Introduction | Kibana API documentation (v8)

Get the alerting framework health

GET /api/alerting/_health

You must have read privileges for the Management > Stack Rules feature or for at least one of the Analytics > Discover, Analytics > Machine Learning, Observability, or Security features.

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- alerting_framework_health object
  
  Three substates identify the health of the alerting framework: decryption_health, execution_health, and read_health.
  
  Hide alerting_framework_health attributes Show alerting_framework_health attributes object
  
  decryption_health object
  
  The timestamp and status of the rule decryption.
  
  Hide decryption_health attributes Show decryption_health attributes object
  
  status string
  
  Values are error, ok, or warn.
  
  timestamp string(date-time)
  
  execution_health object
  
  The timestamp and status of the rule run.
  
  Hide execution_health attributes Show execution_health attributes object
  
  status string
  
  Values are error, ok, or warn.
  
  timestamp string(date-time)
  
  read_health object
  
  The timestamp and status of the rule reading events.
  
  Hide read_health attributes Show read_health attributes object
  
  status string
  
  Values are error, ok, or warn.
  
  timestamp string(date-time)
- has_permanent_encryption_key boolean
  
  If false, the encrypted saved object plugin does not have a permanent encryption key.
- is_sufficiently_secure boolean
  
  If false, security is enabled but TLS is not.
401 application/json

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
  
  Value is Unauthorized.
- message string
- statusCode integer
  
  Value is 401.

GET /api/alerting/_health

curl \
 --request GET 'https://localhost:5601/api/alerting/_health' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "is_sufficiently_secure": true,
  "alerting_framework_health": {
    "read_health": {
      "status": "ok",
      "timestamp": "2023-01-13T01:28:00.280Z"
    },
    "execution_health": {
      "status": "ok",
      "timestamp": "2023-01-13T01:28:00.280Z"
    },
    "decryption_health": {
      "status": "ok",
      "timestamp": "2023-01-13T01:28:00.280Z"
    }
  },
  "has_permanent_encryption_key": true
}

Get the rule types

GET /api/alerting/rule_types

Api key auth Basic auth

If you have read privileges for one or more Kibana features, the API response contains information about the appropriate rule types. For example, there are rule types associated with the Management > Stack Rules feature, Analytics > Discover and Machine Learning features, Observability features, and Security features. To get rule types associated with the Stack Monitoring feature, use the monitoring_user built-in role.

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- action_groups array[object]
  
  An explicit list of groups for which the rule type can schedule actions, each with the action group's unique ID and human readable name. Rule actions validation uses this configuration to ensure that groups are valid.
  
  Hide action_groups attributes Show action_groups attributes object
  
  id string
  
  name string
- action_variables object
  
  A list of action variables that the rule type makes available via context and state in action parameter templates, and a short human readable description. When you create a rule in Kibana, it uses this information to prompt you for these variables in action parameter editors.
  
  Hide action_variables attributes Show action_variables attributes object
  
  context array[object]
  
  Hide context attributes Show context attributes object
  
  description string
  
  name string
  
  useWithTripleBracesInTemplates boolean
  
  params array[object]
  
  Hide params attributes Show params attributes object
  
  description string
  
  name string
  
  state array[object]
  
  Hide state attributes Show state attributes object
  
  description string
  
  name string
- alerts object
  
  Details for writing alerts as data documents for this rule type.
  
  Hide alerts attributes Show alerts attributes object
  
  context string
  
  The namespace for this rule type.
  
  Values are ml.anomaly-detection, observability.apm, observability.logs, observability.metrics, observability.slo, observability.threshold, observability.uptime, security, or stack.
  
  dynamic string
  
  Indicates whether new fields are added dynamically.
  
  Values are false, runtime, strict, or true.
  
  isSpaceAware boolean
  
  Indicates whether the alerts are space-aware. If true, space-specific alert indices are used.
  
  mappings object
  
  Hide mappings attribute Show mappings attribute object
  
  fieldMap object
  
  Mapping information for each field supported in alerts as data documents for this rule type. For more information about mapping parameters, refer to the Elasticsearch documentation.
  
  Hide fieldMap attribute Show fieldMap attribute object
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  array boolean
  
  Indicates whether the field is an array.
  
  dynamic boolean
  
  Indicates whether it is a dynamic field mapping.
  
  format string
  
  Indicates the format of the field. For example, if the type is date_range, the format can be epoch_millis||strict_date_optional_time.
  
  ignore_above integer
  
  Specifies the maximum length of a string field. Longer strings are not indexed or stored.
  
  index boolean
  
  Indicates whether field values are indexed.
  
  path string
  
  TBD
  
  properties object
  
  Details about the object properties. This property is applicable when type is object.
  
  Hide properties attribute Show properties attribute object
  
  * object Additional properties
  
  Hide * attribute Show * attribute object
  
  type string
  
  The data type for each object property.
  
  required boolean
  
  Indicates whether the field is required.
  
  scaling_factor integer
  
  The scaling factor to use when encoding values. This property is applicable when type is scaled_float. Values will be multiplied by this factor at index time and rounded to the closest long value.
  
  type string
  
  Specifies the data type for the field.
  
  secondaryAlias string
  
  A secondary alias. It is typically used to support the signals alias for detection rules.
  
  shouldWrite boolean
  
  Indicates whether the rule should write out alerts as data.
  
  useEcs boolean
  
  Indicates whether to include the ECS component template for the alerts.
  
  useLegacyAlerts boolean
  
  Indicates whether to include the legacy component template for the alerts.
  
  Default value is false.
- authorized_consumers object
  
  The list of the plugins IDs that have access to the rule type.
  
  Hide authorized_consumers attributes Show authorized_consumers attributes object
  
  alerts object
  
  Hide alerts attributes Show alerts attributes object
  
  all boolean
  
  read boolean
  
  apm object
  
  Hide apm attributes Show apm attributes object
  
  all boolean
  
  read boolean
  
  discover object
  
  Hide discover attributes Show discover attributes object
  
  all boolean
  
  read boolean
  
  infrastructure object
  
  Hide infrastructure attributes Show infrastructure attributes object
  
  all boolean
  
  read boolean
  
  logs object
  
  Hide logs attributes Show logs attributes object
  
  all boolean
  
  read boolean
  
  ml object
  
  Hide ml attributes Show ml attributes object
  
  all boolean
  
  read boolean
  
  monitoring object
  
  Hide monitoring attributes Show monitoring attributes object
  
  all boolean
  
  read boolean
  
  siem object
  
  Hide siem attributes Show siem attributes object
  
  all boolean
  
  read boolean
  
  slo object
  
  Hide slo attributes Show slo attributes object
  
  all boolean
  
  read boolean
  
  stackAlerts object
  
  Hide stackAlerts attributes Show stackAlerts attributes object
  
  all boolean
  
  read boolean
  
  uptime object
  
  Hide uptime attributes Show uptime attributes object
  
  all boolean
  
  read boolean
- category string
  
  The rule category, which is used by features such as category-specific maintenance windows.
  
  Values are management, observability, or securitySolution.
- default_action_group_id string
  
  The default identifier for the rule type group.
- does_set_recovery_context boolean
  
  Indicates whether the rule passes context variables to its recovery action.
- enabled_in_license boolean
  
  Indicates whether the rule type is enabled or disabled based on the subscription.
- has_alerts_mappings boolean
  
  Indicates whether the rule type has custom mappings for the alert data.
- has_fields_for_a_a_d boolean
- id string
  
  The unique identifier for the rule type.
- is_exportable boolean
  
  Indicates whether the rule type is exportable in Stack Management > Saved Objects.
- minimum_license_required string
  
  The subscriptions required to use the rule type.
- name string
  
  The descriptive name of the rule type.
- producer string
  
  An identifier for the application that produces this rule type.
- recovery_action_group object
  
  An action group to use when an alert goes from an active state to an inactive one.
  
  Hide recovery_action_group attributes Show recovery_action_group attributes object
  
  id string
  
  name string
- rule_task_timeout string
401 application/json

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
  
  Value is Unauthorized.
- message string
- statusCode integer
  
  Value is 401.

GET /api/alerting/rule_types

curl \
 --request GET 'https://localhost:5601/api/alerting/rule_types' \
 --header "Authorization: $API_KEY"

Response examples (200)

[
  {
    "id": "xpack.ml.anomaly_detection_alert",
    "name": "Anomaly detection alert",
    "alerts": {
      "context": "ml.anomaly-detection",
      "mappings": {
        "fieldMap": {
          "kibana.alert.job_id": {
            "type": "keyword",
            "array": false,
            "required": true
          },
          "kibana.alert.is_interim": {
            "type": "boolean",
            "array": false,
            "required": false
          },
          "kibana.alert.top_records": {
            "type": "object",
            "array": true,
            "dynamic": false,
            "required": false,
            "properties": {
              "actual": {
                "type": "double"
              },
              "job_id": {
                "type": "keyword"
              },
              "typical": {
                "type": "double"
              },
              "function": {
                "type": "keyword"
              },
              "timestamp": {
                "type": "date"
              },
              "field_name": {
                "type": "keyword"
              },
              "is_interim": {
                "type": "boolean"
              },
              "record_score": {
                "type": "double"
              },
              "by_field_name": {
                "type": "keyword"
              },
              "by_field_value": {
                "type": "keyword"
              },
              "detector_index": {
                "type": "integer"
              },
              "over_field_name": {
                "type": "keyword"
              },
              "over_field_value": {
                "type": "keyword"
              },
              "initial_record_score": {
                "type": "double"
              },
              "partition_field_name": {
                "type": "keyword"
              },
              "partition_field_value": {
                "type": "keyword"
              }
            }
          },
          "kibana.alert.anomaly_score": {
            "type": "double",
            "array": false,
            "required": false
          },
          "kibana.alert.top_influencers": {
            "type": "object",
            "array": true,
            "dynamic": false,
            "required": false,
            "properties": {
              "job_id": {
                "type": "keyword"
              },
              "timestamp": {
                "type": "date"
              },
              "is_interim": {
                "type": "boolean"
              },
              "influencer_score": {
                "type": "double"
              },
              "influencer_field_name": {
                "type": "keyword"
              },
              "influencer_field_value": {
                "type": "keyword"
              },
              "initial_influencer_score": {
                "type": "double"
              }
            }
          },
          "kibana.alert.anomaly_timestamp": {
            "type": "date",
            "array": false,
            "required": false
          }
        }
      },
      "shouldWrite": true
    },
    "category": "management",
    "producer": "ml",
    "action_groups": [
      {
        "id": "anomaly_score_match",
        "name": "Anomaly score matched the condition"
      },
      {
        "id": "recovered",
        "name": "Recovered"
      }
    ],
    "is_exportable": true,
    "action_variables": {
      "state": [],
      "params": [],
      "context": [
        {
          "name": "timestamp",
          "description": "The bucket timestamp of the anomaly"
        },
        {
          "name": "timestampIso8601",
          "description": "The bucket time of the anomaly in ISO8601 format"
        },
        {
          "name": "jobIds",
          "description": "List of job IDs that triggered the alert"
        },
        {
          "name": "message",
          "description": "Alert info message"
        },
        {
          "name": "isInterim",
          "description": "Indicate if top hits contain interim results"
        },
        {
          "name": "score",
          "description": "Anomaly score at the time of the notification action"
        },
        {
          "name": "topRecords",
          "description": "Top records"
        },
        {
          "name": "topInfluencers",
          "description": "Top influencers"
        },
        {
          "name": "anomalyExplorerUrl",
          "description": "URL to open in the Anomaly Explorer",
          "useWithTripleBracesInTemplates": true
        }
      ]
    },
    "rule_task_timeout": "5m",
    "enabled_in_license": true,
    "has_alerts_mappings": true,
    "authorized_consumers": {
      "ml": {
        "all": true,
        "read": true
      },
      "apm": {
        "all": true,
        "read": true
      },
      "slo": {
        "all": true,
        "read": true
      },
      "logs": {
        "all": true,
        "read": true
      },
      "siem": {
        "all": true,
        "read": true
      },
      "alerts": {
        "all": true,
        "read": true
      },
      "uptime": {
        "all": true,
        "read": true
      },
      "discover": {
        "all": true,
        "read": true
      },
      "monitoring": {
        "all": true,
        "read": true
      },
      "stackAlerts": {
        "all": true,
        "read": true
      },
      "infrastructure": {
        "all": true,
        "read": true
      }
    },
    "has_fields_for_a_a_d": false,
    "recovery_action_group": {
      "id": "recovered",
      "name": "Recovered"
    },
    "default_action_group_id": "anomaly_score_match",
    "minimum_license_required": "platinum",
    "does_set_recovery_context": true
  },
  {
    "id": "xpack.ml.anomaly_detection_jobs_health",
    "name": "Anomaly detection jobs health",
    "category": "management",
    "producer": "ml",
    "action_groups": [
      {
        "id": "anomaly_detection_realtime_issue",
        "name": "Issue detected"
      },
      {
        "id": "recovered",
        "name": "Recovered"
      }
    ],
    "is_exportable": true,
    "action_variables": {
      "state": [],
      "params": [],
      "context": [
        {
          "name": "results",
          "description": "Results of the rule execution"
        },
        {
          "name": "message",
          "description": "Alert info message"
        }
      ]
    },
    "rule_task_timeout": "5m",
    "enabled_in_license": true,
    "has_alerts_mappings": false,
    "authorized_consumers": {
      "ml": {
        "all": true,
        "read": true
      },
      "apm": {
        "all": true,
        "read": true
      },
      "slo": {
        "all": true,
        "read": true
      },
      "logs": {
        "all": true,
        "read": true
      },
      "siem": {
        "all": true,
        "read": true
      },
      "alerts": {
        "all": true,
        "read": true
      },
      "uptime": {
        "all": true,
        "read": true
      },
      "discover": {
        "all": true,
        "read": true
      },
      "monitoring": {
        "all": true,
        "read": true
      },
      "stackAlerts": {
        "all": true,
        "read": true
      },
      "infrastructure": {
        "all": true,
        "read": true
      }
    },
    "has_fields_for_a_a_d": false,
    "recovery_action_group": {
      "id": "recovered",
      "name": "Recovered"
    },
    "default_action_group_id": "anomaly_detection_realtime_issue",
    "minimum_license_required": "platinum",
    "does_set_recovery_context": true
  }
]

Create a rule

POST /api/alerting/rule/{id}

Api key auth Basic auth

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

id string Required

The identifier for the rule. If it is omitted, an ID is randomly generated.

application/json

Body

actions array[object]

An action that runs under defined conditions.

