POST /api/attack_discovery/_bulk
Api key auth

Spaces method and path for this operation:

post /s/{space_id}/api/attack_discovery/_bulk

Refer to Spaces for more information.

Performs bulk updates on multiple Attack discoveries, including workflow status changes and visibility settings. This endpoint allows efficient batch processing of alert modifications without requiring individual API calls for each alert.

application/json

Body Required

Bulk update parameters for Attack discoveries

  • update object Required

    Configuration object containing all parameters for the bulk update operation

    Hide update attributes Show update attributes object
    • enable_field_rendering boolean

      Enables a markdown syntax used to render pivot fields, for example {{ user.name james }}. When disabled, the same example would be rendered as james. This is primarily used for Attack Discovery views within Kibana. Defaults to false.

      Default value is false.

    • ids array[string] Required

      Array of Attack Discovery IDs to update

    • kibana_alert_workflow_status string

      When provided, update the kibana.alert.workflow_status of the attack discovery alerts

      Values are open, acknowledged, or closed.

    • visibility string

      When provided, update the visibility of the alert, as determined by the kibana.alert.attack_discovery.users field

      Values are not_shared or shared.

    • with_replacements boolean

      When true, returns the updated Attack discoveries with text replacements applied to the detailsMarkdown, entitySummaryMarkdown, summaryMarkdown, and title fields. This substitutes anonymized values with human-readable equivalents. Defaults to true.

      Default value is true.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attribute Show response attribute object
    • data array[object] Required

      Array of updated Attack Discovery alert objects. Each item includes the applied modifications from the bulk update request.

      Hide data attributes Show data attributes object

      An attack discovery that's also an alert (Public API with snake_case)

      • alert_ids array[string] Required

        The alert IDs that the attack discovery is based on

      • alert_rule_uuid string

        The optional kibana.alert.rule.uuid of the rule that generated this attack discovery (not applicable to ad hock runs)

      • alert_start string

        The optional time the attack discovery alert was created

      • alert_updated_at string

        The optional time the attack discovery alert was last updated

      • alert_updated_by_user_id string

        The optional id of the user who last updated the attack discovery alert

      • alert_updated_by_user_name string

        The optional username of the user who updated the attack discovery alert

      • alert_workflow_status string

        The optional kibana.alert.workflow_status of this attack discovery

      • alert_workflow_status_updated_at string

        The optional time the attack discovery alert workflow status was last updated

      • assignees array[string]

        The optional array of user-IDs who have been assigned the attack

      • connector_id string Required

        The ID of the connector that generated the attack discovery

      • connector_name string Required

        The (human readable) name of the connector that generated the attack discovery

      • details_markdown string Required

        Details of the attack with bulleted markdown that always uses special syntax for field names and values from the source data.

      • entity_summary_markdown string

        An optional, short (no more than a sentence) summary of the attack discovery featuring only the host.name and user.name fields (when they are applicable), using the same syntax

      • generation_uuid string Required

        The generation ID of the run that created the attack discovery

      • id string Required

        The unique ID of the attack discovery

      • index string

        The concrete Elasticsearch index where this attack discovery is stored

      • mitre_attack_tactics array[string]

        An optional array of MITRE ATT&CK tactic for the attack discovery

      • replacements object

        Replacements object used to anonymize/deanonymize messages

        Hide replacements attribute Show replacements attribute object
        • * string Additional properties
      • risk_score integer

        The optional, (but typically populated after generation) risk score of the alert

      • summary_markdown string Required

        A markdown summary of attack discovery, using the same syntax

      • tags array[string]

        The optional array of tags assigned the attack

      • timestamp string(nonempty) Required

        A string that represents a timestamp in ISO 8601 format and does not contain only whitespace characters.

        Minimum length is 1.

      • title string Required

        A title for the attack discovery, in plain text

      • user_id string

        The optional id of the user who generated the attack discovery

      • user_name string

        The optional username of the user who generated the attack discovery, (not applicable to attack discoveries generated by rules)

      • users array[object]

        The optional array of users who may view the attack discovery. When empty, (or not present), all users may view the attack discovery.

        Hide users attributes Show users attributes object

        Could be any string, not necessarily a UUID.

        • id string

          User id.

        • name string

          User name.
  • 400 application/json

    Bad Request response.

    Hide response attributes Show response attributes object
    • error string Required

      Error type

    • message string Required

      Human-readable error message describing what went wrong with the bulk update request

    • status_code number Required

      HTTP status code
POST /api/attack_discovery/_bulk 
curl \
 --request POST 'http://localhost:5601/api/attack_discovery/_bulk' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data-raw '{
   "update": {
     "ids": [
       "c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f",
       "5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7"
     ],
     "kibana_alert_workflow_status": "acknowledged"
   }
 }'
Request example 
{
  "update": {
    "enable_field_rendering": false,
    "ids": [
      "c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f",
      "5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7"
    ],
    "kibana_alert_workflow_status": "acknowledged",
    "with_replacements": true
  }
}
Response examples (200) 
{
  "data": [
    {
      "alert_ids": [
        "alert-abc-1"
      ],
      "alert_workflow_status": "acknowledged",
      "connector_id": "gen-ai-connector",
      "connector_name": "OpenAI GPT-4",
      "details_markdown": "- **Host** `workstation-01` showed credential access patterns consistent with mimikatz.",
      "generation_uuid": "550e8400-e29b-41d4-a716-446655440000",
      "id": "c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f",
      "summary_markdown": "A user account was compromised using mimikatz to dump credentials.",
      "timestamp": "2024-01-15T10:00:00.000Z",
      "title": "Credential theft via mimikatz"
    }
  ]
}
Response examples (400) 
{
  "error": "Bad Request",
  "message": "Invalid request parameters.",
  "status_code": 400
}