAuth 2.0 client credentials authentication. It must be URL-encoded. If `service` is `exchange_server`, this property is required.
        password:
          type: string
          description: |
            The password for HTTP basic authentication. If `hasAuth` is set to `true`, this property is required.
        user:
          type: string
          description: |
            The username for HTTP basic authentication. If `hasAuth` is set to `true`, this property is required.
    gemini_secrets:
      title: Connector secrets properties for a Google Gemini connector
      description: Defines secrets for connectors when type is `.gemini`.
      type: object
      required:
        - credentialsJson
      properties:
        credentialsJson:
          type: string
          description: The service account credentials JSON file. The service account should have the Vertex AI user IAM role assigned to it.
    resilient_secrets:
      title: Connector secrets properties for an IBM Resilient connector
      required:
        - apiKeyId
        - apiKeySecret
      description: Defines secrets for connectors when type is `.resilient`.
      type: object
      properties:
        apiKeyId:
          type: string
          description: The authentication key ID for HTTP Basic authentication.
        apiKeySecret:
          type: string
          description: The authentication key secret for HTTP Basic authentication.
    jira_secrets:
      title: Connector secrets properties for a Jira connector
      required:
        - apiToken
        - email
      description: Defines secrets for connectors when type is `.jira`.
      type: object
      properties:
        apiToken:
          description: The Jira API authentication token for HTTP basic authentication.
          type: string
        email:
          description: The account email for HTTP Basic authentication.
          type: string
    teams_secrets:
      title: Connector secrets properties for a Microsoft Teams connector
      description: Defines secrets for connectors when type is `.teams`.
      type: object
      required:
        - webhookUrl
      properties:
        webhookUrl:
          type: string
          description: |
            The URL of the incoming webhook. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.
    genai_secrets:
      title: Connector secrets properties for an OpenAI connector
      description: |
        Defines secrets for connectors when type is `.gen-ai`. Supports both API key authentication (OpenAI, Azure OpenAI, and `Other`) and PKI authentication (`Other` provider only). PKI fields must be base64-encoded PEM content.
      type: object
      properties:
        apiKey:
          type: string
          description: |
            The API key for authentication. For OpenAI and Azure OpenAI providers, it is required. For the `Other` provider, it is required if you do not use PKI authentication. With PKI, you can also optionally include an API key if the OpenAI-compatible service supports or requires one.
        certificateData:
          type: string
          description: |
            Base64-encoded PEM certificate content for PKI authentication (Other provider only). Required for PKI.
          minLength: 1
        privateKeyData:
          type: string
          description: |
            Base64-encoded PEM private key content for PKI authentication (Other provider only). Required for PKI.
          minLength: 1
        caData:
          type: string
          description: |
            Base64-encoded PEM CA certificate content for PKI authentication (Other provider only). Optional.
          minLength: 1
    opsgenie_secrets:
      title: Connector secrets properties for an Opsgenie connector
      required:
        - apiKey
      description: Defines secrets for connectors when type is `.opsgenie`.
      type: object
      properties:
        apiKey:
          description: The Opsgenie API authentication key for HTTP Basic authentication.
          type: string
    pagerduty_secrets:
      title: Connector secrets properties for a PagerDuty connector
      description: Defines secrets for connectors when type is `.pagerduty`.
      type: object
      required:
        - routingKey
      properties:
        routingKey:
          description: |
            A 32-character PagerDuty Integration Key for an integration on a service.
          type: string
    sentinelone_secrets:
      title: Connector secrets properties for a SentinelOne connector
      description: Defines secrets for connectors when type is `.sentinelone`.
      type: object
      required:
        - token
      properties:
        token:
          description: A SentinelOne API token.
          type: string
    servicenow_secrets:
      title: Connector secrets properties for ServiceNow ITOM, ServiceNow ITSM, and ServiceNow SecOps connectors
      description: Defines secrets for connectors when type is `.servicenow`, `.servicenow-sir`, or `.servicenow-itom`.
