Create an agentless policy | Kibana Serverless API documentation

Create an agentless policy Technical Preview

View as Markdown

POST /api/fleet/agentless_policies

Api key auth

Spaces method and path for this operation:

post /s/{space_id}/api/fleet/agentless_policies

Refer to Spaces for more information.

Create an agentless policy

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Query parameters

format string

The format of the response package policy.

Values are legacy or simplified. Default value is simplified.

application/json

Body

additional_datastreams_permissions array[string] | null

Additional datastream permissions, that will be added to the agent policy.
cloud_connector object

Additional properties are NOT allowed.
Hide cloud_connector attributes Show cloud_connector attributes object
- cloud_connector_id string
  
  ID of an existing cloud connector to reuse. If not provided, a new connector will be created.
- enabled boolean
  
  Whether cloud connectors are enabled for this policy.
  
  Default value is false.
- name string
  
  Optional name for the cloud connector. If not provided, will be auto-generated from credentials.
description string

Policy description.
force boolean

Force package policy creation even if the package is not verified, or if the agent policy is managed.
id string

Policy unique identifier.
inputs object

Package policy inputs. Refer to the integration documentation to know which inputs are available.
Hide inputs attribute Show inputs attribute object
- * object Additional properties
  
  Additional properties are NOT allowed.
  Hide * attributes Show * attributes object
  
  enabled boolean
  
  Enable or disable that input. Defaults to true (enabled).
  
  streams object
  
  Input streams. Refer to the integration documentation to know which streams are available.
  
  Hide streams attribute Show streams attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  enabled boolean
  
  Enable or disable that stream. Defaults to true (enabled).
  
  vars object
  
  Input/stream level variable. Refer to the integration documentation for more information.
  
  vars object
  
  Input/stream level variable. Refer to the integration documentation for more information.
name string Required

Unique name for the policy.
namespace string

Policy namespace. When not specified, it inherits the agent policy namespace.
package object Required

Additional properties are NOT allowed.
Hide package attributes Show package attributes object
- experimental_data_stream_features array[object]
  Hide experimental_data_stream_features attributes Show experimental_data_stream_features attributes object
  
  data_stream string Required
  
  features object Required
  
  Additional properties are NOT allowed.
  
  Hide features attributes Show features attributes object
  
  doc_value_only_numeric boolean
  
  doc_value_only_other boolean
  
  synthetic_source boolean
  
  tsdb boolean
- fips_compatible boolean
- name string Required
  
  Package name
- requires_root boolean
- title string
- version string Required
  
  Package version
vars object

Input/stream level variable. Refer to the integration documentation for more information.

Responses

200 application/json

Indicates a successful response
Hide response attribute Show response attribute object
- item object Required
  
  The created agentless package policy.
  
  Additional properties are NOT allowed.
  
  Hide item attributes Show item attributes object
  
  additional_datastreams_permissions array[string] | null
  
  Additional datastream permissions, that will be added to the agent policy.
  
  agents number
  
  cloud_connector_id string | null
  
  ID of the cloud connector associated with this package policy.
  
  created_at string Required
  
  created_by string Required
  
  description string
  
  Package policy description
  
  elasticsearch object
  
  Additional properties are allowed.
  
  Hide elasticsearch attribute Show elasticsearch attribute object
  
  privileges object
  
  Additional properties are allowed.
  
  Hide privileges attribute Show privileges attribute object
  
  cluster array[string]
  
  enabled boolean Required
  
  id string Required
  
  Package policy unique identifier.
  
  inputs array[object] | object Required
  
  Package policy inputs.
  
  Any of:
  array-1 array[object] object-2 object
  
  Hide attributes Show attributes object
  
  config object
  
  Package variable (see integration documentation for more information)
  
  Hide config attribute Show config attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  enabled boolean Required
  
  id string
  
  keep_enabled boolean
  
  policy_template string
  
  streams array[object] Required
  
  Hide streams attributes Show streams attributes object
  
  config object
  
  Package variable (see integration documentation for more information)
  
  Hide config attribute Show config attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  data_stream object Required
  
  Additional properties are NOT allowed.
  
  Hide data_stream attributes Show data_stream attributes object
  
  dataset string Required
  
  elasticsearch object
  
  Additional properties are NOT allowed.
  
  Hide elasticsearch attributes Show elasticsearch attributes object
  
  dynamic_dataset boolean
  
  dynamic_namespace boolean
  
  privileges object
  
  Additional properties are NOT allowed.
  