Default value is [] (empty).
Hide actions attributes Show actions attributes object
- alerts_filter object
  
  Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
  
  Additional properties are NOT allowed.
  Hide alerts_filter attributes Show alerts_filter attributes object
  
  query object
  
  Additional properties are NOT allowed.
  
  Hide query attributes Show query attributes object
  
  dsl string
  
  A filter written in Elasticsearch Query Domain Specific Language (DSL).
  
  filters array[object] Required
  
  A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the kbn-es-query package.
  
  Hide filters attributes Show filters attributes object
  
  $state object
  
  Additional properties are NOT allowed.
  
  Hide $state attribute Show $state attribute object
  
  store string Required
  
  A filter can be either specific to an application context or applied globally.
  
  Values are appState or globalState.
  
  meta object Required
  
  Additional properties are allowed.
  
  query object
  
  Additional properties are allowed.
  
  kql string Required
  
  A filter written in Kibana Query Language (KQL).
  
  timeframe object
  
  Defines a period that limits whether the action runs.
  
  Additional properties are NOT allowed.
  
  Hide timeframe attributes Show timeframe attributes object
  
  days array[integer] Required
  
  Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.
  
  Values are 1, 2, 3, 4, 5, 6, or 7.
  
  hours object Required
  
  Defines the range of time in a day that the action can run. If the start value is 00:00 and the end value is 24:00, actions be generated all day.
  
  Additional properties are NOT allowed.
  
  Hide hours attributes Show hours attributes object
  
  end string Required
  
  The end of the time frame in 24-hour notation (hh:mm).
  
  start string Required
  
  The start of the time frame in 24-hour notation (hh:mm).
  
  timezone string Required
  
  The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.
- frequency object
  
  Additional properties are NOT allowed.
  Hide frequency attributes Show frequency attributes object
  
  notify_when string Required
  
  Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  
  Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
  
  summary boolean Required
  
  Indicates whether the action is a summary.
  
  throttle string | null Required
  
  The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
- group string
  
  The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.
- id string Required
  
  The identifier for the connector saved object.
- params object
  
  The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.
  
  Default value is {} (empty). Additional properties are allowed.
- use_alert_data_for_template boolean
  
  Indicates whether to use alert data as a template.
- uuid string
  
  A universally unique identifier (UUID) for the action.
alert_delay object

Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.

Additional properties are NOT allowed.
Hide alert_delay attribute Show alert_delay attribute object
- active number Required
  
  The number of consecutive runs that must meet the rule conditions.
consumer string Required

The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
enabled boolean

Indicates whether you want to run the rule on an interval basis after it is created.

Default value is true.
flapping object | null

When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.

Additional properties are NOT allowed.
Hide flapping attributes Show flapping attributes object | null
- look_back_window number Required
  
  The minimum number of runs in which the threshold must be met.
  
  Minimum value is 2, maximum value is 20.
- status_change_threshold number Required
  
  The minimum number of times an alert must switch states in the look back window.
  
  Minimum value is 2, maximum value is 20.
name string Required

The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
notify_when string | null

Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
rule_type_id string Required

The rule type identifier.
schedule object Required

The check interval, which specifies how frequently the rule conditions are checked.

Additional properties are NOT allowed.
Hide schedule attribute Show schedule attribute object
- interval string Required
  
  The interval is specified in seconds, minutes, hours, or days.
tags array[string]

The tags for the rule.

Default value is [] (empty).
throttle string | null

Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
params object

The parameters for the rule.
Any of:
params_property_apm_anomaly object params_property_apm_error_count object params_property_apm_transaction_duration object params_property_apm_transaction_error_rate object params_es_query_dsl_rule object params_es_query_esql_rule object params_es_query_kql_rule object params_index_threshold_rule object params_property_infra_inventory object Count object Ratio object params_property_infra_metric_threshold object params_property_slo_burn_rate object params_property_synthetics_uptime_tls object params_property_synthetics_monitor_status object
Hide attributes Show attributes

serviceName string

Filter the rule to apply to a specific service name.

transactionType string

Filter the rule to apply to a specific transaction type.

windowSize number Required

The size of the time window (in windowUnit units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.

windowUnit string Required

The type of units for the time window. For example: minutes, hours, or days.

Values are m, h, or d.

environment string Required

Filter the rule to apply to a specific environment.

anomalySeverityType string Required

The severity of anomalies that will generate alerts: critical, major, minor, or warning.

Values are critical, major, minor, or warning.
Hide attributes Show attributes

serviceName string

Filter the errors coming from your application to apply the rule to a specific service.

windowSize number Required

The time frame in which the errors must occur (in windowUnit units). Generally it should be a value higher than the rule check interval to avoid gaps in detection.

windowUnit string Required

The type of units for the time window: minutes, hours, or days.

Values are m, h, or d.

environment string Required

Filter the errors coming from your application to apply the rule to a specific environment.

threshold number Required

The error count threshold.

groupBy array[string]

Perform a composite aggregation against the selected fields. When any of these groups match the selected rule conditions, an alert is triggered per group.

Values are service.name, service.environment, transaction.name, or error.grouping_key. Default value is ["service.name", "service.environment"].

errorGroupingKey string

Filter the errors coming from your application to apply the rule to a specific error grouping key, which is a hash of the stack trace and other properties.
Hide attributes Show attributes

serviceName string

Filter the rule to apply to a specific service.

transactionType string

Filter the rule to apply to a specific transaction type.

transactionName string

Filter the rule to apply to a specific transaction name.

windowSize number Required

The size of the time window (in windowUnit units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.

windowUnit string Required

The type of units for the time window. For example: minutes, hours, or days.

Values are m, h, or d.

environment string Required

Filter the rule to apply to a specific environment.

threshold number Required

The latency threshold value.

groupBy array[string]

Perform a composite aggregation against the selected fields. When any of these groups match the selected rule conditions, an alert is triggered per group.

Values are service.name, service.environment, transaction.type, or transaction.name. Default value is ["service.name", "service.environment", "transaction.type"].

aggregationType string Required

The type of aggregation to perform.

Values are avg, 95th, or 99th.
Hide attributes Show attributes

serviceName string

The service name from APM

transactionType string

The transaction type from APM

transactionName string

The transaction name from APM

windowSize number Required

The window size

windowUnit string Required

The window size unit

Values are m, h, or d.

environment string Required

The environment from APM

threshold number Required

The error rate threshold value

groupBy array[string]

Values are service.name, service.environment, transaction.type, or transaction.name. Default value is ["service.name", "service.environment", "transaction.type"].
An Elasticsearch query rule can run a query defined in Elasticsearch Query DSL and compare the number of matches to a configured threshold. These parameters are appropriate when rule_type_id is .es-query.
Hide attributes Show attributes

aggField string

The name of the numeric field that is used in the aggregation. This property is required when aggType is avg, max, min or sum.

aggType string

The type of aggregation to perform.

Values are avg, count, max, min, or sum. Default value is count.

esQuery string Required

The query definition, which uses Elasticsearch Query DSL.

excludeHitsFromPreviousRun boolean

Indicates whether to exclude matches from previous runs. If true, you can avoid alert duplication by excluding documents that have already been detected by the previous rule run. This option is not available when a grouping field is specified.

groupBy string

Indicates whether the aggregation is applied over all documents (all) or split into groups (top) using a grouping field (termField). If grouping is used, an alert will be created for each group when it exceeds the threshold; only the top groups (up to termSize number of groups) are checked.

Values are all or top. Default value is all.

index array[string] | string Required

The indices to query.

One of:
array-1 array[string] string-2 string

searchType string

The type of query, in this case a query that uses Elasticsearch Query DSL.

Value is esQuery. Default value is esQuery.

size integer

The number of documents to pass to the configured actions when the threshold condition is met.

termField string | array[string]

The names of up to four fields that are used for grouping the aggregation. This property is required when groupBy is top.

One of:
string-1 string array-2 array[string]

termSize integer

This property is required when groupBy is top. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields.

threshold array[integer] Required

The threshold value that is used with the thresholdComparator. If the thresholdComparator is between or notBetween, you must specify the boundary values.

thresholdComparator string Required

The comparison function for the threshold. For example, "is above", "is above or equals", "is below", "is below or equals", "is between", and "is not between".

Values are >, >=, <, <=, between, or notBetween.

timeField string Required

The field that is used to calculate the time window.

timeWindowSize integer Required

The size of the time window (in timeWindowUnit units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.

timeWindowUnit string Required

The type of units for the time window: seconds, minutes, hours, or days.

Values are s, m, h, or d.
An Elasticsearch query rule can run an ES|QL query and compare the number of matches to a configured threshold. These parameters are appropriate when rule_type_id is .es-query.
Hide attributes Show attributes

aggField string

The name of the numeric field that is used in the aggregation. This property is required when aggType is avg, max, min or sum.

aggType string

The type of aggregation to perform.

Values are avg, count, max, min, or sum. Default value is count.

esqlQuery object Required

Hide esqlQuery attribute Show esqlQuery attribute object

esql string Required

The query definition, which uses Elasticsearch Query Language.

excludeHitsFromPreviousRun boolean

Indicates whether to exclude matches from previous runs. If true, you can avoid alert duplication by excluding documents that have already been detected by the previous rule run. This option is not available when a grouping field is specified.

groupBy string

Indicates whether the aggregation is applied over all documents (all) or split into groups (top) using a grouping field (termField). If grouping is used, an alert will be created for each group when it exceeds the threshold; only the top groups (up to termSize number of groups) are checked.

Values are all or top. Default value is all.

searchType string Required

The type of query, in this case a query that uses Elasticsearch Query Language (ES|QL).

Value is esqlQuery.

size integer Required

When searchType is esqlQuery, this property is required but it does not affect the rule behavior.

termSize integer

This property is required when groupBy is top. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields.

threshold array[integer] Required

The threshold value that is used with the thresholdComparator. When searchType is esqlQuery, this property is required and must be set to zero.

Minimum value of each is 0, maximum value of each is 0.

thresholdComparator string Required

The comparison function for the threshold. When searchType is esqlQuery, this property is required and must be set to ">". Since the threshold value must be 0, the result is that an alert occurs whenever the query returns results.

Value is >.

timeField string

The field that is used to calculate the time window.

timeWindowSize integer Required

The size of the time window (in timeWindowUnit units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.

timeWindowUnit string Required

The type of units for the time window: seconds, minutes, hours, or days.

Values are s, m, h, or d.
An Elasticsearch query rule can run a query defined in KQL or Lucene and compare the number of matches to a configured threshold. These parameters are appropriate when rule_type_id is .es-query.
Hide attributes Show attributes

aggField string

The name of the numeric field that is used in the aggregation. This property is required when aggType is avg, max, min or sum.

aggType string

The type of aggregation to perform.

Values are avg, count, max, min, or sum. Default value is count.

excludeHitsFromPreviousRun boolean

Indicates whether to exclude matches from previous runs. If true, you can avoid alert duplication by excluding documents that have already been detected by the previous rule run. This option is not available when a grouping field is specified.

groupBy string

Indicates whether the aggregation is applied over all documents (all) or split into groups (top) using a grouping field (termField). If grouping is used, an alert will be created for each group when it exceeds the threshold; only the top groups (up to termSize number of groups) are checked.

Values are all or top. Default value is all.

searchConfiguration object

The query definition, which uses KQL or Lucene to fetch the documents from Elasticsearch.

Hide searchConfiguration attributes Show searchConfiguration attributes object

filter array[object]

A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the kbn-es-query package.

Hide filter attributes Show filter attributes object

meta object

Hide meta attributes Show meta attributes object

alias string | null

controlledBy string

disabled boolean

field string

group string

index string

isMultiIndex boolean

key string

negate boolean

params object

type string

value string

query object

$state object

index string | array[string]

The indices to query.

One of:
string-1 string array-2 array[string]

query object

Hide query attributes Show query attributes object

language string

query string

searchType string Required

The type of query, in this case a text-based query that uses KQL or Lucene.

Value is searchSource.

size integer Required

The number of documents to pass to the configured actions when the threshold condition is met.

termField string | array[string]

The names of up to four fields that are used for grouping the aggregation. This property is required when groupBy is top.

One of:
string-1 string array-2 array[string]

termSize integer

This property is required when groupBy is top. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields.

threshold array[integer] Required

The threshold value that is used with the thresholdComparator. If the thresholdComparator is between or notBetween, you must specify the boundary values.

thresholdComparator string Required

The comparison function for the threshold. For example, "is above", "is above or equals", "is below", "is below or equals", "is between", and "is not between".

Values are >, >=, <, <=, between, or notBetween.

timeField string

The field that is used to calculate the time window.

timeWindowSize integer Required

The size of the time window (in timeWindowUnit units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.

timeWindowUnit string Required

The type of units for the time window: seconds, minutes, hours, or days.

Values are s, m, h, or d.
An index threshold rule runs an Elasticsearch query, aggregates field values from documents, compares them to threshold values, and schedules actions to run when the thresholds are met. These parameters are appropriate when rule_type_id is .index-threshold.
Hide attributes Show attributes

aggField string

The name of the numeric field that is used in the aggregation. This property is required when aggType is avg, max, min or sum.

aggType string

The type of aggregation to perform.

Values are avg, count, max, min, or sum. Default value is count.

filterKuery string

A KQL expression thats limits the scope of alerts.

groupBy string

Indicates whether the aggregation is applied over all documents (all) or split into groups (top) using a grouping field (termField). If grouping is used, an alert will be created for each group when it exceeds the threshold; only the top groups (up to termSize number of groups) are checked.

Values are all or top. Default value is all.

index array[string] Required

The indices to query.

termField string | array[string]

The names of up to four fields that are used for grouping the aggregation. This property is required when groupBy is top.

One of:
string-1 string array-2 array[string]

termSize integer

This property is required when groupBy is top. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields.

threshold array[integer] Required

The threshold value that is used with the thresholdComparator. If the thresholdComparator is between or notBetween, you must specify the boundary values.

thresholdComparator string Required

The comparison function for the threshold. For example, "is above", "is above or equals", "is below", "is below or equals", "is between", and "is not between".

Values are >, >=, <, <=, between, or notBetween.

timeField string Required

The field that is used to calculate the time window.

timeWindowSize integer Required

The size of the time window (in timeWindowUnit units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.

timeWindowUnit string Required

The type of units for the time window: seconds, minutes, hours, or days.

