Add and remove detection alert tags

POST /api/detection_engine/signals/tags

Api key auth

Spaces method and path for this operation:

post /s/{space_id}/api/detection_engine/signals/tags

Refer to Spaces for more information.

Add tags to detection alerts, and remove them from alerts, by alert IDs or a query, in a single request.

You cannot add and remove the same alert tag in the same request.

application/json

Body Required

An object containing tags to add or remove and alert ids the changes will be applied

ids array[string(nonempty)] Required

A list of alerts ids.

At least 1 element. Minimum length of each is 1.
tags object Required

Object with list of tags to add and remove.
Hide tags attributes Show tags attributes object
- tags_to_add array[string(nonempty)] Required
  
  List of keywords to organize related alerts into categories that you can filter and group.
  
  Minimum length of each is 1.
- tags_to_remove array[string(nonempty)] Required
  
  List of keywords to organize related alerts into categories that you can filter and group.
  
  Minimum length of each is 1.

Responses

200 application/json

Successful response

Elasticsearch update by query response

Additional properties are allowed.
400 application/json

Invalid input data response
One of:
Security_Detections_API_PlatformErrorResponse object Security_Detections_API_SiemErrorResponse object
Hide attributes Show attributes

error string Required

message string Required

statusCode integer Required
Hide attributes Show attributes

message string Required

status_code integer Required
401 application/json

Unsuccessful authentication response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
500 application/json

Internal server error response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required

POST /api/detection_engine/signals/tags

curl \
 --request POST 'https://<KIBANA_URL>/api/detection_engine/signals/tags' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"ids":["549c7129c76cbd554aba1bd638f8a49dde95088f5832e50218358e7eca1cf16e"],"tags":{"tags_to_add":["Duplicate"],"tags_to_remove":[]}}'

Request examples

{
  "ids": [
    "549c7129c76cbd554aba1bd638f8a49dde95088f5832e50218358e7eca1cf16e"
  ],
  "tags": {
    "tags_to_add": [
      "Duplicate"
    ],
    "tags_to_remove": []
  }
}

{
  "ids": [
    "549c7129c76cbd554aba1bd638f8a49dde95088f5832e50218358e7eca1cf16e"
  ],
  "tags": {
    "tags_to_add": [],
    "tags_to_remove": [
      "Duplicate"
    ]
  }
}

Response examples (200)

{
  "batches": "1,",
  "deleted": "0,",
  "failures": [],
  "noops": "0,",
  "requests_per_second": "-1,",
  "retries": {
    "bulk": "0,",
    "search": 0
  },
  "throttled_millis": "0,",
  "throttled_until_millis": "0,",
  "timed_out": "false,",
  "took": "68,",
  "total": "1,",
  "updated": "1,",
  "version_conflicts": "0,"
}

Response examples (400)

{
  "error": "Bad Request",
  "message": "[request body].tags: cannot add and remove the same tag in a single request",
  "statusCode": 400
}

Response examples (401)

{
  "error": "Unauthorized",
  "message": "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
  "statusCode": 401
}

Response examples (500)

{
  "message": "Internal Server Error",
  "status_code": 500
}