  Hide privileges attribute Show privileges attribute object
  
  indices array[string]
  
  type string Required
  
  enabled boolean Required
  
  id string
  
  keep_enabled boolean
  
  release string
  
  Values are ga, beta, or experimental.
  
  vars object
  
  Package variable (see integration documentation for more information)
  
  Hide vars attribute Show vars attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  type string Required
  
  vars object
  
  Package variable (see integration documentation for more information)
  
  Hide vars attribute Show vars attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  Package policy inputs. Refer to the integration documentation to know which inputs are available.
  
  Hide attribute Show attribute
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  enabled boolean
  
  Enable or disable that input. Defaults to true (enabled).
  
  streams object
  
  Input streams. Refer to the integration documentation to know which streams are available.
  
  Hide streams attribute Show streams attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  enabled boolean
  
  Enable or disable that stream. Defaults to true (enabled).
  
  vars object
  
  Input/stream level variable. Refer to the integration documentation for more information.
  
  vars object
  
  Input/stream level variable. Refer to the integration documentation for more information.
  
  is_managed boolean
  
  name string Required
  
  Unique name for the package policy.
  
  namespace string
  
  The package policy namespace. Leave blank to inherit the agent policy's namespace.
  
  output_id string | null
  
  overrides object | null
  
  Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
  
  Additional properties are NOT allowed.
  
  Hide overrides attribute Show overrides attribute object | null
  
  inputs object
  
  Additional properties are allowed.
  
  package object
  
  Additional properties are NOT allowed.
  
  Hide package attributes Show package attributes object
  
  experimental_data_stream_features array[object]
  
  Hide experimental_data_stream_features attributes Show experimental_data_stream_features attributes object
  
  data_stream string Required
  
  features object Required
  
  Additional properties are NOT allowed.
  
  Hide features attributes Show features attributes object
  
  doc_value_only_numeric boolean
  
  doc_value_only_other boolean
  
  synthetic_source boolean
  
  tsdb boolean
  
  fips_compatible boolean
  
  name string Required
  
  Package name
  
  requires_root boolean
  
  title string
  
  version string Required
  
  Package version
  
  policy_id string | null Deprecated
  
  ID of the agent policy which the package policy will be added to.
  
  policy_ids array[string]
  
  IDs of the agent policies which that package policy will be added to.
  
  revision number Required
  
  Package policy revision.
  
  secret_references array[object]
  
  Hide secret_references attribute Show secret_references attribute object
  
  id string Required
  
  spaceIds array[string]
  
  supports_agentless boolean | null
  
  Indicates whether the package policy belongs to an agentless agent policy.
  
  Default value is false.
  
  supports_cloud_connector boolean | null
  
  Indicates whether the package policy supports cloud connectors.
  
  Default value is false.
  
  updated_at string Required
  
  updated_by string Required
  
  vars object
  
  Package level variable.
  
  Any of:
  object-1 object object-2 object
  
  Package variable (see integration documentation for more information)
  
  Hide attribute Show attribute
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  Input/stream level variable. Refer to the integration documentation for more information.
  
  version string
  
  Package policy ES version.
400 application/json

Bad Request
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number
409 application/json

Conflict
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

POST /api/fleet/agentless_policies

curl \
 --request POST 'https://<KIBANA_URL>/api/fleet/agentless_policies' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"name":"ess_billing-1","inputs":{"ESS Billing-cel":{"vars":{"api_key":"\u003cREPLACE_WITH_YOUR_API_KEY\u003e","organization_id":"1234"},"enabled":true,"streams":{"ess_billing.billing":{"vars":{"tags":["forwarded","billing"],"lookbehind":365,"hide_sensitive":true,"http_client_timeout":"30s"},"enabled":true},"ess_billing.credits":{"enabled":false}}}},"package":{"name":"ess_billing","version":"1.6.0"},"namespace":"default","description":"test"}'

Request examples

Example request to create agentless policies

{
  "name": "ess_billing-1",
  "inputs": {
    "ESS Billing-cel": {
      "vars": {
        "api_key": "<REPLACE_WITH_YOUR_API_KEY>",
        "organization_id": "1234"
      },
      "enabled": true,
      "streams": {
        "ess_billing.billing": {
          "vars": {
            "tags": [
              "forwarded",
              "billing"
            ],
            "lookbehind": 365,
            "hide_sensitive": true,
            "http_client_timeout": "30s"
          },
          "enabled": true
        },
        "ess_billing.credits": {
          "enabled": false
        }
      }
    }
  },
  "package": {
    "name": "ess_billing",
    "version": "1.6.0"
  },
  "namespace": "default",
  "description": "test"
}