      type: object
      properties:
        clientSecret:
          type: string
          description: The client secret assigned to your OAuth application. This property is required when `isOAuth` is `true`.
        password:
          type: string
          description: The password for HTTP basic authentication. This property is required when `isOAuth` is `false`.
        privateKey:
          type: string
          description: The RSA private key that you created for use in ServiceNow. This property is required when `isOAuth` is `true`.
        privateKeyPassword:
          type: string
          description: The password for the RSA private key. This property is required when `isOAuth` is `true` and you set a password on your private key.
        username:
          type: string
          description: The username for HTTP basic authentication. This property is required when `isOAuth` is `false`.
    slack_api_secrets:
      title: Connector secrets properties for a Web API Slack connector
      description: Defines secrets for connectors when type is `.slack`.
      required:
        - token
      type: object
      properties:
        token:
          type: string
          description: Slack bot user OAuth token.
    swimlane_secrets:
      title: Connector secrets properties for a Swimlane connector
      description: Defines secrets for connectors when type is `.swimlane`.
      type: object
      properties:
        apiToken:
          description: Swimlane API authentication token.
          type: string
    thehive_secrets:
      title: Connector secrets properties for a TheHive connector
      description: Defines secrets for connectors when type is `.thehive`.
      required:
        - apiKey
      type: object
      properties:
        apiKey:
          type: string
          description: The API key for authentication in TheHive.
    tines_secrets:
      title: Connector secrets properties for a Tines connector
      description: Defines secrets for connectors when type is `.tines`.
      type: object
      required:
        - email
        - token
      properties:
        email:
          description: The email used to sign in to Tines.
          type: string
        token:
          description: The Tines API token.
          type: string
    torq_secrets:
      title: Connector secrets properties for a Torq connector
      description: Defines secrets for connectors when type is `.torq`.
      type: object
      required:
        - token
      properties:
        token:
          description: The secret of the webhook authentication header.
          type: string
    crt:
      title: Certificate
      type: string
      description: If `authType` is `webhook-authentication-ssl` and `certType` is `ssl-crt-key`, it is a base64 encoded version of the CRT or CERT file.
    key:
      title: Certificate key
      type: string
      description: If `authType` is `webhook-authentication-ssl` and `certType` is `ssl-crt-key`, it is a base64 encoded version of the KEY file.
    pfx:
      title: Personal information exchange
      type: string
      description: If `authType` is `webhook-authentication-ssl` and `certType` is `ssl-pfx`, it is a base64 encoded version of the PFX or P12 file.
    webhook_secrets:
      title: Connector secrets properties for a Webhook connector
      description: Defines secrets for connectors when type is `.webhook`.
      type: object
      properties:
        crt:
          $ref: '#/components/schemas/crt'
        key:
          $ref: '#/components/schemas/key'
        pfx:
          $ref: '#/components/schemas/pfx'
        password:
          type: string
          description: |
            The password for HTTP basic authentication or the passphrase for the SSL certificate files. If `hasAuth` is set to `true` and `authType` is `webhook-authentication-basic`, this property is required.
        user:
          type: string
          description: |
            The username for HTTP basic authentication. If `hasAuth` is set to `true` and `authType` is `webhook-authentication-basic`, this property is required.
    cases_webhook_secrets:
      title: Connector secrets properties for Webhook - Case Management connector
      type: object
      properties:
        crt:
          $ref: '#/components/schemas/crt'
        key:
          $ref: '#/components/schemas/key'
        pfx:
          $ref: '#/components/schemas/pfx'
        password:
          type: string
          description: |
            The password for HTTP basic authentication. If `hasAuth` is set to `true` and `authType` is `webhook-authentication-basic`, this property is required.
        user:
          type: string
          description: |
            The username for HTTP basic authentication. If `hasAuth` is set to `true` and `authType` is `webhook-authentication-basic`, this property is required.
