Assign and unassign users from detection alerts

POST /api/detection_engine/signals/assignees

Spaces method and path for this operation:

POST /s/{space_id}/api/detection_engine/signals/assignees

Refer to Spaces for more information.

Assign users to detection alerts, and unassign them from alerts.

You cannot add and remove the same assignee in the same request.

application/json

Body Required

User profile IDs to add or remove on each listed alert document ID.

  • assignees object Required
    • add array[string(nonempty)] Required

      A list of user profile uids to assign. Users need to activate their user profile by logging into Kibana at least once.

      Minimum length of each is 1.

    • remove array[string(nonempty)] Required

      A list of user profile uids to unassign. Users need to activate their user profile by logging into Kibana at least once.

      Minimum length of each is 1.

  • ids array[string(nonempty)] Required

    A list of alert IDs.

    At least 1 element. Minimum length of each is 1.

Responses

  • 200 application/json

    Indicates a successful call.

  • 400 application/json

    Invalid input data response

    One of:
  • 401 application/json

    Unsuccessful authentication response

    • error string Required
    • message string Required
    • statusCode integer Required
  • 403 application/json

    Not enough privileges response

    • error string Required
    • message string Required
    • statusCode integer Required
  • 500 application/json

    Internal server error response

    • message string Required
    • status_code integer Required
POST /api/detection_engine/signals/assignees
curl \
 --request POST 'https://<KIBANA_URL>/api/detection_engine/signals/assignees' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"assignees":{"add":["u_MxY0jbrft7EcfC6iNZSUGeI_n6iYrSwZj5mWF5EqmSU_0"],"remove":[]},"ids":["681c2a707335aa7df5f349b70013d87254746191712ecf0ced9b3e2d538503a6"]}'
Request examples
{
  "assignees": {
    "add": [
      "u_MxY0jbrft7EcfC6iNZSUGeI_n6iYrSwZj5mWF5EqmSU_0"
    ],
    "remove": []
  },
  "ids": [
    "681c2a707335aa7df5f349b70013d87254746191712ecf0ced9b3e2d538503a6"
  ]
}

{
  "assignees": {
    "add": [],
    "remove": [
      "u_MxY0jbrft7EcfC6iNZSUGeI_n6iYrSwZj5mWF5EqmSU_0"
    ]
  },
  "ids": [
    "681c2a707335aa7df5f349b70013d87254746191712ecf0ced9b3e2d538503a6"
  ]
}
Response examples (200)
{
  "batches": 1,
  "deleted": 0,
  "failures": [],
  "noops": 0,
  "requests_per_second": -1,
  "retries": {
    "bulk": 0,
    "search": 0
  },
  "throttled_millis": 0,
  "throttled_until_millis": 0,
  "timed_out": false,
  "took": 76,
  "total": 1,
  "updated": 1,
  "version_conflicts": 0
}
Response examples (400)
{
  "error": "Bad Request",
  "message": "[request body].ids: at least one alert id is required to update assignees",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
  "statusCode": 401
}
Response examples (403)
{
  "error": "Forbidden",
  "message": "API [POST /api/detection_engine/signals/assignees] is unauthorized for the current user, this action is granted by the Kibana Security Solution privileges for cases and detections",
  "statusCode": 403
}
Response examples (500)
{
  "message": "Internal Server Error",
  "status_code": 500
}
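
Added example, not part of the Kibana documentation: a Python helper that enforces the body constraints listed above before a request is sent (non-empty `ids`, non-empty strings, no assignee in both `add` and `remove`) and checks a 200 response for alerts that were not actually updated. The function names, the `kibana.example` host used with it, and the rule that `updated` plus `noops` should equal the number of IDs sent are assumptions made for illustration.

```python
import json
import urllib.request

ASSIGNEES_PATH = "/api/detection_engine/signals/assignees"


def build_assignees_body(alert_ids, add=(), remove=()):
    """Return the JSON body, enforcing the constraints the schema above lists."""
    add, remove, alert_ids = list(add), list(remove), list(alert_ids)
    if not alert_ids:
        raise ValueError("ids: at least one alert id is required")
    for name, values in (("ids", alert_ids), ("add", add), ("remove", remove)):
        if any(not isinstance(v, str) or not v for v in values):
            raise ValueError(f"{name}: every entry must be a non-empty string")
    overlap = sorted(set(add) & set(remove))
    if overlap:
        raise ValueError(f"same assignee in add and remove: {overlap}")
    return {"assignees": {"add": add, "remove": remove}, "ids": alert_ids}


def build_request(kibana_url, authorization, body, space_id=None):
    """Build (not send) the POST; authorization is the full header value."""
    prefix = f"/s/{space_id}" if space_id else ""  # Spaces form of the path
    return urllib.request.Request(
        kibana_url.rstrip("/") + prefix + ASSIGNEES_PATH,
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Authorization": authorization,
                 "Content-Type": "application/json"},
    )


def unapplied(response, expected):
    """Reasons a 200 response did not cover all expected alerts (empty = OK)."""
    problems = []
    if response.get("failures"):
        problems.append(f"{len(response['failures'])} failures")
    if response.get("version_conflicts"):
        problems.append(f"{response['version_conflicts']} version conflicts")
    if response.get("timed_out"):
        problems.append("timed out")
    # Assumption: every alert sent should be counted as updated or as a noop.
    handled = response.get("updated", 0) + response.get("noops", 0)
    if handled != expected:
        problems.append(f"handled {handled} of {expected}")
    return problems
```

Pass the returned request to `urllib.request.urlopen` to send it, then run `unapplied` on the decoded JSON so that a 200 with version conflicts or failures is not mistaken for a completed assignment.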