Example request to create agentless policy reusing an existing AWS cloud connector

{
  "name": "cspm-aws-reuse-policy",
  "vars": {
    "posture": "cspm",
    "deployment": "aws"
  },
  "inputs": {
    "cspm-cloudbeat/cis_aws": {
      "vars": {
        "cloud_formation_template": "https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml"
      },
      "enabled": true,
      "streams": {
        "cloud_security_posture.findings": {
          "vars": {
            "role_arn": "arn:aws:iam::123456789012:role/TestRole",
            "external_id": {
              "id": "ABCDEFGHIJKLMNOPQRST",
              "isSecretRef": true
            },
            "aws.account_type": "organization-account",
            "aws.credentials.type": "cloud_connector",
            "aws.supports_cloud_connectors": true
          },
          "enabled": true
        }
      }
    },
    "cspm-cloudbeat/cis_gcp": {
      "enabled": false
    },
    "cspm-cloudbeat/cis_azure": {
      "enabled": false
    }
  },
  "package": {
    "name": "cloud_security_posture",
    "version": "3.1.1"
  },
  "namespace": "default",
  "description": "CSPM integration for AWS reusing existing cloud connector",
  "cloud_connector": {
    "target_csp": "aws",
    "cloud_connector_id": "existing-aws-connector-id"
  }
}

Example request to create agentless policy with AWS cloud connector

{
  "name": "cspm-aws-policy",
  "vars": {
    "posture": "cspm",
    "deployment": "aws"
  },
  "inputs": {
    "cspm-cloudbeat/cis_aws": {
      "vars": {
        "cloud_formation_template": "https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml"
      },
      "enabled": true,
      "streams": {
        "cloud_security_posture.findings": {
          "vars": {
            "role_arn": "arn:aws:iam::123456789012:role/TestRole",
            "external_id": {
              "id": "ABCDEFGHIJKLMNOPQRST",
              "isSecretRef": true
            },
            "aws.account_type": "organization-account",
            "aws.credentials.type": "cloud_connector",
            "aws.supports_cloud_connectors": true
          },
          "enabled": true
        }
      }
    },
    "cspm-cloudbeat/cis_gcp": {
      "enabled": false
    },
    "cspm-cloudbeat/cis_azure": {
      "enabled": false
    }
  },
  "package": {
    "name": "cloud_security_posture",
    "version": "3.1.1"
  },
  "namespace": "default",
  "description": "CSPM integration for AWS with cloud connector",
  "cloud_connector": {
    "target_csp": "aws"
  }
}

Example request to create agentless policy with Azure cloud connector

{
  "name": "cspm-azure-policy",
  "vars": {
    "posture": "cspm",
    "deployment": "azure"
  },
  "inputs": {
    "cspm-cloudbeat/cis_aws": {
      "enabled": false
    },
    "cspm-cloudbeat/cis_gcp": {
      "enabled": false
    },
    "cspm-cloudbeat/cis_azure": {
      "enabled": true,
      "streams": {
        "cloud_security_posture.findings": {
          "vars": {
            "client_id": {
              "id": "client-secret-id",
              "isSecretRef": true
            },
            "tenant_id": {
              "id": "tenant-secret-id",
              "isSecretRef": true
            },
            "azure.account_type": "organization-account",
            "azure_credentials_cloud_connector_id": {
              "type": "text",
              "value": "existing-azure-credentials-connector-id"
            }
          },
          "enabled": true
        }
      }
    }
  },
  "package": {
    "name": "cloud_security_posture",
    "version": "3.1.1"
  },
  "namespace": "default",
  "description": "CSPM integration for Azure with cloud connector",
  "cloud_connector": {
    "target_csp": "azure"
  }
}

Response examples (200)

Example response showing the successful result of communication initialisation over MCP protocol

{
  "item": {
    "id": "d52a7812-5736-4fdc-aed8-72152afa1ffa",
    "name": "ess_billing-1",
    "inputs": {
      "ESS Billing-cel": {
        "vars": {
          "url": "https://billing.elastic-cloud.com",
          "api_key": {
            "id": "QY1sWpoBbWcMW-edr0Ee",
            "isSecretRef": true
          },
          "organization_id": "1234"
        },
        "enabled": true,
        "streams": {
          "ess_billing.billing": {
            "vars": {
              "tags": [
                "forwarded",
                "billing"
              ],
              "lookbehind": 365,
              "hide_sensitive": true,
              "http_client_timeout": "30s"
            },
            "enabled": true
          },
          "ess_billing.credits": {
            "enabled": false
          }
        }
      }
    },
    "enabled": true,
    "package": {
      "name": "ess_billing",
      "title": "Elasticsearch Service Billing",
      "version": "1.6.0"
    },
    "version": "WzE0OTgsMV0=",
    "revision": 1,
    "namespace": "default",
    "created_at": "2025-11-06T18:27:43.541Z",
    "created_by": "test_user",
    "updated_at": "2025-11-06T18:27:43.541Z",
    "updated_by": "test_user",
    "description": "test",
    "secret_references": [
      {
        "id": "QY1sWpoBbWcMW-edr0Ee"
      }
    ],
    "supports_agentless": true
  }
}