    xmatters_secrets:
      title: Connector secrets properties for an xMatters connector
      description: Defines secrets for connectors when type is `.xmatters`.
      type: object
      properties:
        password:
          description: |
            A password for HTTP basic authentication. It is applicable only when `usesBasic` is `true`.
          type: string
        secretsUrl:
          description: |
            The request URL for the Elastic Alerts trigger in xMatters with the API key included in the URL. It is applicable only when `usesBasic` is `false`.
          type: string
        user:
          description: |
            A user name for HTTP basic authentication. It is applicable only when `usesBasic` is `true`.
          type: string
    genai_openai_other_config:
      title: Connector request properties for an OpenAI connector with Other provider
      description: |
        Defines properties for connectors when type is `.gen-ai` and the API provider is `Other` (OpenAI-compatible service), including optional PKI authentication.
      type: object
      required:
        - apiProvider
        - apiUrl
        - defaultModel
      properties:
        apiProvider:
          type: string
          description: The OpenAI API provider.
          enum:
            - Other
        apiUrl:
          type: string
          description: The OpenAI-compatible API endpoint.
        defaultModel:
          type: string
          description: The default model to use for requests.
        certificateData:
          type: string
          description: PEM-encoded certificate content.
          minLength: 1
        privateKeyData:
          type: string
          description: PEM-encoded private key content.
          minLength: 1
        caData:
          type: string
          description: PEM-encoded CA certificate content.
          minLength: 1
        verificationMode:
          type: string
          description: SSL verification mode for PKI authentication.
          enum:
            - full
            - certificate
            - none
          default: full
        headers:
          type: object
          description: Custom headers to include in requests.
          additionalProperties:
            type: string
    defender_secrets:
      title: Connector secrets properties for a Microsoft Defender for Endpoint connector
      required:
        - clientSecret
      description: Defines secrets for connectors when type is `.microsoft_defender_endpoint`.
      type: object
      properties:
        clientSecret:
          description: The client secret for your app in the Azure portal.
          type: string
    run_acknowledge_resolve_pagerduty:
      title: PagerDuty connector parameters
      description: Test an action that acknowledges or resolves a PagerDuty alert.
      type: object
      required:
        - dedupKey
        - eventAction
      properties:
        dedupKey:
          description: The deduplication key for the PagerDuty alert.
          type: string
          maxLength: 255
        eventAction:
          description: The type of event.
          type: string
          enum:
            - acknowledge
            - resolve
    run_documents:
      title: Index connector parameters
      description: Test an action that indexes a document into Elasticsearch.
      type: object
      required:
        - documents
      properties:
        documents:
          type: array
          description: The documents in JSON format for index connectors.
          items:
            type: object
            additionalProperties: true
    run_message_email:
      title: Email connector parameters
      description: |
        Test an action that sends an email message. There must be at least one recipient in `to`, `cc`, or `bcc`.
      type: object
      required:
        - message
        - subject
      properties:
        bcc:
          type: array
          items:
            type: string
          description: |
            A list of "blind carbon copy" email addresses. Addresses can be specified in `user@host-name` format or in name `<user@host-name>` format.
        cc:
          type: array
          items:
            type: string
          description: |
            A list of "carbon copy" email addresses. Addresses can be specified in `user@host-name` format or in name `<user@host-name>` format.
        message:
          type: string
          description: The email message text. Markdown format is supported.
        subject:
          type: string
          description: The subject line of the email.
        to:
          type: array
          description: |
            A list of email addresses. Addresses can be specified in `user@host-name` format or in name `<user@host-name>` format.
          items:
            type: string
    run_message_serverlog:
      title: Server log connector parameters
      description: Test an action that writes an entry to the Kibana server log.
      type: object
      required:
        - message
      properties:
        level:
          type: string
          description: The log level of the message for server log connectors.