Values are s, m, h, or d.
Hide attributes Show attributes

criteria array[object]

Hide criteria attributes Show criteria attributes object

metric string

Values are count, cpu, diskLatency, load, memory, memoryTotal, tx, rx, logRate, diskIOReadBytes, diskIOWriteBytes, s3TotalRequests, s3NumberOfObjects, s3BucketSize, s3DownloadBytes, s3UploadBytes, rdsConnections, rdsQueriesExecuted, rdsActiveTransactions, rdsLatency, sqsMessagesVisible, sqsMessagesDelayed, sqsMessagesSent, sqsMessagesEmpty, sqsOldestMessage, or custom.

timeSize number

timeUnit string

Values are s, m, h, or d.

sourceId string

threshold array[number]

comparator string

Values are <, <=, >, >=, between, or outside.

customMetric object

Hide customMetric attributes Show customMetric attributes object

type string

Value is custom.

field string

aggregation string

Values are avg, max, min, or rate.

id string

label string

warningThreshold array[number]

warningComparator string

Values are <, <=, >, >=, between, or outside.

filterQuery string

filterQueryText string

nodeType string

Values are host, pod, container, awsEC2, awsS3, awsSQS, or awsRDS.

sourceId string

alertOnNoData boolean
Hide attributes Show attributes

criteria array[object]

Hide criteria attributes Show criteria attributes object

field string

comparator string

Values are more than, more than or equals, less than, less than or equals, equals, does not equal, matches, does not match, matches phrase, or does not match phrase.

value number | string

One of:
number-1 number string-2 string

count object Required

Hide count attributes Show count attributes object

comparator string

Values are more than, more than or equals, less than, less than or equals, equals, does not equal, matches, does not match, matches phrase, or does not match phrase.

value number

timeSize number Required

timeUnit string Required

Values are s, m, h, or d.

logView object Required

Hide logView attributes Show logView attributes object

logViewId string

type string

Value is log-view-reference.

groupBy array[string]
Hide attributes Show attributes

criteria array[array]

Hide criteria attributes Show criteria attributes object

field string

comparator string

Values are more than, more than or equals, less than, less than or equals, equals, does not equal, matches, does not match, matches phrase, or does not match phrase.

value number | string

One of:
number-1 number string-2 string

count object Required

Hide count attributes Show count attributes object

comparator string

Values are more than, more than or equals, less than, less than or equals, equals, does not equal, matches, does not match, matches phrase, or does not match phrase.

value number

timeSize number Required

timeUnit string Required

Values are s, m, h, or d.

logView object Required

Hide logView attributes Show logView attributes object

logViewId string

type string

Value is log-view-reference.

groupBy array[string]
Hide attributes Show attributes

criteria array[object]

One of:
non count criterion object count criterion object custom criterion object

Hide attributes Show attributes

threshold array[number]

comparator string

Values are <, <=, >, >=, between, or outside.

timeUnit string

timeSize number

warningThreshold array[number]

warningComparator string

Values are <, <=, >, >=, between, or outside.

metric string

aggType string

Values are avg, max, min, cardinality, rate, count, sum, p95, p99, or custom.

Hide attributes Show attributes

threshold array[number]

comparator string

Values are <, <=, >, >=, between, or outside.

timeUnit string

timeSize number

warningThreshold array[number]

warningComparator string

Values are <, <=, >, >=, between, or outside.

aggType string

Value is count.

Hide attributes Show attributes

threshold array[number]

comparator string

Values are <, <=, >, >=, between, or outside.

timeUnit string

timeSize number

warningThreshold array[number]

warningComparator string

Values are <, <=, >, >=, between, or outside.

aggType string

Value is custom.

customMetric array[object]

One of:
object-1 object object-2 object

Hide attributes Show attributes

name string

aggType string

Values are avg, sum, max, min, or cardinality.

field string

equation string

label string

groupBy string | array[string]

One of:
string-1 string array-2 array[string]

filterQuery string

sourceId string

alertOnNoData boolean

alertOnGroupDisappear boolean
Hide attributes Show attributes

sloId string

The SLO identifier used by the rule

burnRateThreshold number

The burn rate threshold used to trigger the alert

maxBurnRateThreshold number

The maximum burn rate threshold value defined by the SLO error budget

longWindow object

The duration of the long window used to compute the burn rate

Hide longWindow attributes Show longWindow attributes object

value number

The duration value

unit string

The duration unit

shortWindow object

The duration of the short window used to compute the burn rate

Hide shortWindow attributes Show shortWindow attributes object

value number

The duration value

unit string

The duration unit
Hide attributes Show attributes

search string

certExpirationThreshold number

certAgeThreshold number
Hide attributes Show attributes

availability object

Hide availability attributes Show availability attributes object

range number

rangeUnit string

threshold string

filters string | object

One of:
string-1 string object-2 object Deprecated

locations array[string] Deprecated

numTimes number Required

search string

shouldCheckStatus boolean Required

shouldCheckAvailability boolean Required

timerangeCount number

timerangeUnit string

timerange object Deprecated

Hide timerange attributes Show timerange attributes object Deprecated

from string

to string

version number

isAutoGenerated boolean

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- actions array[object] Required
  
  Hide actions attributes Show actions attributes object
  
  alerts_filter object
  
  Defines a period that limits whether the action runs.
  
  Additional properties are NOT allowed.
  
  Hide alerts_filter attributes Show alerts_filter attributes object
  
  query object
  
  Additional properties are NOT allowed.
  
  Hide query attributes Show query attributes object
  
  dsl string
  
  A filter written in Elasticsearch Query Domain Specific Language (DSL).
  
  filters array[object] Required
  
  A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the kbn-es-query package.
  
  Hide filters attributes Show filters attributes object
  
  $state object
  
  Additional properties are NOT allowed.
  
  Hide $state attribute Show $state attribute object
  
  store string Required
  
  A filter can be either specific to an application context or applied globally.
  
  Values are appState or globalState.
  
  meta object Required
  
  Additional properties are allowed.
  
  query object
  
  Additional properties are allowed.
  
  kql string Required
  
  A filter written in Kibana Query Language (KQL).
  
  timeframe object
  
  Additional properties are NOT allowed.
  
  Hide timeframe attributes Show timeframe attributes object
  
  days array[integer] Required
  
  Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.
  
  Values are 1, 2, 3, 4, 5, 6, or 7.
  
  hours object Required
  
  Additional properties are NOT allowed.
  
  Hide hours attributes Show hours attributes object
  
  end string Required
  
  The end of the time frame in 24-hour notation (hh:mm).
  
  start string Required
  
  The start of the time frame in 24-hour notation (hh:mm).
  
  timezone string Required
  
  The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.
  
  connector_type_id string Required
  
  The type of connector. This property appears in responses but cannot be set in requests.
  
  frequency object
  
  Additional properties are NOT allowed.
  
  Hide frequency attributes Show frequency attributes object
  
  notify_when string Required
  
  Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  
  Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
  
  summary boolean Required
  
  Indicates whether the action is a summary.
  
  throttle string | null Required
  
  The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if 'notify_when' is set to 'onThrottleInterval'. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  
  group string
  
  The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.
  
  id string Required
  
  The identifier for the connector saved object.
  
  params object Required
  
  The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.
  
  Additional properties are allowed.
  
  use_alert_data_for_template boolean
  
  Indicates whether to use alert data as a template.
  
  uuid string
  
  A universally unique identifier (UUID) for the action.
- active_snoozes array[string]
  
  List of active snoozes for the rule.
- alert_delay object
  
  Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.
  
  Additional properties are NOT allowed.
  
  Hide alert_delay attribute Show alert_delay attribute object
  
  active number Required
  
  The number of consecutive runs that must meet the rule conditions.
- api_key_created_by_user boolean | null
  
  Indicates whether the API key that is associated with the rule was created by the user.
- api_key_owner string | null Required
  
  The owner of the API key that is associated with the rule and used to run background tasks.
- consumer string Required
  
  The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
- created_at string Required
  
  The date and time that the rule was created.
- created_by string | null Required
  
  The identifier for the user that created the rule.
- enabled boolean Required
  
  Indicates whether you want to run the rule on an interval basis after it is created.
- execution_status object Required
  
  Additional properties are NOT allowed.
  
  Hide execution_status attributes Show execution_status attributes object
  
  error object
  
  Additional properties are NOT allowed.
  
  Hide error attributes Show error attributes object
  
  message string Required
  
  Error message.
  
  reason string Required
  
  Reason for error.
  
  Values are read, decrypt, execute, unknown, license, timeout, disabled, or validate.
  
  last_duration number
  
  Duration of last execution of the rule.
  
  last_execution_date string Required
  
  The date and time when rule was executed last.
  
  status string Required
  
  Status of rule execution.
  
  Values are ok, active, error, warning, pending, or unknown.
  
  warning object
  
  Additional properties are NOT allowed.
  
  Hide warning attributes Show warning attributes object
  
  message string Required
  
  Warning message.
  
  reason string Required
  
  Reason for warning.
  
  Values are maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.
- flapping object | null
  
  When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
  
  Additional properties are NOT allowed.
  
  Hide flapping attributes Show flapping attributes object | null
  
  look_back_window number Required
  
  The minimum number of runs in which the threshold must be met.
  
  Minimum value is 2, maximum value is 20.
  
  status_change_threshold number Required
  
  The minimum number of times an alert must switch states in the look back window.
  
  Minimum value is 2, maximum value is 20.
- id string Required
  
  The identifier for the rule.
- is_snoozed_until string | null
  
  The date when the rule will no longer be snoozed.
- last_run object | null
  
  Additional properties are NOT allowed.
  
  Hide last_run attributes Show last_run attributes object | null
  
  alerts_count object Required
  
  Additional properties are NOT allowed.
  
  Hide alerts_count attributes Show alerts_count attributes object
  
  active number | null
  
  Number of active alerts during last run.
  
  ignored number | null
  
  Number of ignored alerts during last run.
  
  new number | null
  
  Number of new alerts during last run.
  
  recovered number | null
  
  Number of recovered alerts during last run.
  
  outcome string Required
  
  Outcome of last run of the rule. Value could be succeeded, warning or failed.
  
  Values are succeeded, warning, or failed.
  
  outcome_msg array[string] | null
  
  Outcome message generated during last rule run.
  
  outcome_order number
  
  Order of the outcome.
  
  warning string | null
  
  Warning of last rule execution.
  
  Values are read, decrypt, execute, unknown, license, timeout, disabled, validate, maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.
- mapped_params object
  
  Additional properties are allowed.
- monitoring object
  
  Monitoring details of the rule.
  
  Additional properties are NOT allowed.
  
  Hide monitoring attribute Show monitoring attribute object
  
  run object Required
  
  Rule run details.
  
  Additional properties are NOT allowed.
  
  Hide run attributes Show run attributes object
  
  calculated_metrics object Required
  
  Calculation of different percentiles and success ratio.
  
  Additional properties are NOT allowed.
  
  Hide calculated_metrics attributes Show calculated_metrics attributes object
  
  p50 number
  
  p95 number
  
  p99 number
  
  success_ratio number Required
  
  history array[object] Required
  
  History of the rule run.
  
  Hide history attributes Show history attributes object
  
  duration number
  
  Duration of the rule run.
  
  outcome string
  
  Outcome of last run of the rule. Value could be succeeded, warning or failed.
  
  Values are succeeded, warning, or failed.
  
  success boolean Required
  
  Indicates whether the rule run was successful.
  
  timestamp number Required
  
  Time of rule run.
  
  last_run object Required
  
  Additional properties are NOT allowed.
  
  Hide last_run attributes Show last_run attributes object
  
  metrics object Required
  
  Additional properties are NOT allowed.
  
  Hide metrics attributes Show metrics attributes object
  
  duration number
  
  Duration of most recent rule run.
  
  gap_duration_s number | null
  
  Duration in seconds of rule run gap.
  
  gap_range object | null
  
  Additional properties are NOT allowed.
  
  Hide gap_range attributes Show gap_range attributes object | null
  
  gte string Required
  
  End of the gap range.
  
  lte string Required
  
  Start of the gap range.
  
  total_alerts_created number | null
  
  Total number of alerts created during last rule run.
  
  total_alerts_detected number | null
  
  Total number of alerts detected during last rule run.
  
  total_indexing_duration_ms number | null
  
  Total time spent indexing documents during last rule run in milliseconds.
  
  total_search_duration_ms number | null
  
  Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.
  
  timestamp string Required
  
  Time of the most recent rule run.
- mute_all boolean Required
  
  Indicates whether all alerts are muted.
- muted_alert_ids array[string] Required
  
  List of identifiers of muted alerts.
- name string Required
  
  The name of the rule.
- next_run string | null
  
  Date and time of the next run of the rule.
- notify_when string | null
  
  Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  
  Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
- params object Required
  
  The parameters for the rule.
  
  Additional properties are allowed.
- revision number Required
  
  The rule revision number.
- rule_type_id string Required
  
  The rule type identifier.
- running boolean | null
  
  Indicates whether the rule is running.
- schedule object Required
  
  Additional properties are NOT allowed.
  
  Hide schedule attribute Show schedule attribute object
  
  interval string Required
  
  The interval is specified in seconds, minutes, hours, or days.
- scheduled_task_id string
  
  Identifier of the scheduled task.
- snooze_schedule array[object]
  
  Hide snooze_schedule attributes Show snooze_schedule attributes object
  
  duration number Required
  
  Duration of the rule snooze schedule.
  
  id string
  
  Identifier of the rule snooze schedule.
  
  rRule object Required
  
  Additional properties are NOT allowed.
  
  Hide rRule attributes Show rRule attributes object
  
  byhour array[number] | null
  
  Indicates hours of the day to recur.
  
  byminute array[number] | null
  
  Indicates minutes of the hour to recur.
  
  bymonth array[number] | null
  
  Indicates months of the year that this rule should recur.
  
  bymonthday array[number] | null
  
  Indicates the days of the month to recur.
  
  bysecond array[number] | null
  
  Indicates seconds of the day to recur.
  
  bysetpos array[number] | null
  
  A positive or negative integer affecting the nth day of the month. For example, -2 combined with byweekday of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use byweekday.
  
  byweekday array[string | number] | null
  
  Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a byweekday/bysetpos combination.
  
  byweekno array[number] | null
  
  Indicates number of the week hours to recur.
  
  byyearday array[number] | null
  
  Indicates the days of the year that this rule should recur.
  
  count number
  
  Number of times the rule should recur until it stops.
  
  dtstart string Required
  
  Rule start date in Coordinated Universal Time (UTC).
  
  freq integer
  
  Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY.
  
  Values are 0, 1, 2, 3, 4, 5, or 6.
  
  interval number
  
  Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.
  
  tzid string Required
  
  Indicates timezone abbreviation.
  
  until string
  
  Recur the rule until this date.
  
  wkst string
  
  Indicates the start of week, defaults to Monday.
  
