Get a single Attack Discovery generation, including its discoveries and (optional) generation metadata

GET /api/attack_discovery/generations/{execution_uuid}
Api key auth

Spaces method and path for this operation:

get /s/{space_id}/api/attack_discovery/generations/{execution_uuid}

Refer to Spaces for more information.

Returns a specific Attack Discovery generation, including all generated Attack discoveries and associated metadata, including execution status and statistics.

Path parameters

  • execution_uuid string(nonempty) Required

    The unique identifier for the Attack Discovery generation execution. This UUID is returned at the start of an Attack Discovery generation.

    Minimum length is 1.

Query parameters

  • enable_field_rendering boolean

    Enables a markdown syntax used to render pivot fields, for example {{ user.name james }}. When disabled, the same example would be rendered as james. This is primarily used for Attack Discovery views within Kibana. Defaults to false.

    Default value is false.

  • with_replacements boolean

    When true, return the created Attack discoveries with text replacements applied to the detailsMarkdown, entitySummaryMarkdown, summaryMarkdown, and title fields. Defaults to true.

    Default value is true.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • data array[object] Required

      Array of Attack discoveries generated during this execution.

      Hide data attributes Show data attributes object

      An attack discovery that's also an alert (Public API with snake_case)

      • alert_ids array[string] Required

        The alert IDs that the attack discovery is based on

      • alert_rule_uuid string

        The optional kibana.alert.rule.uuid of the rule that generated this attack discovery (not applicable to ad hock runs)

      • alert_start string

        The optional time the attack discovery alert was created

      • alert_updated_at string

        The optional time the attack discovery alert was last updated

      • alert_updated_by_user_id string

        The optional id of the user who last updated the attack discovery alert

      • alert_updated_by_user_name string

        The optional username of the user who updated the attack discovery alert

      • alert_workflow_status string

        The optional kibana.alert.workflow_status of this attack discovery

      • alert_workflow_status_updated_at string

        The optional time the attack discovery alert workflow status was last updated

      • assignees array[string]

        The optional array of user-IDs who have been assigned the attack

      • connector_id string Required

        The ID of the connector that generated the attack discovery

      • connector_name string Required

        The (human readable) name of the connector that generated the attack discovery

      • details_markdown string Required

        Details of the attack with bulleted markdown that always uses special syntax for field names and values from the source data.

      • entity_summary_markdown string

        An optional, short (no more than a sentence) summary of the attack discovery featuring only the host.name and user.name fields (when they are applicable), using the same syntax

      • generation_uuid string Required

        The generation ID of the run that created the attack discovery

      • id string Required

        The unique ID of the attack discovery

      • index string

        The concrete Elasticsearch index where this attack discovery is stored

      • mitre_attack_tactics array[string]

        An optional array of MITRE ATT&CK tactic for the attack discovery

      • replacements object

        Replacements object used to anonymize/deanonymize messages

        Hide replacements attribute Show replacements attribute object
        • * string Additional properties
      • risk_score integer

        The optional, (but typically populated after generation) risk score of the alert

      • summary_markdown string Required

        A markdown summary of attack discovery, using the same syntax

      • tags array[string]

        The optional array of tags assigned the attack

      • timestamp string(nonempty) Required

        A string that represents a timestamp in ISO 8601 format and does not contain only whitespace characters.

        Minimum length is 1.

      • title string Required

        A title for the attack discovery, in plain text

      • user_id string

        The optional id of the user who generated the attack discovery

      • user_name string

        The optional username of the user who generated the attack discovery, (not applicable to attack discoveries generated by rules)

      • users array[object]

        The optional array of users who may view the attack discovery. When empty, (or not present), all users may view the attack discovery.

        Hide users attributes Show users attributes object

        Could be any string, not necessarily a UUID.

        • id string

          User id.

        • name string

          User name.

    • generation object
      Hide generation attributes Show generation attributes object
      • alerts_context_count number

        The number of alerts sent as context (max kibana.alert.rule.execution.metrics.alert_counts.active) to the LLM for the generation

      • connector_id string Required

        The connector id (event.dataset) for this generation

      • connector_stats object

        Stats applicable to the connector for this generation

        Hide connector_stats attributes Show connector_stats attributes object
        • average_successful_duration_nanoseconds number

          The average duration (avg event.duration) in nanoseconds of successful generations for the same connector id, for the current user

        • successful_generations number

          The number of successful generations for the same connector id, for the current user

      • discoveries number Required

        The number of new Attack discovery alerts (max kibana.alert.rule.execution.metrics.alert_counts.new) for this generation

      • end string

        When generation ended (max event.end)

      • execution_uuid string Required

        The unique identifier (kibana.alert.rule.execution.uuid) for the generation

      • loading_message string Required

        Generation loading message (kibana.alert.rule.execution.status)

      • reason string

        Reason for failed generations (event.reason)

      • start string Required

        When generation started (min event.start)

      • status string Required

        The status of the attack discovery generation

        Values are canceled, dismissed, failed, started, or succeeded.
  • 400 application/json

    Bad Request response.

    Hide response attributes Show response attributes object
    • error string Required

      Error type

    • message string Required

      Human-readable error message describing what went wrong with the request

    • status_code number Required

      HTTP status code
GET /api/attack_discovery/generations/{execution_uuid} 
curl \
 --request GET 'http://localhost:5601/api/attack_discovery/generations/2e13f386-46cf-4d65-9e2b-68609e132ba5' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json"
Response examples (200) 
{
  "data": [
    {
      "id": "c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f",
      "title": "Suspicious process execution on host-01"
    }
  ],
  "generation": {
    "alerts_context_count": 50,
    "discoveries": 1,
    "end": "2025-09-29T06:42:44.810Z",
    "execution_uuid": "2e13f386-46cf-4d65-9e2b-68609e132ba5",
    "start": "2025-09-29T06:42:08.962Z",
    "status": "succeeded"
  }
}
Response examples (400) 
{
  "error": "Bad Request",
  "message": "Invalid request parameters.",
  "status_code": 400
}