          enum:
            - debug
            - error
            - fatal
            - info
            - trace
            - warn
          default: info
        message:
          type: string
          description: The message for server log connectors.
    run_message_slack:
      title: Slack connector parameters
      description: |
        Test an action that sends a message to Slack. It is applicable only when the connector type is `.slack`.
      type: object
      required:
        - message
      properties:
        message:
          type: string
          description: The Slack message text, which cannot contain Markdown, images, or other advanced formatting.
    run_trigger_pagerduty:
      title: PagerDuty connector parameters
      description: Test an action that triggers a PagerDuty alert.
      type: object
      required:
        - eventAction
      properties:
        class:
          description: The class or type of the event.
          type: string
          example: cpu load
        component:
          description: The component of the source machine that is responsible for the event.
          type: string
          example: eth0
        customDetails:
          description: Additional details to add to the event.
          type: object
        dedupKey:
          description: |
            All actions sharing this key will be associated with the same PagerDuty alert. This value is used to correlate trigger and resolution.
          type: string
          maxLength: 255
        eventAction:
          description: The type of event.
          type: string
          enum:
            - trigger
        group:
          description: The logical grouping of components of a service.
          type: string
          example: app-stack
        links:
          description: A list of links to add to the event.
          type: array
          items:
            type: object
            properties:
              href:
                description: The URL for the link.
                type: string
              text:
                description: A plain text description of the purpose of the link.
                type: string
        severity:
          description: The severity of the event on the affected system.
          type: string
          enum:
            - critical
            - error
            - info
            - warning
          default: info
        source:
          description: |
            The affected system, such as a hostname or fully qualified domain name. Defaults to the Kibana saved object id of the action.
          type: string
        summary:
          description: A summary of the event.
          type: string
          maxLength: 1024
        timestamp:
          description: An ISO-8601 timestamp that indicates when the event was detected or generated.
          type: string
          format: date-time
    run_addevent:
      title: The addEvent subaction
      type: object
      required:
        - subAction
      description: The `addEvent` subaction for ServiceNow ITOM connectors.
      properties:
        subAction:
          type: string
          description: The action to test.
          enum:
            - addEvent
        subActionParams:
          type: object
          description: The set of configuration properties for the action.
          properties:
            additional_info:
              type: string
              description: Additional information about the event.
            description:
              type: string
              description: The details about the event.
            event_class:
              type: string
              description: A specific instance of the source.
            message_key:
              type: string
              description: All actions sharing this key are associated with the same ServiceNow alert. The default value is `<rule ID>:<alert instance ID>`.
            metric_name:
              type: string
              description: The name of the metric.
            node:
              type: string
              description: The host that the event was triggered for.
            resource:
              type: string
              description: The name of the resource.
            severity:
              type: string
              description: The severity of the event.
            source:
              type: string
              description: The name of the event source type.
            time_of_event:
              type: string
              description: The time of the event.
            type:
              type: string
              description: The type of event.
    run_closealert:
      title: The closeAlert subaction
      type: object
      required:
        - subAction
        - subActionParams
      description: The `closeAlert` subaction for Opsgenie connectors.
      properties:
        subAction:
          type: string
          description: The action to test.
          enum:
            - closeAlert
        subActionParams:
          type: object
          required:
            - alias
          properties:
            alias:
              type: string
              description: The unique identifier used for alert deduplication in Opsgenie. The alias must match the value used when creating the alert.
            note:
              type: string
              description: Additional information for the alert.
            source:
              type: string
              description: The display name for the source of the alert.
            user:
              type: string
              description: The display name for the owner.
    run_closeincident:
      title: The closeIncident subaction
      type: object
      required:
        - subAction
        - subActionParams
      description: The `closeIncident` subaction for ServiceNow ITSM connectors.
      properties:
        subAction:
          type: string
          description: The action to test.