  Values are MO, TU, WE, TH, FR, SA, or SU.
  
  skipRecurrences array[string]
  
  Skips recurrence of rule on this date.
- tags array[string] Required
  
  The tags for the rule.
- throttle string | null Deprecated
  
  Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
- updated_at string Required
  
  The date and time that the rule was updated most recently.
- updated_by string | null Required
  
  The identifier for the user that updated this rule most recently.
- view_in_app_relative_url string | null
  
  Relative URL to view rule in the app.
400

Indicates an invalid schema or parameters.
403

Indicates that this call is forbidden.
409

Indicates that the rule id is already in use.

POST /api/alerting/rule/{id}

curl \
 --request POST 'https://localhost:5601/api/alerting/rule/{id}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"name":"my Elasticsearch query ESQL rule","params":{"size":0,"esqlQuery":{"esql":"FROM kibana_sample_data_logs | KEEP bytes, clientip, host, geo.dest | where geo.dest != \"GB\" | STATS sumbytes = sum(bytes) by clientip, host | WHERE sumbytes \u003e 5000 | SORT sumbytes desc | LIMIT 10"},"threshold":[0],"timeField":"@timestamp","searchType":"esqlQuery","timeWindowSize":1,"timeWindowUnit":"d","thresholdComparator":"\u003e"},"actions":[{"id":"d0db1fe0-78d6-11ee-9177-f7d404c8c945","group":"query matched","params":{"level":"info","message":"Elasticsearch query rule '{{rule.name}}' is active:\n- Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}"},"frequency":{"summary":false,"notify_when":"onActiveAlert"}}],"consumer":"stackAlerts","schedule":{"interval":"1d"},"rule_type_id":".es-query"}'

Request examples

Create an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL) to define its query and a server log connector to send notifications.

{
  "name": "my Elasticsearch query ESQL rule",
  "params": {
    "size": 0,
    "esqlQuery": {
      "esql": "FROM kibana_sample_data_logs | KEEP bytes, clientip, host, geo.dest | where geo.dest != \"GB\" | STATS sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | SORT sumbytes desc | LIMIT 10"
    },
    "threshold": [
      0
    ],
    "timeField": "@timestamp",
    "searchType": "esqlQuery",
    "timeWindowSize": 1,
    "timeWindowUnit": "d",
    "thresholdComparator": ">"
  },
  "actions": [
    {
      "id": "d0db1fe0-78d6-11ee-9177-f7d404c8c945",
      "group": "query matched",
      "params": {
        "level": "info",
        "message": "Elasticsearch query rule '{{rule.name}}' is active:\n- Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}"
      },
      "frequency": {
        "summary": false,
        "notify_when": "onActiveAlert"
      }
    }
  ],
  "consumer": "stackAlerts",
  "schedule": {
    "interval": "1d"
  },
  "rule_type_id": ".es-query"
}

Create an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL) to define its query and a server log connector to send notifications.

{
  "name": "my Elasticsearch query rule",
  "params": {
    "size": 100,
    "index": [
      "kibana_sample_data_logs"
    ],
    "esQuery": "\"\"\"{\"query\":{\"match_all\" : {}}}\"\"\"",
    "threshold": [
      100
    ],
    "timeField": "@timestamp",
    "timeWindowSize": 1,
    "timeWindowUnit": "d",
    "thresholdComparator": ">"
  },
  "actions": [
    {
      "id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
      "group": "query matched",
      "params": {
        "level": "info",
        "message": "The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts."
      },
      "frequency": {
        "summary": true,
        "throttle": "1d",
        "notify_when": "onThrottleInterval"
      }
    },
    {
      "id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
      "group": "recovered",
      "params": {
        "level": "info",
        "message": "Recovered"
      },
      "frequency": {
        "summary": false,
        "notify_when": "onActionGroupChange"
      }
    }
  ],
  "consumer": "alerts",
  "schedule": {
    "interval": "1d"
  },
  "rule_type_id": ".es-query"
}

Create an Elasticsearch query rule that uses Kibana query language (KQL).

{
  "name": "my Elasticsearch query KQL rule",
  "params": {
    "size": 100,
    "aggType": "count",
    "groupBy": "all",
    "threshold": [
      1000
    ],
    "searchType": "searchSource",
    "timeWindowSize": 5,
    "timeWindowUnit": "m",
    "searchConfiguration": {
      "index": "90943e30-9a47-11e8-b64d-95841ca0b247",
      "query": {
        "query": "\"\"geo.src : \"US\" \"\"",
        "language": "kuery"
      }
    },
    "thresholdComparator": ">",
    "excludeHitsFromPreviousRun": true
  },
  "consumer": "alerts",
  "schedule": {
    "interval": "1m"
  },
  "rule_type_id": ".es-query"
}

Create an index threshold rule that uses a server log connector to send notifications when the threshold is met.

{
  "name": "my rule",
  "tags": [
    "cpu"
  ],
  "params": {
    "index": [
      ".test-index"
    ],
    "aggType": "avg",
    "groupBy": "top",
    "aggField": "sheet.version",
    "termSize": 6,
    "termField": "name.keyword",
    "threshold": [
      1000
    ],
    "timeField": "@timestamp",
    "timeWindowSize": 5,
    "timeWindowUnit": "m",
    "thresholdComparator": ">"
  },
  "actions": [
    {
      "id": "48de3460-f401-11ed-9f8e-399c75a2deeb",
      "group": "threshold met",
      "params": {
        "level": "info",
        "message": "Rule '{{rule.name}}' is active for group '{{context.group}}':\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
      },
      "frequency": {
        "summary": false,
        "notify_when": "onActionGroupChange"
      }
    }
  ],
  "consumer": "alerts",
  "schedule": {
    "interval": "1m"
  },
  "alert_delay": {
    "active": 3
  },
  "rule_type_id": ".index-threshold"
}

Create a tracking containment rule that checks when an entity is contained or no longer contained within a boundary.

{
  "name": "my tracking rule",
  "params": {
    "index": "kibana_sample_data_logs",
    "entity": "agent.keyword",
    "indexId": "90943e30-9a47-11e8-b64d-95841ca0b247",
    "geoField": "geo.coordinates",
    "dateField\"": "@timestamp",
    "boundaryType": "entireIndex",
    "boundaryIndexId": "0cd90abf-abe7-44c7-909a-f621bbbcfefc",
    "boundaryGeoField": "location",
    "boundaryNameField": "name",
    "boundaryIndexTitle": "boundary*"
  },
  "consumer": "alerts",
  "schedule": {
    "interval": "1h"
  },
  "rule_type_id": ".geo-containment"
}

Response examples (200)

The response for successfully creating an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL).

{
  "id": "e0d62360-78e8-11ee-9177-f7d404c8c945",
  "name": "my Elasticsearch query ESQL rule",
  "tags": [],
  "params": {
    "size": 0,
    "aggType": "count",
    "groupBy": "all",
    "esqlQuery": {
      "esql": "FROM kibana_sample_data_logs | keep bytes, clientip, host, geo.dest | WHERE geo.dest != \"GB\" | stats sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | sort sumbytes desc | limit 10"
    },
    "threshold": [
      0
    ],
    "timeField": "@timestamp",
    "searchType": "esqlQuery",
    "timeWindowSize": 1,
    "timeWindowUnit": "d",
    "thresholdComparator": ">",
    "excludeHitsFromPreviousRun\"": "true,"
  },
  "actions": [
    {
      "id": "d0db1fe0-78d6-11ee-9177-f7d404c8c945",
      "uuid": "bfe370a3-531b-4855-bbe6-ad739f578844",
      "group": "query matched",
      "params": {
        "level": "info",
        "message": "Elasticsearch query rule '{{rule.name}}' is active:\n- Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}"
      },
      "frequency": {
        "summary": false,
        "throttle": null,
        "notify_when": "onActiveAlert"
      },
      "connector_type_id": ".server-log"
    }
  ],
  "enabled": true,
  "running": false,
  "consumer": "stackAlerts",
  "mute_all": false,
  "revision": 0,
  "schedule": {
    "interval": "1d"
  },
  "throttle": null,
  "created_at": "2023-11-01T19:00:10.453Z",
  "created_by": "elastic",
  "updated_at": "2023-11-01T19:00:10.453Z",
  "updated_by": "elastic\",",
  "notify_when": null,
  "rule_type_id": ".es-query",
  "api_key_owner": "elastic",
  "muted_alert_ids": [],
  "execution_status": {
    "status": "pending",
    "last_execution_date": "2023-11-01T19:00:10.453Z"
  },
  "scheduled_task_id": "e0d62360-78e8-11ee-9177-f7d404c8c945",
  "api_key_created_by_user": false
}

The response for successfully creating an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL).

{
  "id": "58148c70-407f-11ee-850e-c71febc4ca7f",
  "name": "my Elasticsearch query rule",
  "tags": [],
  "params": {
    "size": 100,
    "index": [
      "kibana_sample_data_logs"
    ],
    "aggType": "count",
    "esQuery": "\"\"\"{\"query\":{\"match_all\" : {}}}\"\"\"",
    "groupBy": "all",
    "threshold": [
      100
    ],
    "timeField": "@timestamp",
    "searchType": "esQuery",
    "timeWindowSize": 1,
    "timeWindowUnit": "d",
    "thresholdComparator": ">",
    "excludeHitsFromPreviousRun": true
  },
  "actions": [
    {
      "id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
      "uuid": "53f3c2a3-e5d0-4cfa-af3b-6f0881385e78",
      "group": "query matched",
      "params": {
        "level": "info",
        "message": "The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts."
      },
      "frequency": {
        "summary": true,
        "throttle": "1d",
        "notify_when": "onThrottleInterval"
      },
      "connector_type_id": ".server-log"
    },
    {
      "id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
      "uuid": "2324e45b-c0df-45c7-9d70-4993e30be758",
      "group": "recovered",
      "params": {
        "level": "info",
        "message": "Recovered"
      },
      "frequency": {
        "summary": false,
        "throttle": null,
        "notify_when": "onActionGroupChange"
      },
      "connector_type_id": ".server-log"
    }
  ],
  "enabled": true,
  "running": false,
  "consumer": "alerts",
  "mute_all": false,
  "revision": 0,
  "schedule": {
    "interval": "1d"
  },
  "throttle": null,
  "created_at": "2023-08-22T00:03:38.263Z",
  "created_by": "elastic",
  "updated_at": "2023-08-22T00:03:38.263Z",
  "updated_by": "elastic",
  "notify_when": null,
  "rule_type_id": ".es-query",
  "api_key_owner": "elastic",
  "muted_alert_ids": [],
  "execution_status": {
    "status": "pending",
    "last_execution_date": "2023-08-22T00:03:38.263Z"
  },
  "scheduled_task_id": "58148c70-407f-11ee-850e-c71febc4ca7f",
  "api_key_created_by_user": false
}

The response for successfully creating an Elasticsearch query rule that uses Kibana query language (KQL).

{
  "id": "7bd506d0-2284-11ee-8fad-6101956ced88",
  "name": "my Elasticsearch query KQL rule\"",
  "tags": [],
  "params": {
    "size": 100,
    "aggType": "count",
    "groupBy": "all",
    "threshold": [
      1000
    ],
    "searchType": "searchSource",
    "timeWindowSize": 5,
    "timeWindowUnit": "m",
    "searchConfiguration": {
      "index": "90943e30-9a47-11e8-b64d-95841ca0b247",
      "query": {
        "query": "\"\"geo.src : \"US\" \"\"",
        "language": "kuery"
      }
    },
    "thresholdComparator": ">",
    "excludeHitsFromPreviousRun": true
  },
  "actions": [],
  "enabled": true,
  "running": false,
  "consumer": "alerts",
  "mute_all": false,
  "revision": 0,
  "schedule": {
    "interval": "1m"
  },
  "throttle": null,
  "created_at": "2023-07-14T20:24:50.729Z",
  "created_by": "elastic",
  "updated_at": "2023-07-14T20:24:50.729Z",
  "updated_by": "elastic",
  "notify_when": null,
  "rule_type_id": ".es-query",
  "api_key_owner": "elastic",
  "muted_alert_ids": [],
  "execution_status": {
    "status": "pending",
    "last_execution_date": "2023-07-14T20:24:50.729Z"
  },
  "scheduled_task_id": "7bd506d0-2284-11ee-8fad-6101956ced88",
  "api_key_created_by_user": false
}

The response for successfully creating an index threshold rule.

{
  "id": "41893910-6bca-11eb-9e0d-85d233e3ee35",
  "name": "my rule",
  "tags": [
    "cpu"
  ],
  "params": {
    "index": [
      ".test-index"
    ],
    "aggType": "avg",
    "groupBy": "top",
    "aggField": "sheet.version",
    "termSize": 6,
    "termField": "name.keyword",
    "threshold": [
      1000
    ],
    "timeField": "@timestamp",
    "timeWindowSize": 5,
    "timeWindowUnit": "m",
    "thresholdComparator": ">"
  },
  "actions": [
    {
      "id": "dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2",
      "uuid": "07aef2a0-9eed-4ef9-94ec-39ba58eb609d",
      "group": "threshold met",
      "params": {
        "level": "info",
        "message": "Rule {{rule.name}} is active for group {{context.group} :\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
      },
      "frequency": {
        "summary": false,
        "throttle": null,
        "notify_when": "onActionGroupChange"
      },
      "connector_type_id": ".server-log"
    }
  ],
  "enabled": true,
  "running": false,
  "consumer": "alerts",
  "mute_all": false,
  "revision": 0,
  "schedule": {
    "interval": "1m"
  },
  "throttle": null,
  "created_at": "2022-06-08T17:20:31.632Z",
  "created_by": "elastic",
  "updated_at": "2022-06-08T17:20:31.632Z",
  "updated_by": "elastic",
  "alert_delay": {
    "active": 3
  },
  "notify_when": null,
  "rule_type_id": ".index-threshold",
  "api_key_owner": "elastic",
  "muted_alert_ids": [],
  "execution_status": {
    "status": "pending",
    "last_execution_date": "2022-06-08T17:20:31.632Z"
  },
  "scheduled_task_id": "425b0800-6bca-11eb-9e0d-85d233e3ee35",
  "api_key_created_by_user": false
}

The response for successfully creating a tracking containment rule.

