PATCH /api/risk_score/engine/saved_object/configure

Spaces method and path for this operation:

patch /s/{space_id}/api/risk_score/engine/saved_object/configure

Refer to Spaces for more information.

Configuring the Risk Engine Saved Object

application/json

Body Required

  • enable_reset_to_zero boolean
  • exclude_alert_statuses array[string]
  • exclude_alert_tags array[string]
  • filters array[object]
    • entity_types array[string] Required

      Values are host, user, or service.

    • filter string Required

      KQL filter string

  • page_size integer

    Number of entities to score per page. Higher values reduce total scoring time by reducing the number of alert-index scans, but cannot exceed the ES|QL result limit (10,000 by default).

    Minimum value is 100, maximum value is 10000.

  • range object
    • end string
    • start string

Responses

  • 200 application/json

    Successful response

    • risk_engine_saved_object_configured boolean
  • 400 application/json

    Task manager is unavailable

    • message string Required
    • status_code integer Required

      Minimum value is 400.

  • default application/json

    Unexpected error

    • errors array[object] Required
      • error string Required
      • seq integer Required
    • risk_engine_saved_object_configured boolean Required
curl \
 --request PATCH 'https://<KIBANA_URL>/api/risk_score/engine/saved_object/configure' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"enable_reset_to_zero":false,"exclude_alert_statuses":["closed"],"exclude_alert_tags":["low-priority"],"filters":[{"entity_types":["host","user"],"filter":"host.name: *"}],"range":{"end":"now","start":"now-30d"}}'
Request example
{
  "enable_reset_to_zero": false,
  "exclude_alert_statuses": [
    "closed"
  ],
  "exclude_alert_tags": [
    "low-priority"
  ],
  "filters": [
    {
      "entity_types": [
        "host",
        "user"
      ],
      "filter": "host.name: *"
    }
  ],
  "range": {
    "end": "now",
    "start": "now-30d"
  }
}
Response examples (200)
{
  "risk_engine_saved_object_configured": true
}
Response examples (400)
{
  "message": "Task Manager is unavailable, but is required by the risk engine. Please enable the taskManager plugin and try again.",
  "status_code": 400
}
Response examples (default)
{
  "errors": [
    {
      "error": "Internal server error",
      "seq": 1
    }
  ],
  "risk_engine_saved_object_configured": false
}
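Added example (not Kibana's own client code): a small Python helper that builds the PATCH request for this endpoint, including the space-scoped path variant, and rejects bodies that violate the constraints documented above (page_size bounds, allowed entity_types values, required filter string, unknown fields) before anything is sent. The Kibana URL, space id and API key are placeholders you supply; the kbn-xsrf header is included because Kibana requires it on non-GET API calls.

```python
import json
import urllib.request

ENTITY_TYPES = {"host", "user", "service"}   # allowed entity_types values (from the API docs)
PAGE_SIZE_MIN, PAGE_SIZE_MAX = 100, 10000     # page_size bounds (from the API docs)
PATH = "/api/risk_score/engine/saved_object/configure"
BODY_FIELDS = {"enable_reset_to_zero", "exclude_alert_statuses", "exclude_alert_tags",
               "filters", "page_size", "range"}


def build_configure_request(kibana_url, space_id=None, **fields):
    """Return (url, body) for the PATCH after validating the documented constraints.

    Unknown keys are rejected so a typo does not silently turn into a no-op update.
    """
    unknown = set(fields) - BODY_FIELDS
    if unknown:
        raise ValueError(f"unknown body fields: {sorted(unknown)}")
    page_size = fields.get("page_size")
    if page_size is not None and not PAGE_SIZE_MIN <= page_size <= PAGE_SIZE_MAX:
        raise ValueError(f"page_size must be between {PAGE_SIZE_MIN} and {PAGE_SIZE_MAX}")
    for flt in fields.get("filters", []):
        types = flt.get("entity_types") or []
        if not types or set(types) - ENTITY_TYPES:
            raise ValueError(f"entity_types must be a non-empty subset of {sorted(ENTITY_TYPES)}")
        if not isinstance(flt.get("filter"), str) or not flt["filter"].strip():
            raise ValueError("each filter needs a non-empty KQL 'filter' string")
    # Space-scoped path per the docs: /s/{space_id}/api/...; the default space uses the bare path.
    prefix = f"/s/{space_id}" if space_id else ""
    return kibana_url.rstrip("/") + prefix + PATH, fields


def send_configure(kibana_url, api_key, space_id=None, **fields):
    """Send the PATCH; api_key is the full Authorization header value (e.g. 'ApiKey <base64>')."""
    url, body = build_configure_request(kibana_url, space_id, **fields)
    req = urllib.request.Request(
        url, method="PATCH", data=json.dumps(body).encode(),
        headers={"Authorization": api_key, "Content-Type": "application/json",
                 "kbn-xsrf": "true"})
    with urllib.request.urlopen(req) as resp:   # 400/5xx raise urllib.error.HTTPError
        result = json.load(resp)
    if not result.get("risk_engine_saved_object_configured"):
        raise RuntimeError(f"risk engine saved object not configured: {result}")
    return result


if __name__ == "__main__":
    # Placeholders: replace with your Kibana URL, space and API key before running.
    print(send_configure("https://<KIBANA_URL>", "ApiKey <YOUR_KEY>", space_id="security",
                         page_size=500, exclude_alert_statuses=["closed"],
                         filters=[{"entity_types": ["host", "user"], "filter": "host.name: *"}],
                         range={"start": "now-30d", "end": "now"}))
```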