          enum:
            - closeIncident
        subActionParams:
          type: object
          required:
            - incident
          properties:
            incident:
              type: object
              anyOf:
                - required:
                    - correlation_id
                - required:
                    - externalId
              properties:
                correlation_id:
                  type: string
                  nullable: true
                  description: |
                    An identifier that is assigned to the incident when it is created by the connector. NOTE: If you use the default value and the rule generates multiple alerts that use the same alert IDs, the latest open incident for this correlation ID is closed unless you specify the external ID.
                  maxLength: 100
                  default: '{{rule.id}}:{{alert.id}}'
                externalId:
                  type: string
                  nullable: true
                  description: The unique identifier (`incidentId`) for the incident in ServiceNow.
    run_createalert:
      title: The createAlert subaction
      type: object
      required:
        - subAction
        - subActionParams
      description: The `createAlert` subaction for Opsgenie and TheHive connectors.
      properties:
        subAction:
          type: string
          description: The action to test.
          enum:
            - createAlert
        subActionParams:
          type: object
          properties:
            actions:
              type: array
              description: The custom actions available to the alert in Opsgenie connectors.
              items:
                type: string
            alias:
              type: string
              description: The unique identifier used for alert deduplication in Opsgenie.
            description:
              type: string
              description: A description that provides detailed information about the alert.
            details:
              type: object
              description: The custom properties of the alert in Opsgenie connectors.
              additionalProperties: true
              example:
                key1: value1
                key2: value2
            entity:
              type: string
              description: The domain of the alert in Opsgenie connectors. For example, the application or server name.
            message:
              type: string
              description: The alert message in Opsgenie connectors.
            note:
              type: string
              description: Additional information for the alert in Opsgenie connectors.
            priority:
              type: string
              description: The priority level for the alert in Opsgenie connectors.
              enum:
                - P1
                - P2
                - P3
                - P4
                - P5
            responders:
              type: array
              description: |
                The entities to receive notifications about the alert in Opsgenie connectors. If `type` is `user`, either `id` or `username` is required. If `type` is `team`, either `id` or `name` is required.
              items:
                type: object
                properties:
                  id:
                    type: string
                    description: The identifier for the entity.
                  name:
                    type: string
                    description: The name of the entity.
                  type:
                    type: string
                    description: The type of responder. Valid values are `escalation`, `schedule`, `team`, and `user`.
                    enum:
                      - escalation
                      - schedule
                      - team
                      - user
                  username:
                    type: string
                    description: A valid email address for the user.
            severity:
              type: integer
              minimum: 1
              maximum: 4
              description: |
                The severity of the incident for TheHive connectors. The value ranges from 1 (low) to 4 (critical) with a default value of 2 (medium).
            source:
              type: string
              description: The display name for the source of the alert in Opsgenie and TheHive connectors.
            sourceRef:
              type: string
              description: A source reference for the alert in TheHive connectors.
            tags:
              type: array
              description: The tags for the alert in Opsgenie and TheHive connectors.
              items:
                type: string
            title:
              type: string
              description: |
                A title for the incident for TheHive connectors. It is used for searching the contents of the knowledge base.
            tlp:
              type: integer
              minimum: 0
              maximum: 4
              default: 2
              description: |
                The traffic light protocol designation for the incident in TheHive connectors. Valid values include: 0 (clear), 1 (green), 2 (amber), 3 (amber and strict), and 4 (red).
            type:
              type: string
              description: The type of alert in TheHive connectors.
            user:
              type: string
              description: The display name for the owner.
            visibleTo:
              type: array
              description: The teams and users that the alert will be visible to without sending a notification. Only one of `id`, `name`, or `username` is required.
              items:
                type: object
                required:
                  - type
                properties:
                  id:
                    type: string
                    description: The identifier for the entity.
                  name:
                    type: string
                    description: The name of the entity.
                  type:
                    type: string
                    description: Valid values are `team` and `user`.
                    enum:
                      - team
                      - user
                  username:
                    type: string
                    description: The user name. This property is required only when the `type` is `user`.