{
  "id": "b6883f9d-5f70-4758-a66e-369d7c26012f",
  "name": "my tracking rule",
  "tags": [],
  "params": {
    "index": "kibana_sample_data_logs",
    "entity": "agent.keyword",
    "indexId": "90943e30-9a47-11e8-b64d-95841ca0b247",
    "geoField": "geo.coordinates",
    "dateField": "@timestamp",
    "boundaryType": "entireIndex",
    "boundaryIndexId": "0cd90abf-abe7-44c7-909a-f621bbbcfefc",
    "boundaryGeoField": "location",
    "boundaryNameField": "name",
    "boundaryIndexTitle": "boundary*"
  },
  "actions": [],
  "enabled": true,
  "running": false,
  "consumer": "alerts",
  "last_run": {
    "outcome": "succeeded",
    "warning": null,
    "outcome_msg": null,
    "alerts_count": {
      "new": 0,
      "active": 0,
      "ignored": 0,
      "recovered": 0
    },
    "outcome_order": 0
  },
  "mute_all": false,
  "next_run": "2024-02-15T03:26:38.033Z",
  "revision": 1,
  "schedule": {
    "interval": "1h"
  },
  "throttle": null,
  "created_at": "2024-02-14T19:52:55.920Z",
  "created_by": "elastic",
  "updated_at": "2024-02-15T03:24:32.574Z",
  "updated_by": "elastic",
  "notify_when": null,
  "rule_type_id": ".geo-containment",
  "api_key_owner": "elastic",
  "muted_alert_ids": [],
  "execution_status": {
    "status": "ok",
    "last_duration": 74,
    "last_execution_date": "2024-02-15T03:25:38.125Z"
  },
  "scheduled_task_id": "b6883f9d-5f70-4758-a66e-369d7c26012f",
  "api_key_created_by_user": false
}

Delete a rule

DELETE /api/alerting/rule/{id}

Api key auth Basic auth

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

id string Required

The identifier for the rule.

Responses

204

Indicates a successful call.
400

Indicates an invalid schema or parameters.
403

Indicates that this call is forbidden.
404

Indicates a rule with the given ID does not exist.

DELETE /api/alerting/rule/{id}

curl \
 --request DELETE 'https://localhost:5601/api/alerting/rule/{id}' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Disable a rule

POST /api/alerting/rule/{id}/_disable

Api key auth Basic auth

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

id string Required

The identifier for the rule.

application/json

Body

untrack boolean

Defines whether this rule's alerts should be untracked.

Responses

204

Indicates a successful call.
400

Indicates an invalid schema.
403

Indicates that this call is forbidden.
404

Indicates a rule with the given ID does not exist.

POST /api/alerting/rule/{id}/_disable

curl \
 --request POST 'https://localhost:5601/api/alerting/rule/{id}/_disable' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"untrack":true}'

Enable a rule

POST /api/alerting/rule/{id}/_enable

Api key auth Basic auth

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

id string Required

The identifier for the rule.

Responses

204

Indicates a successful call.
400

Indicates an invalid schema or parameters.
403

Indicates that this call is forbidden.
404

Indicates a rule with the given ID does not exist.

POST /api/alerting/rule/{id}/_enable

curl \
 --request POST 'https://localhost:5601/api/alerting/rule/{id}/_enable' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Unmute all alerts

POST /api/alerting/rule/{id}/_unmute_all

Api key auth Basic auth

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

id string Required

The identifier for the rule.

Responses

204

Indicates a successful call.
400

Indicates an invalid schema or parameters.
403

Indicates that this call is forbidden.
404

Indicates a rule with the given ID does not exist.

POST /api/alerting/rule/{id}/_unmute_all

curl \
 --request POST 'https://localhost:5601/api/alerting/rule/{id}/_unmute_all' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Update the API key for a rule

POST /api/alerting/rule/{id}/_update_api_key

Api key auth Basic auth

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

id string Required

The identifier for the rule.

Responses

204

Indicates a successful call.
400

Indicates an invalid schema or parameters.
403

Indicates that this call is forbidden.
404

Indicates a rule with the given ID does not exist.
409

Indicates that the rule has already been updated by another user.

POST /api/alerting/rule/{id}/_update_api_key

curl \
 --request POST 'https://localhost:5601/api/alerting/rule/{id}/_update_api_key' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Mute an alert

POST /api/alerting/rule/{rule_id}/alert/{alert_id}/_mute

Api key auth Basic auth

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

rule_id string Required

The identifier for the rule.
alert_id string Required

The identifier for the alert.

Responses

204

Indicates a successful call.
400

Indicates an invalid schema or parameters.
403

Indicates that this call is forbidden.
404

Indicates a rule or alert with the given ID does not exist.

POST /api/alerting/rule/{rule_id}/alert/{alert_id}/_mute

curl \
 --request POST 'https://localhost:5601/api/alerting/rule/{rule_id}/alert/{alert_id}/_mute' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Unmute an alert

POST /api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute

Api key auth Basic auth

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

rule_id string Required

The identifier for the rule.
alert_id string Required

The identifier for the alert.

Responses

204

Indicates a successful call.
400

Indicates an invalid schema or parameters.
403

Indicates that this call is forbidden.
404

Indicates a rule or alert with the given ID does not exist.

POST /api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute

curl \
 --request POST 'https://localhost:5601/api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Get information about rules

GET /api/alerting/rules/_find

Api key auth Basic auth

Query parameters

per_page number

The number of rules to return per page.

Minimum value is 0. Default value is 10.
page number

The page number to return.

Minimum value is 1. Default value is 1.
search string

An Elasticsearch simple_query_string query that filters the objects in the response.
default_search_operator string

The default operator to use for the simple_query_string.

Values are OR or AND. Default value is OR.
search_fields array[string] | string

The fields to perform the simple_query_string parsed query against.
sort_field string

Determines which field is used to sort the results. The field must exist in the attributes key of the response.
sort_order string

Determines the sort order.

Values are asc or desc.
has_reference object | null

Filters the rules that have a relation with the reference objects with a specific type and identifier.

Additional properties are NOT allowed.
Hide has_reference attributes Show has_reference attributes object | null
- id string Required
- type string Required
fields array[string]

The fields to return in the attributes key of the response.
filter string

A KQL string that you filter with an attribute from your saved object. It should look like savedObjectType.attributes.title: "myTitle". However, if you used a direct attribute of a saved object, such as updatedAt, you must define your filter, for example, savedObjectType.updatedAt > 2018-12-22.
filter_consumers array[string]

List of consumers to filter.

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- actions array[object] Required
  
  Hide actions attributes Show actions attributes object
  
  alerts_filter object
  
  Defines a period that limits whether the action runs.
  
  Additional properties are NOT allowed.
  
  Hide alerts_filter attributes Show alerts_filter attributes object
  
  query object
  
  Additional properties are NOT allowed.
  
  Hide query attributes Show query attributes object
  
  dsl string
  
  A filter written in Elasticsearch Query Domain Specific Language (DSL).
  
  filters array[object] Required
  
  A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the kbn-es-query package.
  
  Hide filters attributes Show filters attributes object
  
  $state object
  
  Additional properties are NOT allowed.
  
  Hide $state attribute Show $state attribute object
  
  store string Required
  
  A filter can be either specific to an application context or applied globally.
  
  Values are appState or globalState.
  
  meta object Required
  
  Additional properties are allowed.
  
  query object
  
  Additional properties are allowed.
  
  kql string Required
  
  A filter written in Kibana Query Language (KQL).
  
  timeframe object
  
  Additional properties are NOT allowed.
  
  Hide timeframe attributes Show timeframe attributes object
  
  days array[integer] Required
  
  Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.
  
  Values are 1, 2, 3, 4, 5, 6, or 7.
  
  hours object Required
  
  Additional properties are NOT allowed.
  
  Hide hours attributes Show hours attributes object
  
  end string Required
  
  The end of the time frame in 24-hour notation (hh:mm).
  
  start string Required
  
  The start of the time frame in 24-hour notation (hh:mm).
  
  timezone string Required
  
  The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.
  
  connector_type_id string Required
  
  The type of connector. This property appears in responses but cannot be set in requests.
  
  frequency object
  
  Additional properties are NOT allowed.
  
  Hide frequency attributes Show frequency attributes object
  
  notify_when string Required
  
  Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  
  Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
  
  summary boolean Required
  
  Indicates whether the action is a summary.
  
  throttle string | null Required
  
  The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if 'notify_when' is set to 'onThrottleInterval'. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  
  group string
  
  The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.
  
  id string Required
  
  The identifier for the connector saved object.
  
  params object Required
  
  The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.
  
  Additional properties are allowed.
  
  use_alert_data_for_template boolean
  
  Indicates whether to use alert data as a template.
  
  uuid string
  
  A universally unique identifier (UUID) for the action.
- active_snoozes array[string]
  
  List of active snoozes for the rule.
- alert_delay object
  
  Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.
  
  Additional properties are NOT allowed.
  
  Hide alert_delay attribute Show alert_delay attribute object
  
  active number Required
  
  The number of consecutive runs that must meet the rule conditions.
- api_key_created_by_user boolean | null
  
  Indicates whether the API key that is associated with the rule was created by the user.
- api_key_owner string | null Required
  
  The owner of the API key that is associated with the rule and used to run background tasks.
- consumer string Required
  
  The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
- created_at string Required
  
  The date and time that the rule was created.
- created_by string | null Required
  
  The identifier for the user that created the rule.
- enabled boolean Required
  
  Indicates whether you want to run the rule on an interval basis after it is created.
- execution_status object Required
  
  Additional properties are NOT allowed.
  
  Hide execution_status attributes Show execution_status attributes object
  
  error object
  
  Additional properties are NOT allowed.
  
  Hide error attributes Show error attributes object
  
  message string Required
  
  Error message.
  
  reason string Required
  
  Reason for error.
  
  Values are read, decrypt, execute, unknown, license, timeout, disabled, or validate.
  
  last_duration number
  
  Duration of last execution of the rule.
  
  last_execution_date string Required
  
  The date and time when rule was executed last.
  
  status string Required
  
  Status of rule execution.
  
  Values are ok, active, error, warning, pending, or unknown.
  
  warning object
  
  Additional properties are NOT allowed.
  
  Hide warning attributes Show warning attributes object
  
  message string Required
  
  Warning message.
  
  reason string Required
  
  Reason for warning.
  
  Values are maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.
- flapping object | null
  
  When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
  
  Additional properties are NOT allowed.
  
  Hide flapping attributes Show flapping attributes object | null
  
  look_back_window number Required
  
  The minimum number of runs in which the threshold must be met.
  
  Minimum value is 2, maximum value is 20.
  
  status_change_threshold number Required
  
  The minimum number of times an alert must switch states in the look back window.
  
  Minimum value is 2, maximum value is 20.
- id string Required
  
  The identifier for the rule.
- is_snoozed_until string | null
  
  The date when the rule will no longer be snoozed.
- last_run object | null
  
  Additional properties are NOT allowed.
  
  Hide last_run attributes Show last_run attributes object | null
  
  alerts_count object Required
  
  Additional properties are NOT allowed.
  
  Hide alerts_count attributes Show alerts_count attributes object
  
  active number | null
  
  Number of active alerts during last run.
  
  ignored number | null
  
  Number of ignored alerts during last run.
  
  new number | null
  
  Number of new alerts during last run.
  
  recovered number | null
  
  Number of recovered alerts during last run.
  
  outcome string Required
  
  Outcome of last run of the rule. Value could be succeeded, warning or failed.
  
  Values are succeeded, warning, or failed.
  
  outcome_msg array[string] | null
  
  Outcome message generated during last rule run.
  
  outcome_order number
  
  Order of the outcome.
  
  warning string | null
  
  Warning of last rule execution.
  
  Values are read, decrypt, execute, unknown, license, timeout, disabled, validate, maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.
- mapped_params object
  
  Additional properties are allowed.
- monitoring object
  
  Monitoring details of the rule.
  
  Additional properties are NOT allowed.
  
  Hide monitoring attribute Show monitoring attribute object
  
  run object Required
  
  Rule run details.
  
  Additional properties are NOT allowed.
  
  Hide run attributes Show run attributes object
  
  calculated_metrics object Required
  
  Calculation of different percentiles and success ratio.
  
  Additional properties are NOT allowed.
  
  Hide calculated_metrics attributes Show calculated_metrics attributes object
  
  p50 number
  
  p95 number
  
  p99 number
  
  success_ratio number Required
  
  history array[object] Required
  
  History of the rule run.
  
  Hide history attributes Show history attributes object
  
  duration number
  
  Duration of the rule run.
  
  outcome string
  
  Outcome of last run of the rule. Value could be succeeded, warning or failed.
  
  Values are succeeded, warning, or failed.
  
  success boolean Required
  
  Indicates whether the rule run was successful.
  
  timestamp number Required
  
  Time of rule run.
  
  last_run object Required
  
  Additional properties are NOT allowed.
  
  Hide last_run attributes Show last_run attributes object
  
  metrics object Required
  
  Additional properties are NOT allowed.
  
  Hide metrics attributes Show metrics attributes object
  
  duration number
  
  Duration of most recent rule run.
  
  gap_duration_s number | null
  
  Duration in seconds of rule run gap.
  
  gap_range object | null
  
  Additional properties are NOT allowed.
  
  Hide gap_range attributes Show gap_range attributes object | null
  
  gte string Required
  
  End of the gap range.
  
  lte string Required
  
  Start of the gap range.
  
  total_alerts_created number | null
  
  Total number of alerts created during last rule run.
  
  total_alerts_detected number | null
  
  Total number of alerts detected during last rule run.
  
  total_indexing_duration_ms number | null
  
  Total time spent indexing documents during last rule run in milliseconds.
  
  total_search_duration_ms number | null
  
  Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.
  
  timestamp string Required
  
  Time of the most recent rule run.
- mute_all boolean Required
  
  Indicates whether all alerts are muted.
- muted_alert_ids array[string] Required
  
  List of identifiers of muted alerts.
- name string Required
  
  The name of the rule.
- next_run string | null
  
  Date and time of the next run of the rule.
- notify_when string | null
  
  Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  
  Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
- params object Required
  
  The parameters for the rule.
  
  Additional properties are allowed.
- revision number Required
  
  The rule revision number.
- rule_type_id string Required
  
  The rule type identifier.
- running boolean | null
  
  Indicates whether the rule is running.
- schedule object Required
  
  Additional properties are NOT allowed.
  
  Hide schedule attribute Show schedule attribute object
  
  interval string Required
  
  The interval is specified in seconds, minutes, hours, or days.
- scheduled_task_id string
  
  Identifier of the scheduled task.
- snooze_schedule array[object]
  
  Hide snooze_schedule attributes Show snooze_schedule attributes object
  
  duration number Required
  
  Duration of the rule snooze schedule.
  
  id string
  
  Identifier of the rule snooze schedule.
  
  rRule object Required
  
  Additional properties are NOT allowed.
  