Example response for AWS cloud connector integration

{
  "item": {
    "id": "aws-policy-12345",
    "name": "cspm-aws-policy",
    "vars": {
      "posture": "cspm",
      "deployment": "aws"
    },
    "inputs": {
      "cspm-cloudbeat/cis_aws": {
        "vars": {
          "cloud_formation_template": "https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml"
        },
        "enabled": true,
        "streams": {
          "cloud_security_posture.findings": {
            "vars": {
              "role_arn": "arn:aws:iam::123456789012:role/TestRole",
              "external_id": {
                "id": "secret-external-id-123",
                "isSecretRef": true
              },
              "aws.account_type": "organization-account",
              "aws.credentials.type": "cloud_connector"
            },
            "enabled": true
          }
        }
      },
      "cspm-cloudbeat/cis_gcp": {
        "enabled": false
      },
      "cspm-cloudbeat/cis_azure": {
        "enabled": false
      }
    },
    "enabled": true,
    "package": {
      "name": "cloud_security_posture",
      "title": "Cloud Security Posture Management",
      "version": "3.1.1"
    },
    "version": "WzE0OTgsMV0=",
    "revision": 1,
    "namespace": "default",
    "created_at": "2025-11-06T18:27:43.541Z",
    "created_by": "test_user",
    "updated_at": "2025-11-06T18:27:43.541Z",
    "updated_by": "test_user",
    "description": "CSPM integration for AWS with cloud connector",
    "secret_references": [
      {
        "id": "secret-external-id-123"
      }
    ],
    "cloud_connector_id": "aws-connector-67890",
    "supports_agentless": true,
    "supports_cloud_connector": true
  }
}

Example response for Azure cloud connector integration

{
  "item": {
    "id": "azure-policy-12345",
    "name": "cspm-azure-policy",
    "vars": {
      "posture": "cspm",
      "deployment": "azure"
    },
    "inputs": {
      "cspm-cloudbeat/cis_aws": {
        "enabled": false
      },
      "cspm-cloudbeat/cis_gcp": {
        "enabled": false
      },
      "cspm-cloudbeat/cis_azure": {
        "enabled": true,
        "streams": {
          "cloud_security_posture.findings": {
            "vars": {
              "client_id": {
                "id": "client-secret-id-456",
                "isSecretRef": true
              },
              "tenant_id": {
                "id": "tenant-secret-id-123",
                "isSecretRef": true
              },
              "azure.account_type": "organization-account",
              "azure_credentials_cloud_connector_id": {
                "type": "text",
                "value": "existing-azure-credentials-connector-id"
              }
            },
            "enabled": true
          }
        }
      }
    },
    "enabled": true,
    "package": {
      "name": "cloud_security_posture",
      "title": "Cloud Security Posture Management",
      "version": "3.1.1"
    },
    "version": "WzE0OTgsMV0=",
    "revision": 1,
    "namespace": "default",
    "created_at": "2025-11-06T18:27:43.541Z",
    "created_by": "test_user",
    "updated_at": "2025-11-06T18:27:43.541Z",
    "updated_by": "test_user",
    "description": "CSPM integration for Azure with cloud connector",
    "secret_references": [
      {
        "id": "tenant-secret-id-123"
      },
      {
        "id": "client-secret-id-456"
      }
    ],
    "cloud_connector_id": "azure-connector-67890",
    "supports_agentless": true,
    "supports_cloud_connector": true
  }
}

Response examples (400)

Example of a generic error response

{
  "error": "Bad Request",
  "message": "An error message describing what went wrong",
  "statusCode": 400
}

Response examples (409)

Example of a conflict error response

{
  "error": "Conflict",
  "message": "An error message describing what went wrong",
  "statusCode": 409
}

Create an agentless policy Technical Preview

Headers

Query parameters

Body

Responses

inputs array[object] | object Required

vars object