    run_fieldsbyissuetype:
      title: The fieldsByIssueType subaction
      type: object
      required:
        - subAction
        - subActionParams
      description: The `fieldsByIssueType` subaction for Jira connectors.
      properties:
        subAction:
          type: string
          description: The action to test.
          enum:
            - fieldsByIssueType
        subActionParams:
          type: object
          required:
            - id
          properties:
            id:
              type: string
              description: The Jira issue type identifier.
              example: '10024'
    run_getagentdetails:
      title: The getAgentDetails subaction
      type: object
      required:
        - subAction
        - subActionParams
      description: The `getAgentDetails` subaction for CrowdStrike connectors.
      properties:
        subAction:
          type: string
          description: The action to test.
          enum:
            - getAgentDetails
        subActionParams:
          type: object
          description: The set of configuration properties for the action.
          required:
            - ids
          properties:
            ids:
              type: array
              description: An array of CrowdStrike agent identifiers.
              items:
                type: string
    run_getagents:
      title: The getAgents subaction
      type: object
      required:
        - subAction
      description: The `getAgents` subaction for SentinelOne connectors.
      properties:
        subAction:
          type: string
          description: The action to test.
          enum:
            - getAgents
    run_getchoices:
      title: The getChoices subaction
      type: object
      required:
        - subAction
        - subActionParams
      description: The `getChoices` subaction for ServiceNow ITOM, ServiceNow ITSM, and ServiceNow SecOps connectors.
      properties:
        subAction:
          type: string
          description: The action to test.
          enum:
            - getChoices
        subActionParams:
          type: object
          description: The set of configuration properties for the action.
          required:
            - fields
          properties:
            fields:
              type: array
              description: An array of fields.
              items:
                type: string
    run_getfields:
      title: The getFields subaction
      type: object
      required:
        - subAction
      description: The `getFields` subaction for Jira, ServiceNow ITSM, and ServiceNow SecOps connectors.
      properties:
        subAction:
          type: string
          description: The action to test.
          enum:
            - getFields
    run_getincident:
      title: The getIncident subaction
      type: object
      description: The `getIncident` subaction for Jira, ServiceNow ITSM, and ServiceNow SecOps connectors.
      required:
        - subAction
        - subActionParams
      properties:
        subAction:
          type: string
          description: The action to test.
          enum:
            - getIncident
        subActionParams:
          type: object
          required:
            - externalId
          properties:
            externalId:
              type: string
              description: The Jira, ServiceNow ITSM, or ServiceNow SecOps issue identifier.
              example: '71778'
    run_issue:
      title: The issue subaction
      type: object
      required:
        - subAction
      description: The `issue` subaction for Jira connectors.
      properties:
        subAction:
          type: string
          description: The action to test.
          enum:
            - issue
        subActionParams:
          type: object
          required:
            - id
          properties:
            id:
              type: string
              description: The Jira issue identifier.
              example: '71778'
    run_issues:
      title: The issues subaction
      type: object
      required:
        - subAction
        - subActionParams
      description: The `issues` subaction for Jira connectors.
      properties:
        subAction:
          type: string
          description: The action to test.
          enum:
            - issues
        subActionParams:
          type: object
          required:
            - title
          properties:
            title:
              type: string
              description: The title of the Jira issue.
    run_issuetypes:
      title: The issueTypes subaction
      type: object
      required:
        - subAction
      description: The `issueTypes` subaction for Jira connectors.
      properties:
        subAction:
          type: string
          description: The action to test.
          enum:
            - issueTypes
    run_postmessage:
      title: The postMessage subaction
      type: object
      description: |
        Test an action that sends a message to Slack. It is applicable only when the connector type is `.slack_api`.
      required:
        - subAction
        - subActionParams
      properties:
        subAction:
          type: string
          description: The action to test.
          enum:
            - postMessage
        subActionParams:
          type: object
          description: The set of configuration properties for the action.