  Hide rRule attributes Show rRule attributes object
  
  byhour array[number] | null
  
  Indicates hours of the day to recur.
  
  byminute array[number] | null
  
  Indicates minutes of the hour to recur.
  
  bymonth array[number] | null
  
  Indicates months of the year that this rule should recur.
  
  bymonthday array[number] | null
  
  Indicates the days of the month to recur.
  
  bysecond array[number] | null
  
  Indicates seconds of the day to recur.
  
  bysetpos array[number] | null
  
  A positive or negative integer affecting the nth day of the month. For example, -2 combined with byweekday of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use byweekday.
  
  byweekday array[string | number] | null
  
  Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a byweekday/bysetpos combination.
  
  byweekno array[number] | null
  
  Indicates number of the week hours to recur.
  
  byyearday array[number] | null
  
  Indicates the days of the year that this rule should recur.
  
  count number
  
  Number of times the rule should recur until it stops.
  
  dtstart string Required
  
  Rule start date in Coordinated Universal Time (UTC).
  
  freq integer
  
  Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY.
  
  Values are 0, 1, 2, 3, 4, 5, or 6.
  
  interval number
  
  Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.
  
  tzid string Required
  
  Indicates timezone abbreviation.
  
  until string
  
  Recur the rule until this date.
  
  wkst string
  
  Indicates the start of week, defaults to Monday.
  
  Values are MO, TU, WE, TH, FR, SA, or SU.
  
  skipRecurrences array[string]
  
  Skips recurrence of rule on this date.
- tags array[string] Required
  
  The tags for the rule.
- throttle string | null Deprecated
  
  Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
- updated_at string Required
  
  The date and time that the rule was updated most recently.
- updated_by string | null Required
  
  The identifier for the user that updated this rule most recently.
- view_in_app_relative_url string | null
  
  Relative URL to view rule in the app.
400

Indicates an invalid schema or parameters.
403

Indicates that this call is forbidden.

GET /api/alerting/rules/_find

curl \
 --request GET 'https://localhost:5601/api/alerting/rules/_find' \
 --header "Authorization: $API_KEY"

Response examples (200)

A response that contains information about an index threshold rule.

{
  "data": [
    {
      "id": "3583a470-74f6-11ed-9801-35303b735aef",
      "name": "my alert",
      "tags": [
        "cpu"
      ],
      "params": {
        "index": [
          "test-index"
        ],
        "aggType": "avg",
        "groupBy": "top",
        "aggField": "sheet.version",
        "termSize": 6,
        "termField": "name.keyword",
        "threshold": [
          1000
        ],
        "timeField": "@timestamp",
        "timeWindowSize": 5,
        "timeWindowUnit": "m",
        "thresholdComparator": ">"
      },
      "actions": [
        {
          "id": "9dca3e00-74f5-11ed-9801-35303b735aef",
          "uuid": "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
          "group": "threshold met",
          "params": {
            "level": "info",
            "message": "Rule {{rule.name}} is active for group {{context.group}}:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}",
            "connector_type_id": ".server-log"
          },
          "frequency": {
            "summary": false,
            "throttle": null,
            "notify_when": "onActionGroupChange"
          }
        }
      ],
      "enabled": true,
      "consumer": "alerts",
      "last_run": {
        "outcome": "succeeded",
        "warning": null,
        "outcome_msg": null,
        "alerts_count": {
          "new": 0,
          "active": 0,
          "ignored": 0,
          "recovered": 0
        }
      },
      "mute_all": false,
      "next_run": "2022-12-06T01:45:23.912Z",
      "revision": 1,
      "schedule": {
        "interval": "1m"
      },
      "throttle": null,
      "created_at": "2022-12-05T23:40:33.132Z",
      "created_by": "elastic",
      "updated_at": "2022-12-05T23:40:33.132Z",
      "updated_by": "elastic",
      "rule_type_id": ".index-threshold",
      "api_key_owner": "elastic",
      "muted_alert_ids": [],
      "execution_status": {
        "status": "ok",
        "last_duration": 48,
        "last_execution_date": "2022-12-06T01:44:23.983Z"
      },
      "scheduled_task_id": "3583a470-74f6-11ed-9801-35303b735aef",
      "api_key_created_by_user": false
    }
  ],
  "page": 1,
  "total": 1,
  "per_page": 10
}

A response that contains information about a security rule that has conditional actions.

{
  "data": [
    {
      "id": "6107a8f0-f401-11ed-9f8e-399c75a2deeb",
      "name": "security_rule",
      "tags": [],
      "params": {
        "to": "now",
        "from": "now-3660s",
        "meta": {
          "from": "1h",
          "kibana_siem_app_url": "https://localhost:5601/app/security"
        },
        "type": "threshold",
        "index": [
          "kibana_sample_data_logs"
        ],
        "query": "*",
        "author": [],
        "ruleId": "an_internal_rule_id",
        "threat": [],
        "filters": [],
        "license": "",
        "version": 1,
        "language": "kuery",
        "severity": "low",
        "immutable": false,
        "riskScore": 21,
        "threshold": {
          "field": [
            "bytes"
          ],
          "value": 1,
          "cardinality": []
        },
        "maxSignals": 100,
        "references": [],
        "description": "A security threshold rule.",
        "outputIndex": "",
        "exceptionsList": [],
        "falsePositives": [],
        "severityMapping": [],
        "riskScoreMapping": []
      },
      "actions": [
        {
          "id": "49eae970-f401-11ed-9f8e-399c75a2deeb",
          "uuid": "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
          "group": "default",
          "params": {
            "documents": [
              {
                "rule_id": {
                  "[object Object]": null
                },
                "alert_id": {
                  "[object Object]": null
                },
                "rule_name": {
                  "[object Object]": null
                },
                "context_message": {
                  "[object Object]": null
                }
              }
            ]
          },
          "frequency": {
            "summary": true,
            "throttle": null,
            "notify_when": "onActiveAlert"
          },
          "alerts_filter": {
            "query": {
              "kql": "",
              "filters": [
                {
                  "meta": {
                    "key": "client.geo.region_iso_code",
                    "alias": null,
                    "field": "client.geo.region_iso_code",
                    "index": "c4bdca79-e69e-4d80-82a1-e5192c621bea",
                    "negate": false,
                    "params": {
                      "type": "phrase",
                      "query": "CA-QC"
                    },
                    "disabled": false
                  },
                  "query": {
                    "match_phrase": {
                      "client.geo.region_iso_code": "CA-QC"
                    }
                  },
                  "$state": {
                    "store": "appState"
                  }
                }
              ]
            },
            "timeframe": {
              "days": [
                7
              ],
              "hours": {
                "end": "17:00",
                "start": "08:00"
              },
              "timezone": "UTC"
            }
          },
          "connector_type_id": ".index"
        }
      ],
      "enabled": true,
      "running": false,
      "consumer": "siem",
      "last_run": {
        "outcome": "succeeded",
        "warning": null,
        "outcome_msg": [
          "Rule execution completed successfully"
        ],
        "alerts_count": {
          "new": 0,
          "active": 0,
          "ignored": 0,
          "recovered": 0
        },
        "outcome_order": 0
      },
      "mute_all": false,
      "next_run": "2023-05-16T20:27:49.507Z",
      "revision": 1,
      "schedule": {
        "interval": "1m"
      },
      "throttle": null,
      "created_at": "2023-05-16T15:50:28.358Z",
      "created_by": "elastic",
      "updated_at": "2023-05-16T20:25:42.559Z",
      "updated_by": "elastic",
      "notify_when": null,
      "rule_type_id": "siem.thresholdRule",
      "api_key_owner": "elastic",
      "muted_alert_ids": [],
      "execution_status": {
        "status": "ok",
        "last_duration": 166,
        "last_execution_date": "2023-05-16T20:26:49.590Z"
      },
      "scheduled_task_id": "6107a8f0-f401-11ed-9f8e-399c75a2deeb",
      "api_key_created_by_user": false
    }
  ],
  "page": 1,
  "total": 1,
  "per_page": 10
}

Update an alert Deprecated

PUT /api/alerts/alert/{alertId}

Api key auth Basic auth

Deprecated in 7.13.0. Use the update rule API instead.

Headers

kbn-xsrf string Required

Cross-site request forgery protection

Path parameters

alertId string Required

The identifier for the alert.

application/json

Body Required

actions array[object]
Hide actions attributes Show actions attributes object
- actionTypeId string Required
  
  The identifier for the action type.
- group string Required
  
  Grouping actions is recommended for escalations for different types of alert instances. If you don't need this functionality, set it to default.
- id string Required
  
  The ID of the action saved object.
- params object Required
  
  The map to the params that the action type will receive. params are handled as Mustache templates and passed a default set of context.
name string Required

A name to reference and search.
notifyWhen string Required

The condition for throttling the notification.

Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
params object Required

The parameters to pass to the alert type executor params value. This will also validate against the alert type params validator, if defined.
schedule object Required

The schedule specifying when this alert should be run. A schedule is structured such that the key specifies the format you wish to use and its value specifies the schedule.
Hide schedule attribute Show schedule attribute object
- interval string
  
  The interval format specifies the interval in seconds, minutes, hours or days at which the alert should run.
tags array[string]

A list of keywords to reference and search.
throttle string

How often this alert should fire the same actions. This will prevent the alert from sending out the same notification over and over. For example, if an alert with a schedule of 1 minute stays in a triggered state for 90 minutes, setting a throttle of 10m or 1h will prevent it from sending 90 notifications during this period.

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- actions array[object]
- alertTypeId string
- apiKeyOwner string | null
- createdAt string(date-time)
  
  The date and time that the alert was created.
- createdBy string
  
  The identifier for the user that created the alert.
- enabled boolean
  
  Indicates whether the alert is currently enabled.
- executionStatus object
  
  Hide executionStatus attributes Show executionStatus attributes object
  
  lastExecutionDate string(date-time)
  
  status string
- id string
  
  The identifier for the alert.
- muteAll boolean
- mutedInstanceIds array[string] | null
- name string
  
  The name of the alert.
- notifyWhen string
- params object
  
  Additional properties are allowed.
- schedule object
  
  Hide schedule attribute Show schedule attribute object
  
  interval string
- scheduledTaskId string
- tags array[string]
- throttle string | null
- updatedAt string
- updatedBy string | null
  
  The identifier for the user that updated this alert most recently.
401 application/json

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
  
  Value is Unauthorized.
- message string
- statusCode integer
  
  Value is 401.

PUT /api/alerts/alert/{alertId}

curl \
 --request PUT 'https://localhost:5601/api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"actions":[{"actionTypeId":"string","group":"string","id":"string","params":{}}],"name":"string","notifyWhen":"onActionGroupChange","params":{},"schedule":{"interval":"1d"},"tags":["string"],"throttle":"string"}'

Create an alert Deprecated

POST /api/alerts/alert/{alertId}

Api key auth Basic auth

Deprecated in 7.13.0. Use the create rule API instead.

Headers

kbn-xsrf string Required

Cross-site request forgery protection

Path parameters

alertId string Required

An UUID v1 or v4 identifier for the alert. If this parameter is omitted, the identifier is randomly generated.

application/json

Body Required

actions array[object]
Hide actions attributes Show actions attributes object
- actionTypeId string Required
  
  The identifier for the action type.
- group string Required
  
  Grouping actions is recommended for escalations for different types of alert instances. If you don't need this functionality, set it to default.
- id string Required
  
  The ID of the action saved object.
- params object Required
  
  The map to the params that the action type will receive. params are handled as Mustache templates and passed a default set of context.
alertTypeId string Required

The ID of the alert type that you want to call when the alert is scheduled to run.
consumer string Required

The name of the application that owns the alert. This name has to match the Kibana feature name, as that dictates the required role-based access control privileges.
enabled boolean

Indicates if you want to run the alert on an interval basis after it is created.
name string Required

A name to reference and search.
notifyWhen string Required

The condition for throttling the notification.

Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
params object Required

The parameters to pass to the alert type executor params value. This will also validate against the alert type params validator, if defined.
schedule object Required

The schedule specifying when this alert should be run. A schedule is structured such that the key specifies the format you wish to use and its value specifies the schedule.
Hide schedule attribute Show schedule attribute object
- interval string
  
  The interval format specifies the interval in seconds, minutes, hours or days at which the alert should run.
tags array[string]

A list of keywords to reference and search.
throttle string

How often this alert should fire the same actions. This will prevent the alert from sending out the same notification over and over. For example, if an alert with a schedule of 1 minute stays in a triggered state for 90 minutes, setting a throttle of 10m or 1h will prevent it from sending 90 notifications during this period.

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- actions array[object]
- alertTypeId string
- apiKeyOwner string | null
- createdAt string(date-time)
  
  The date and time that the alert was created.
- createdBy string
  
  The identifier for the user that created the alert.
- enabled boolean
  
  Indicates whether the alert is currently enabled.
- executionStatus object
  
  Hide executionStatus attributes Show executionStatus attributes object
  
  lastExecutionDate string(date-time)
  
  status string
- id string
  
  The identifier for the alert.
- muteAll boolean
- mutedInstanceIds array[string] | null
- name string
  
  The name of the alert.
- notifyWhen string
- params object
  
  Additional properties are allowed.
- schedule object
  
  Hide schedule attribute Show schedule attribute object
  
  interval string
- scheduledTaskId string
- tags array[string]
- throttle string | null
- updatedAt string
- updatedBy string | null
  
  The identifier for the user that updated this alert most recently.
401 application/json

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
  
  Value is Unauthorized.
- message string
- statusCode integer
  
  Value is 401.

POST /api/alerts/alert/{alertId}

curl \
 --request POST 'https://localhost:5601/api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"actions":[{"actionTypeId":"string","group":"string","id":"string","params":{}}],"alertTypeId":"string","consumer":"string","enabled":true,"name":"string","notifyWhen":"onActionGroupChange","params":{},"schedule":{"interval":"10s"},"tags":["string"],"throttle":"string"}'

Delete an alert Deprecated

DELETE /api/alerts/alert/{alertId}

Api key auth Basic auth

Deprecated in 7.13.0. Use the delete rule API instead. WARNING: After you delete an alert, you cannot recover it.

Headers

kbn-xsrf string Required

Cross-site request forgery protection

Path parameters

alertId string Required

The identifier for the alert.

Responses

204

Indicates a successful call.
401 application/json

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
  
  Value is Unauthorized.
- message string
- statusCode integer
  
  Value is 401.

DELETE /api/alerts/alert/{alertId}

curl \
 --request DELETE 'https://localhost:5601/api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: string"

Enable an alert Deprecated

POST /api/alerts/alert/{alertId}/_enable

Api key auth Basic auth

Deprecated in 7.13.0. Use the enable rule API instead.

Headers

kbn-xsrf string Required

Cross-site request forgery protection

Path parameters

alertId string Required

The identifier for the alert.

