Find Attack Discovery schedules that match the search criteria

GET /api/attack_discovery/schedules/_find

Spaces method and path for this operation:

GET /s/{space_id}/api/attack_discovery/schedules/_find

Refer to Spaces for more information.

Find Attack Discovery schedules that match the search criteria. Supports pagination and sorting by various fields.

Query parameters

  • page number

    Page number to return (used for pagination). Defaults to 1.

  • per_page number

    Number of Attack Discovery schedules to return per page (used for pagination). Defaults to 10.

  • sort_field string(nonempty)

    Field used to sort results. Common fields include 'name', 'created_at', 'updated_at', and 'enabled'.

    Minimum length is 1.

  • sort_direction string

    Sort order direction. Use 'asc' for ascending or 'desc' for descending. Defaults to 'asc'.

    Values are asc or desc.

Responses

  • 200 application/json

    Indicates a successful call.

    • data array[object] Required

      Array of matched Attack Discovery schedule objects.

      An Attack Discovery schedule

      • actions array[object] Required

        The Attack Discovery schedule actions

        One of:
      • created_at string(date-time) Required

        The date the schedule was created

      • created_by string Required

        The name of the user that created the schedule

      • enabled boolean Required

        Indicates whether the schedule is enabled

      • id string Required

        UUID of Attack Discovery schedule

      • last_execution object

        Attack Discovery schedule execution information

        • date string(date-time) Required

          Date of the execution

        • duration number

          Duration of the execution

        • message string
        • status string Required

          An Attack Discovery schedule execution status

          Values are ok, active, error, unknown, or warning.

      • name string Required

        The name of the schedule

      • params object Required

        Attack Discovery schedule parameters

        • alerts_index_pattern string Required

          The index pattern to get alerts from

        • api_config object Required

          LLM API configuration.

          • actionTypeId string Required

            Action type ID

          • connectorId string Required

            Connector ID

          • defaultSystemPromptId string

            Default system prompt ID

          • model string

            Model

          • provider string

            Provider

            Values are OpenAI, Azure OpenAI, or Other.

          • name string Required

            The name of the connector

        • combined_filter object

          Additional properties are allowed.

        • end string
        • filters array

          The filter array used to define the conditions for when alerts are selected as an Attack Discovery context. Defaults to an empty array.

        • query object

          A query condition to filter alerts

        • size number Required
        • start string
      • schedule object Required
        • interval string Required

          The schedule interval

      • updated_at string(date-time) Required

        The date the schedule was updated

      • updated_by string Required

        The name of the user that updated the schedule

    • page number Required

      Current page number of the paginated result set.

    • per_page number Required

      Number of items requested per page.

    • total number Required

      Total number of Attack Discovery schedules matching the query (across all pages).

  • 400 application/json

    Bad Request response.

    • error string

      Error type

    • message string

      Human-readable error message

    • status_code number

      HTTP status code

GET /api/attack_discovery/schedules/_find
curl \
 --request GET 'http://localhost:5601/api/attack_discovery/schedules/_find' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json"
Response examples (200)
{
  "data": [
    {
      "actions": [],
      "created_at": "2023-10-31T10:00:00.000Z",
      "created_by": "elastic",
      "enabled": true,
      "id": "12345678-1234-1234-1234-123456789012",
      "name": "Daily Security Analysis",
      "params": {
        "alerts_index_pattern": ".alerts-security.alerts-default",
        "api_config": {
          "actionTypeId": "bedrock",
          "connectorId": "my-bedrock-connector",
          "name": "Claude 3.5 Sonnet"
        },
        "end": "now",
        "size": 100,
        "start": "now-24h"
      },
      "schedule": {
        "interval": "24h"
      },
      "updated_at": "2023-10-31T10:00:00.000Z",
      "updated_by": "elastic"
    }
  ],
  "page": 1,
  "per_page": 10,
  "total": 1
}
Response examples (400)
{
  "error": "Bad Request",
  "message": "Invalid request payload.",
  "status_code": 400
}
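
Added example (not part of the Kibana documentation): a Python client that walks every page of this endpoint using page, per_page and total, then reviews each schedule's params.api_config.connectorId and last_execution.status. The approved-connector allow-list, the review policy, the helper names and the sample schedules are assumptions constructed for illustration.

```python
import json
import urllib.parse
import urllib.request

FIND_PATH = "/api/attack_discovery/schedules/_find"  # endpoint documented on this page

def http_fetch(base_url, auth_header):  # returns fetch(params) that issues the real GET
    def fetch(params):
        url = f"{base_url}{FIND_PATH}?{urllib.parse.urlencode(params)}"
        req = urllib.request.Request(url, headers={"Authorization": auth_header})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch

def iter_schedules(fetch, per_page=10):
    """Yield every schedule, requesting pages until `total` items were seen."""
    page, seen = 1, 0
    while True:
        body = fetch({"page": page, "per_page": per_page, "sort_field": "name"})
        yield from body["data"]
        seen += len(body["data"])
        if not body["data"] or seen >= body["total"]:  # empty page prevents an endless loop
            return
        page += 1

def audit(schedules, approved_connectors):
    """Return (schedule id, finding) pairs; the review policy is an assumption."""
    findings = []
    for s in schedules:
        connector = s["params"]["api_config"]["connectorId"]
        if connector not in approved_connectors:
            findings.append((s["id"], f"unapproved connector: {connector}"))
        last = s.get("last_execution")  # optional in the response schema
        if s["enabled"] and last and last["status"] in ("error", "warning"):
            findings.append((s["id"], f"last execution status: {last['status']}"))
    return findings

def make_sample(sid, connector, status=None):  # constructed data, not real output
    s = {"id": sid, "enabled": True, "params": {"api_config": {"connectorId": connector}}}
    if status:
        s["last_execution"] = {"date": "2023-10-31T10:00:00.000Z", "status": status}
    return s

SAMPLE = [make_sample("a", "my-bedrock-connector", "ok"),
          make_sample("b", "personal-llm", "error"), make_sample("c", "my-bedrock-connector")]

def sample_fetch(params):  # offline stand-in for http_fetch(), pages over SAMPLE
    page, n = params["page"], params["per_page"]
    return {"data": SAMPLE[(page - 1) * n:page * n], "page": page, "per_page": n, "total": len(SAMPLE)}
```

Against a live instance, pass http_fetch("http://localhost:5601", API_KEY) in place of sample_fetch, where API_KEY holds the same Authorization header value used in the curl example.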