          properties:
            channelIds:
              type: array
              maxItems: 1
              description: |
                The Slack channel identifier, which must be one of the `allowedChannels` in the connector configuration.
              items:
                type: string
            channels:
              type: array
              deprecated: true
              description: |
                The name of a channel that your Slack app has access to.
              maxItems: 1
              items:
                type: string
            text:
              type: string
              description: |
                The Slack message text. If it is a Slack webhook connector, the text cannot contain Markdown, images, or other advanced formatting. If it is a Slack web API connector, it can contain either plain text or block kit messages.
              minLength: 1
    run_pushtoservice:
      title: The pushToService subaction
      type: object
      required:
        - subAction
        - subActionParams
      description: The `pushToService` subaction for Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, TheHive, and Webhook - Case Management connectors.
      properties:
        subAction:
          type: string
          description: The action to test.
          enum:
            - pushToService
        subActionParams:
          type: object
          description: The set of configuration properties for the action.
          properties:
            comments:
              type: array
              description: Additional information that is sent to Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, or TheHive.
              items:
                type: object
                properties:
                  comment:
                    type: string
                    description: A comment related to the incident. For example, describe how to troubleshoot the issue.
                  commentId:
                    type: integer
                    description: A unique identifier for the comment.
            incident:
              type: object
              description: Information necessary to create or update a Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, or TheHive incident.
              properties:
                additional_fields:
                  type: string
                  nullable: true
                  maxLength: 20
                  description: |
                    Additional fields for ServiceNow ITSM and ServiceNow SecOps connectors. The fields must exist in the Elastic ServiceNow application and must be specified in JSON format.
                alertId:
                  type: string
                  description: The alert identifier for Swimlane connectors.
                caseId:
                  type: string
                  description: The case identifier for the incident for Swimlane connectors.
                caseName:
                  type: string
                  description: The case name for the incident for Swimlane connectors.
                category:
                  type: string
                  description: The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.
                correlation_display:
                  type: string
                  description: A descriptive label of the alert for correlation purposes for ServiceNow ITSM and ServiceNow SecOps connectors.
                correlation_id:
                  type: string
                  description: |
                    The correlation identifier for the security incident for ServiceNow ITSM and ServiceNow SecOps connectors. Connectors using the same correlation ID are associated with the same ServiceNow incident. This value determines whether a new ServiceNow incident is created or an existing one is updated. Modifying this value is optional; if not modified, the rule ID and alert ID are combined as `{{ruleID}}:{{alert ID}}` to form the correlation ID value in ServiceNow. The maximum character length for this value is 100 characters. NOTE: Using the default configuration of `{{ruleID}}:{{alert ID}}` ensures that ServiceNow creates a separate incident record for every generated alert that uses a unique alert ID. If the rule generates multiple alerts that use the same alert IDs, ServiceNow creates and continually updates a single incident record for the alert.
                description:
                  type: string
                  description: The description of the incident for Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, TheHive, and Webhook - Case Management connectors.
                dest_ip:
                  description: |
                    A list of destination IP addresses related to the security incident for ServiceNow SecOps connectors. The IPs are added as observables to the security incident.
                  oneOf:
                    - type: string
                    - type: array
                      items:
                        type: string
                externalId:
                  type: string
                  description: |
                    The Jira, ServiceNow ITSM, or ServiceNow SecOps issue identifier. If present, the incident is updated. Otherwise, a new incident is created.
                id:
                  type: string
                  description: The external case identifier for Webhook - Case Management connectors.
                impact:
                  type: string
                  description: The impact of the incident for ServiceNow ITSM connectors.
                issueType:
                  type: integer
                  description: The type of incident for Jira connectors. For example, 10006. To obtain the list of valid values, set `subAction` to `issueTypes`.
                labels:
                  type: array
                  items:
                    type: string
                  description: |
                    The labels for the incident for Jira connectors. NOTE: Labels cannot contain spaces.