Responses

204

Indicates a successful call.
401 application/json

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
  
  Value is Unauthorized.
- message string
- statusCode integer
  
  Value is 401.

POST /api/alerts/alert/{alertId}/_enable

curl \
 --request POST 'https://localhost:5601/api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35/_enable' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: string"

Mute all alert instances Deprecated

POST /api/alerts/alert/{alertId}/_mute_all

Api key auth Basic auth

Deprecated in 7.13.0. Use the mute all alerts API instead.

Headers

kbn-xsrf string Required

Cross-site request forgery protection

Path parameters

alertId string Required

The identifier for the alert.

Responses

204

Indicates a successful call.
401 application/json

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
  
  Value is Unauthorized.
- message string
- statusCode integer
  
  Value is 401.

POST /api/alerts/alert/{alertId}/_mute_all

curl \
 --request POST 'https://localhost:5601/api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35/_mute_all' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: string"

Unmute all alert instances Deprecated

POST /api/alerts/alert/{alertId}/_unmute_all

Api key auth Basic auth

Deprecated in 7.13.0. Use the unmute all alerts API instead.

Headers

kbn-xsrf string Required

Cross-site request forgery protection

Path parameters

alertId string Required

The identifier for the alert.

Responses

204

Indicates a successful call.
401 application/json

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
  
  Value is Unauthorized.
- message string
- statusCode integer
  
  Value is 401.

POST /api/alerts/alert/{alertId}/_unmute_all

curl \
 --request POST 'https://localhost:5601/api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35/_unmute_all' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: string"

Mute an alert instance Deprecated

POST /api/alerts/alert/{alertId}/alert_instance/{alertInstanceId}/_mute

Api key auth Basic auth

Deprecated in 7.13.0. Use the mute alert API instead.

Headers

kbn-xsrf string Required

Cross-site request forgery protection

Path parameters

alertId string Required

An identifier for the alert.
alertInstanceId string Required

An identifier for the alert instance.

Responses

204

Indicates a successful call.
401 application/json

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
  
  Value is Unauthorized.
- message string
- statusCode integer
  
  Value is 401.

POST /api/alerts/alert/{alertId}/alert_instance/{alertInstanceId}/_mute

curl \
 --request POST 'https://localhost:5601/api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35/alert_instance/dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2/_mute' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: string"

Unmute an alert instance Deprecated

POST /api/alerts/alert/{alertId}/alert_instance/{alertInstanceId}/_unmute

Api key auth Basic auth

Deprecated in 7.13.0. Use the unmute alert API instead.

Headers

kbn-xsrf string Required

Cross-site request forgery protection

Path parameters

alertId string Required

An identifier for the alert.
alertInstanceId string Required

An identifier for the alert instance.

Responses

204

Indicates a successful call.
401 application/json

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
  
  Value is Unauthorized.
- message string
- statusCode integer
  
  Value is 401.

POST /api/alerts/alert/{alertId}/alert_instance/{alertInstanceId}/_unmute

curl \
 --request POST 'https://localhost:5601/api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35/alert_instance/dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2/_unmute' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: string"

Get a paginated set of alerts Deprecated

GET /api/alerts/alerts/_find

Api key auth Basic auth

Deprecated in 7.13.0. Use the find rules API instead. NOTE: Alert params are stored as a flattened field type and analyzed as keywords. As alerts change in Kibana, the results on each page of the response also change. Use the find API for traditional paginated results, but avoid using it to export large amounts of data.

Query parameters

default_search_operator string

The default operator to use for the simple_query_string.

Default value is OR.
fields array[string]

The fields to return in the attributes key of the response.
filter string

A KQL string that you filter with an attribute from your saved object. It should look like savedObjectType.attributes.title: "myTitle". However, if you used a direct attribute of a saved object, such as updatedAt, you must define your filter, for example, savedObjectType.updatedAt > 2018-12-22.
has_reference object

Filters the rules that have a relation with the reference objects with a specific type and identifier.
Hide has_reference attributes Show has_reference attributes object
- id string
- type string
page integer

The page number to return.

Default value is 1.
per_page integer

The number of alerts to return per page.

Default value is 20.
search string

An Elasticsearch simple_query_string query that filters the alerts in the response.
search_fields string | array[string]

The fields to perform the simple_query_string parsed query against.
sort_field string

Determines which field is used to sort the results. The field must exist in the attributes key of the response.
sort_order string

Determines the sort order.

Values are asc or desc. Default value is desc.

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- data array[object]
  
  Hide data attributes Show data attributes object
  
  actions array[object]
  
  alertTypeId string
  
  apiKeyOwner string | null
  
  createdAt string(date-time)
  
  The date and time that the alert was created.
  
  createdBy string
  
  The identifier for the user that created the alert.
  
  enabled boolean
  
  Indicates whether the alert is currently enabled.
  
  executionStatus object
  
  Hide executionStatus attributes Show executionStatus attributes object
  
  lastExecutionDate string(date-time)
  
  status string
  
  id string
  
  The identifier for the alert.
  
  muteAll boolean
  
  mutedInstanceIds array[string] | null
  
  name string
  
  The name of the alert.
  
  notifyWhen string
  
  params object
  
  Additional properties are allowed.
  
  schedule object
  
  Hide schedule attribute Show schedule attribute object
  
  interval string
  
  scheduledTaskId string
  
  tags array[string]
  
  throttle string | null
  
  updatedAt string
  
  updatedBy string | null
  
  The identifier for the user that updated this alert most recently.
- page integer
- perPage integer
- total integer
401 application/json

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
  
  Value is Unauthorized.
- message string
- statusCode integer
  
  Value is 401.

GET /api/alerts/alerts/_find

curl \
 --request GET 'https://localhost:5601/api/alerts/alerts/_find' \
 --header "Authorization: $API_KEY"

Get the alert types Deprecated

GET /api/alerts/alerts/list_alert_types

Api key auth Basic auth

Deprecated in 7.13.0. Use the get rule types API instead.

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- actionGroups array[object]
  
  An explicit list of groups for which the alert type can schedule actions, each with the action group's unique ID and human readable name. Alert actions validation uses this configuration to ensure that groups are valid.
  
  Hide actionGroups attributes Show actionGroups attributes object
  
  id string
  
  name string
- actionVariables object
  
  A list of action variables that the alert type makes available via context and state in action parameter templates, and a short human readable description. The Alert UI will use this information to prompt users for these variables in action parameter editors.
  
  Hide actionVariables attributes Show actionVariables attributes object
  
  context array[object]
  
  Hide context attributes Show context attributes object
  
  description string
  
  name string
  
  params array[object]
  
  Hide params attributes Show params attributes object
  
  description string
  
  name string
  
  state array[object]
  
  Hide state attributes Show state attributes object
  
  description string
  
  name string
- authorizedConsumers object
  
  The list of the plugins IDs that have access to the alert type.
- defaultActionGroupId string
  
  The default identifier for the alert type group.
- enabledInLicense boolean
  
  Indicates whether the rule type is enabled based on the subscription.
- id string
  
  The unique identifier for the alert type.
- isExportable boolean
  
  Indicates whether the alert type is exportable in Saved Objects Management UI.
- minimumLicenseRequired string
  
  The subscriptions required to use the alert type.
- name string
  
  The descriptive name of the alert type.
- producer string
  
  An identifier for the application that produces this alert type.
- recoveryActionGroup object
  
  An action group to use when an alert instance goes from an active state to an inactive one. If it is not specified, the default recovered action group is used.
  
  Hide recoveryActionGroup attributes Show recoveryActionGroup attributes object
  
  id string
  
  name string
401 application/json

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
  
  Value is Unauthorized.
- message string
- statusCode integer
  
  Value is 401.

GET /api/alerts/alerts/list_alert_types

curl \
 --request GET 'https://localhost:5601/api/alerts/alerts/list_alert_types' \
 --header "Authorization: $API_KEY"

Get a list of agent configurations

GET /api/apm/settings/agent-configuration

Api key auth Basic auth

Headers

elastic-api-version string Required

The version of the API to use

Value is 2023-10-31. Default value is 2023-10-31.

Responses

200 application/json

Successful response
Hide response attribute Show response attribute object
- configurations array[object]
  
  Agent configuration
  
  Agent configuration
  
  Hide configurations attributes Show configurations attributes object
  
  @timestamp number Required
  
  Timestamp
  
  agent_name string
  
  Agent name
  
  applied_by_agent boolean
  
  Applied by agent
  
  etag string Required
  
  Etag
  
  service object Required
  
  Service
  
  Hide service attributes Show service attributes object
  
  environment string
  
  Environment
  
  name string
  
  Name
  
  settings object Required
  
  Agent configuration settings
  
  Hide settings attribute Show settings attribute object
  
  * string Additional properties
400 application/json

Bad Request response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
401 application/json

Unauthorized response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
404 application/json

Not found response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code

GET /api/apm/settings/agent-configuration

curl \
 --request GET 'https://localhost:5601/api/apm/settings/agent-configuration' \
 --header "Authorization: $API_KEY" \
 --header "elastic-api-version: 2023-10-31"

Delete agent configuration

DELETE /api/apm/settings/agent-configuration

Api key auth Basic auth

Headers

elastic-api-version string Required

The version of the API to use

Value is 2023-10-31. Default value is 2023-10-31.
kbn-xsrf string Required

A required header to protect against CSRF attacks

application/json

Body Required

environment string

Environment
name string

Name

Responses

200 application/json

Successful response
Hide response attribute Show response attribute object
- result string
  
  Result
400 application/json

Bad Request response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
401 application/json

Unauthorized response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
403 application/json

Forbidden response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
404 application/json

Not found response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code

DELETE /api/apm/settings/agent-configuration

curl \
 --request DELETE 'https://localhost:5601/api/apm/settings/agent-configuration' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "elastic-api-version: 2023-10-31" \
 --header "kbn-xsrf: true" \
 --data '{"environment":"prod","name":"node"}'

Get environments for service

GET /api/apm/settings/agent-configuration/environments

Api key auth Basic auth

Headers

elastic-api-version string Required

The version of the API to use

Value is 2023-10-31. Default value is 2023-10-31.

Query parameters

serviceName string

The name of the service

Responses

200 application/json

Successful response
Hide response attribute Show response attribute object
- environments array[object]
  
  Service environment list
  
  Hide environments attributes Show environments attributes object
  
  alreadyConfigured boolean
  
  Already configured
  
  name string
  
  Service environment name
400 application/json

Bad Request response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
401 application/json

Unauthorized response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
404 application/json

Not found response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code

GET /api/apm/settings/agent-configuration/environments

curl \
 --request GET 'https://localhost:5601/api/apm/settings/agent-configuration/environments' \
 --header "Authorization: $API_KEY" \
 --header "elastic-api-version: 2023-10-31"

Lookup single agent configuration

POST /api/apm/settings/agent-configuration/search

Api key auth Basic auth

This endpoint allows to search for single agent configuration and update 'applied_by_agent' field.

Headers

elastic-api-version string Required

The version of the API to use

Value is 2023-10-31. Default value is 2023-10-31.
kbn-xsrf string Required

A required header to protect against CSRF attacks

application/json

Body Required

etag string

If etags match then applied_by_agent field will be set to true
mark_as_applied_by_agent boolean

markAsAppliedByAgent=true means "force setting it to true regardless of etag". This is needed for Jaeger agent that doesn't have etags
service object Required

Service
Hide service attributes Show service attributes object
- environment string
  
  Environment
- name string
  
  Name

Responses

200 application/json

Successful response
Hide response attributes Show response attributes object
- _id string
  
  Identifier
- _index string
  
  Index
- _score number
  
  Score
- _source object
  
  Agent configuration
  
  Hide _source attributes Show _source attributes object
  
  @timestamp number Required
  
  Timestamp
  
  agent_name string
  
  Agent name
  
  applied_by_agent boolean
  
  Applied by agent
  
  etag string Required
  
  Etag
  
  service object Required
  
  Service
  
  Hide service attributes Show service attributes object
  
  environment string
  
  Environment
  
  name string
  
  Name
  
  settings object Required
  
  Agent configuration settings
  
  Hide settings attribute Show settings attribute object
  
  * string Additional properties
400 application/json

Bad Request response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
401 application/json

Unauthorized response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
404 application/json

Not found response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code

POST /api/apm/settings/agent-configuration/search

curl \
 --request POST 'https://localhost:5601/api/apm/settings/agent-configuration/search' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "elastic-api-version: 2023-10-31" \
 --header "kbn-xsrf: true" \
 --data '{"etag":"0bc3b5ebf18fba8163fe4c96f491e3767a358f85","mark_as_applied_by_agent":true,"service":{"environment":"prod","name":"node"}}'

Get single agent configuration

GET /api/apm/settings/agent-configuration/view

Api key auth Basic auth

Headers

elastic-api-version string Required

The version of the API to use

Value is 2023-10-31. Default value is 2023-10-31.

Query parameters

name string

Service name
environment string

Service environment

Responses

200 application/json

Successful response
Hide response attributes Show response attributes object
- id string Required
- @timestamp number Required
  
  Timestamp
- agent_name string
  
  Agent name
- applied_by_agent boolean
  
  Applied by agent
- etag string Required
  
  Etag
- service object Required
  
  Service
  
  Hide service attributes Show service attributes object
  
  environment string
  
  Environment
  
  name string
  
  Name
- settings object Required
  
  Agent configuration settings
  
  Hide settings attribute Show settings attribute object
  
  * string Additional properties
400 application/json

Bad Request response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
401 application/json

Unauthorized response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
404 application/json

Not found response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code

GET /api/apm/settings/agent-configuration/view

curl \
 --request GET 'https://localhost:5601/api/apm/settings/agent-configuration/view' \
 --header "Authorization: $API_KEY" \
 --header "elastic-api-version: 2023-10-31"

Create an APM agent key

POST /api/apm/agent_keys

Api key auth Basic auth

Create a new agent key for APM.

Headers

elastic-api-version string Required

The version of the API to use

Value is 2023-10-31. Default value is 2023-10-31.
kbn-xsrf string Required

A required header to protect against CSRF attacks

application/json

Body Required

name string Required

Agent name
privileges array[string] Required

Privileges configuration

Values are event:write or config_agent:read.

Responses

200 application/json

Agent key created successfully
Hide response attribute Show response attribute object
- agentKey object
  
  Agent key
  
  Hide agentKey attributes Show agentKey attributes object
  
  api_key string Required
  
  encoded string Required
  
  expiration integer(int64)
  
  id string Required
  
  name string Required
400 application/json

Bad Request response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
401 application/json

Unauthorized response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
403 application/json

Forbidden response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
500 application/json

Internal Server Error response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code

POST /api/apm/agent_keys

curl \
 --request POST 'https://localhost:5601/api/apm/agent_keys' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "elastic-api-version: 2023-10-31" \
 --header "kbn-xsrf: true" \
 --data '{"name":"string","privileges":["event:write"]}'

Create a service annotation

POST /api/apm/services/{serviceName}/annotation

Api key auth Basic auth

Create a new annotation for a specific service.