                malware_hash:
                  description: A list of malware hashes related to the security incident for ServiceNow SecOps connectors. The hashes are added as observables to the security incident.
                  oneOf:
                    - type: string
                    - type: array
                      items:
                        type: string
                malware_url:
                  description: A list of malware URLs related to the security incident for ServiceNow SecOps connectors. The URLs are added as observables to the security incident.
                  oneOf:
                    - type: string
                    - type: array
                      items:
                        type: string
                otherFields:
                  type: object
                  additionalProperties: true
                  maxProperties: 20
                  description: |
                    Custom field identifiers and their values for Jira connectors.
                parent:
                  type: string
                  description: The ID or key of the parent issue for Jira connectors. Applies only to `Sub-task` types of issues.
                priority:
                  type: string
                  description: The priority of the incident in Jira and ServiceNow SecOps connectors.
                ruleName:
                  type: string
                  description: The rule name for Swimlane connectors.
                severity:
                  type: integer
                  description: |
                    The severity of the incident for ServiceNow ITSM, Swimlane, and TheHive connectors. In TheHive connectors, the severity value ranges from 1 (low) to 4 (critical) with a default value of 2 (medium).
                short_description:
                  type: string
                  description: |
                    A short description of the incident for ServiceNow ITSM and ServiceNow SecOps connectors. It is used for searching the contents of the knowledge base.
                source_ip:
                  description: A list of source IP addresses related to the security incident for ServiceNow SecOps connectors. The IPs are added as observables to the security incident.
                  oneOf:
                    - type: string
                    - type: array
                      items:
                        type: string
                status:
                  type: string
                  description: The status of the incident for Webhook - Case Management connectors.
                subcategory:
                  type: string
                  description: The subcategory of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.
                summary:
                  type: string
                  description: A summary of the incident for Jira connectors.
                tags:
                  type: array
                  items:
                    type: string
                  description: A list of tags for TheHive and Webhook - Case Management connectors.
                title:
                  type: string
                  description: |
                    A title for the incident for Jira, TheHive, and Webhook - Case Management connectors. It is used for searching the contents of the knowledge base.
                tlp:
                  type: integer
                  minimum: 0
                  maximum: 4
                  default: 2
                  description: |
                    The traffic light protocol designation for the incident in TheHive connectors. Valid values include: 0 (clear), 1 (green), 2 (amber), 3 (amber and strict), and 4 (red).
                urgency:
                  type: string
                  description: The urgency of the incident for ServiceNow ITSM connectors.
    run_validchannelid:
      title: The validChannelId subaction
      type: object
      description: |
        Retrieves information about a valid Slack channel identifier. It is applicable only when the connector type is `.slack_api`.
      required:
        - subAction
        - subActionParams
      properties:
        subAction:
          type: string
          description: The action to test.
          enum:
            - validChannelId
        subActionParams:
          type: object
          required:
            - channelId
          properties:
            channelId:
              type: string
              description: The Slack channel identifier.
              example: C123ABC456
  securitySchemes:
    apiKeyAuth:
      description: You must create an API key and send its encoded value in the `Authorization` request header, prefixed with `ApiKey`. To learn about creating keys, go to [API keys](https://www.elastic.co/docs/current/serverless/api-keys).
      in: header
      name: Authorization
      type: apiKey
x-topics:
  - title: Kibana spaces
    content: |
      Spaces enable you to organize your dashboards and other saved objects into meaningful categories.
      You can use the default space or create your own spaces.

      To run APIs in non-default spaces, you must add `s/{space_id}/` to the path.
      For example:

      ```bash
      curl -X GET "https://${KIBANA_URL}/s/marketing/api/data_views" \
        -H "Authorization: ApiKey ${API_KEY}"
      ```

      If you use the Kibana console to send API requests, it automatically adds the appropriate space identifier.

      To learn more, check out [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces).