Headers

elastic-api-version string Required

The version of the API to use

Value is 2023-10-31. Default value is 2023-10-31.
kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

serviceName string Required

The name of the service

application/json

Body Required

@timestamp string Required

Timestamp
message string

Message
service object Required

Service
Hide service attributes Show service attributes object
- environment string
- version string Required
tags array[string]

Tags

Responses

200 application/json

Annotation created successfully
Hide response attributes Show response attributes object
- _id string
  
  Identifier
- _index string
  
  Index
- _source object
  
  Response
  
  Hide _source attributes Show _source attributes object
  
  @timestamp string
  
  annotation object
  
  Hide annotation attributes Show annotation attributes object
  
  title string
  
  type string
  
  event object
  
  Hide event attribute Show event attribute object
  
  created string
  
  message string
  
  service object
  
  Hide service attributes Show service attributes object
  
  environment string
  
  name string
  
  version string
  
  tags array[string]
400 application/json

Bad Request response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
401 application/json

Unauthorized response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
403 application/json

Forbidden response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
404 application/json

Not found response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code

POST /api/apm/services/{serviceName}/annotation

curl \
 --request POST 'https://localhost:5601/api/apm/services/{serviceName}/annotation' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "elastic-api-version: 2023-10-31" \
 --header "kbn-xsrf: true" \
 --data '{"@timestamp":"string","message":"string","service":{"environment":"string","version":"string"},"tags":["string"]}'

Search for annotations

GET /api/apm/services/{serviceName}/annotation/search

Api key auth Basic auth

Search for annotations related to a specific service.

Headers

elastic-api-version string Required

The version of the API to use

Value is 2023-10-31. Default value is 2023-10-31.

Path parameters

serviceName string Required

The name of the service

Query parameters

environment string

The environment to filter annotations by
start string

The start date for the search
end string

The end date for the search

Responses

200 application/json

Successful response
Hide response attribute Show response attribute object
- annotations array[object]
  
  Annotations
  
  Hide annotations attributes Show annotations attributes object
  
  @timestamp number
  
  id string
  
  text string
  
  type string
  
  Value is version.
400 application/json

Bad Request response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
401 application/json

Unauthorized response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
500 application/json

Internal Server Error response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code

GET /api/apm/services/{serviceName}/annotation/search

curl \
 --request GET 'https://localhost:5601/api/apm/services/{serviceName}/annotation/search' \
 --header "Authorization: $API_KEY" \
 --header "elastic-api-version: 2023-10-31"

Save APM server schema

POST /api/apm/fleet/apm_server_schema

Api key auth Basic auth

Headers

elastic-api-version string Required

The version of the API to use

Value is 2023-10-31. Default value is 2023-10-31.
kbn-xsrf string Required

A required header to protect against CSRF attacks

application/json

Body Required

schema object

Schema object

Additional properties are allowed.

Responses

200 application/json

Successful response

Additional properties are NOT allowed.
400 application/json

Bad Request response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
401 application/json

Unauthorized response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
403 application/json

Forbidden response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
404 application/json

Not found response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code

POST /api/apm/fleet/apm_server_schema

curl \
 --request POST 'https://localhost:5601/api/apm/fleet/apm_server_schema' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "elastic-api-version: 2023-10-31" \
 --header "kbn-xsrf: true" \
 --data '{"schema":{"foo":"bar"}}'

Get source maps

GET /api/apm/sourcemaps

Api key auth Basic auth

Returns an array of Fleet artifacts, including source map uploads.

Headers

elastic-api-version string Required

The version of the API to use

Value is 2023-10-31. Default value is 2023-10-31.

Query parameters

page number

Page number
perPage number

Number of records per page

Responses

200 application/json

Successful response
Hide response attribute Show response attribute object
- artifacts array[object]
  
  Artifacts
  
  Hide artifacts attributes Show artifacts attributes object
  
  body object
  
  Hide body attributes Show body attributes object
  
  bundleFilepath string
  
  serviceName string
  
  serviceVersion string
  
  sourceMap object
  
  Hide sourceMap attributes Show sourceMap attributes object
  
  file string
  
  mappings string
  
  sourceRoot string
  
  sources array[string]
  
  sourcesContent array[string]
  
  version number
  
  compressionAlgorithm string
  
  Compression Algorithm
  
  created string
  
  Created date
  
  decodedSha256 string
  
  Decoded SHA-256
  
  decodedSize number
  
  Decoded size
  
  encodedSha256 string
  
  Encoded SHA-256
  
  encodedSize number
  
  Encoded size
  
  encryptionAlgorithm string
  
  Encryption Algorithm
  
  id string
  
  Identifier
  
  identifier string
  
  Identifier
  
  packageName string
  
  Package name
  
  relative_url string
  
  Relative URL
  
  type string
  
  Type
400 application/json

Bad Request response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
401 application/json

Unauthorized response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
500 application/json

Internal Server Error response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
501 application/json

Not Implemented response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code

GET /api/apm/sourcemaps

curl \
 --request GET 'https://localhost:5601/api/apm/sourcemaps' \
 --header "Authorization: $API_KEY" \
 --header "elastic-api-version: 2023-10-31"

Upload source map

POST /api/apm/sourcemaps

Api key auth Basic auth

Upload a source map for a specific service and version.

Headers

elastic-api-version string Required

The version of the API to use

Value is 2023-10-31. Default value is 2023-10-31.
kbn-xsrf string Required

A required header to protect against CSRF attacks

multipart/form-data

Body Required

bundle_filepath string Required

The absolute path of the final bundle as used in the web application.
service_name string Required

The name of the service that the service map should apply to.
service_version string Required

The version of the service that the service map should apply to.
sourcemap string(binary) Required

The source map. String or file upload. It must follow the source map revision 3 proposal.

Responses

200 application/json

Successful response
Hide response attributes Show response attributes object
- body string
- compressionAlgorithm string
  
  Compression Algorithm
- created string
  
  Created date
- decodedSha256 string
  
  Decoded SHA-256
- decodedSize number
  
  Decoded size
- encodedSha256 string
  
  Encoded SHA-256
- encodedSize number
  
  Encoded size
- encryptionAlgorithm string
  
  Encryption Algorithm
- id string
  
  Identifier
- identifier string
  
  Identifier
- packageName string
  
  Package name
- relative_url string
  
  Relative URL
- type string
  
  Type
400 application/json

Bad Request response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
401 application/json

Unauthorized response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
403 application/json

Forbidden response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
500 application/json

Internal Server Error response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
501 application/json

Not Implemented response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code

POST /api/apm/sourcemaps

curl \
 --request POST 'https://localhost:5601/api/apm/sourcemaps' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: multipart/form-data" \
 --header "elastic-api-version: 2023-10-31" \
 --header "kbn-xsrf: true" \
 --form "bundle_filepath=string" \
 --form "service_name=string" \
 --form "service_version=string" \
 --form "sourcemap=@file"

Delete source map

DELETE /api/apm/sourcemaps/{id}

Api key auth Basic auth

Delete a previously uploaded source map.

Headers

elastic-api-version string Required

The version of the API to use

Value is 2023-10-31. Default value is 2023-10-31.
kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

id string Required

Source map identifier

Responses

200 application/json

Successful response

Additional properties are NOT allowed.
400 application/json

Bad Request response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
401 application/json

Unauthorized response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
403 application/json

Forbidden response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
500 application/json

Internal Server Error response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
501 application/json

Not Implemented response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code

DELETE /api/apm/sourcemaps/{id}

curl \
 --request DELETE 'https://localhost:5601/api/apm/sourcemaps/{id}' \
 --header "Authorization: $API_KEY" \
 --header "elastic-api-version: 2023-10-31" \
 --header "kbn-xsrf: true"

Create a case

POST /api/cases

Api key auth Basic auth

You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're creating.

Headers

kbn-xsrf string Required

Cross-site request forgery protection

application/json

Body Required

assignees array[object] | null

An array containing users that are assigned to the case.

Not more than 10 elements.
Hide assignees attribute Show assignees attribute object
- uid string Required
  
  A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.
category string

A word or phrase that categorizes the case.

Maximum length is 50.
connector object Required
One of:
Cases_connector_properties_none object Cases_connector_properties_cases_webhook object Cases_connector_properties_jira object Cases_connector_properties_resilient object Cases_connector_properties_servicenow object Cases_connector_properties_servicenow_sir object Cases_connector_properties_swimlane object
Defines properties for connectors when type is .none.
Hide attributes Show attributes

fields string | null Required

An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.

id string Required

The identifier for the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

name string Required

The name of the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

type string Required

The type of connector. To create a case without a connector, use .none. To update a case to remove the connector, specify .none.

Value is .none.
Defines properties for connectors when type is .cases-webhook.
Hide attributes Show attributes

fields string | null Required

id string Required

The identifier for the connector. To retrieve connector IDs, use the find connectors API.

name string Required

The name of the connector.

type string Required

The type of connector.

Value is .cases-webhook.
Defines properties for connectors when type is .jira.
Hide attributes Show attributes

fields object Required

An object containing the connector fields. If you want to omit any individual field, specify null as its value.

Hide fields attributes Show fields attributes object

issueType string | null Required

The type of issue.

parent string | null Required

The key of the parent issue, when the issue type is sub-task.

priority string | null Required

The priority of the issue.

id string Required

The identifier for the connector. To retrieve connector IDs, use the find connectors API.

name string Required

The name of the connector.

type string Required

The type of connector.

Value is .jira.
Defines properties for connectors when type is .resilient.
Hide attributes Show attributes

fields object | null Required

An object containing the connector fields. If you want to omit any individual field, specify null as its value.

Hide fields attributes Show fields attributes object | null

issueTypes array[string] Required

The type of incident.

severityCode string Required

The severity code of the incident.

id string Required

The identifier for the connector.

name string Required

The name of the connector.

type string Required

The type of connector.

Value is .resilient.
Defines properties for connectors when type is .servicenow.
Hide attributes Show attributes

fields object Required

An object containing the connector fields. If you want to omit any individual field, specify null as its value.

Hide fields attributes Show fields attributes object

category string | null Required

The category of the incident.

impact string | null Required

The effect an incident had on business.

severity string | null Required

The severity of the incident.

subcategory string | null Required

The subcategory of the incident.

urgency string | null Required

The extent to which the incident resolution can be delayed.

id string Required

The identifier for the connector. To retrieve connector IDs, use the find connectors API.

name string Required

The name of the connector.

type string Required

The type of connector.

Value is .servicenow.
Defines properties for connectors when type is .servicenow-sir.
Hide attributes Show attributes

fields object Required

An object containing the connector fields. If you want to omit any individual field, specify null as its value.

Hide fields attributes Show fields attributes object

category string | null Required

The category of the incident.

destIp boolean | null Required

Indicates whether cases will send a comma-separated list of destination IPs.

malwareHash boolean | null Required

Indicates whether cases will send a comma-separated list of malware hashes.

malwareUrl boolean | null Required

Indicates whether cases will send a comma-separated list of malware URLs.

priority string | null Required

The priority of the issue.

sourceIp boolean | null Required

Indicates whether cases will send a comma-separated list of source IPs.

subcategory string | null Required

The subcategory of the incident.

id string Required

The identifier for the connector. To retrieve connector IDs, use the find connectors API.

name string Required

The name of the connector.

type string Required

The type of connector.

Value is .servicenow-sir.
Defines properties for connectors when type is .swimlane.
Hide attributes Show attributes

fields object Required

An object containing the connector fields. If you want to omit any individual field, specify null as its value.

Hide fields attribute Show fields attribute object

caseId string | null Required

The case identifier for Swimlane connectors.

id string Required

The identifier for the connector. To retrieve connector IDs, use the find connectors API.

name string Required

The name of the connector.

type string Required

The type of connector.

Value is .swimlane.
customFields array[object]

Custom field values for a case. Any optional custom fields that are not specified in the request are set to null.

At least 0 but not more than 10 elements.
Hide customFields attributes Show customFields attributes object
- key string Required
  
  The unique identifier for the custom field. The key value must exist in the case configuration settings.
- type string Required
  
  The custom field type. It must match the type specified in the case configuration settings.
  
  Values are text or toggle.
- value string | null | boolean Required
  
  The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is undefined. The value returned in the API and user interface in this case is null.
  
  One of:
  string-1 string | null boolean-2 boolean
  
  Minimum length is 1, maximum length is 160.
description string Required

The description for the case.

Maximum length is 30000.
owner string Required

The application that owns the cases: Stack Management, Observability, or Elastic Security.

Values are cases, observability, or securitySolution.
settings object Required

An object that contains the case settings.
Hide settings attribute Show settings attribute object
- syncAlerts boolean Required
  
  Turns alert syncing on or off.
severity string

The severity of the case.

Values are critical, high, low, or medium. Default value is low.
tags array[string] Required

The words and phrases that help categorize cases. It can be an empty array.

Not more than 200 elements. Maximum length of each is 256.
title string Required

A title for the case.

Maximum length is 160.

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- assignees array[object] | null
  
  An array containing users that are assigned to the case.
  
  Not more than 10 elements.
  
  Hide assignees attribute Show assignees attribute object
  
  uid string Required
  
  A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.
- category string | null
  
  The case category.
- closed_at string(date-time) | null Required
- closed_by object | null Required
  
  Hide closed_by attributes Show closed_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
- comments array[object] Required
  
  An array of comment objects for the case.
  
  Not more than 10000 elements.
  
  One of:
  Cases_alert_comment_response_properties object Cases_user_comment_response_properties object
  
  Hide attributes Show attributes
  
  alertId array[string]
  
  created_at string(date-time)
  
  created_by object
  
  Hide created_by attributes Show created_by attributes object
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  id string
  
  index array[string]
  
  owner string
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
  
  pushed_at string(date-time) | null
  
  pushed_by object | null
  
  Hide pushed_by attributes Show pushed_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  rule object
  
  Hide rule attributes Show rule attributes object
  
  id string
  
  The rule identifier.
  
  name string
  
  The rule name.
  
  type string Required Discriminator
  
  Value is alert.
  
  updated_at string(date-time) | null
  
  updated_by object | null
  
  Hide updated_by attributes Show updated_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  version string
  
  Hide attributes Show attributes
  
  comment string
  
  created_at string(date-time)
  
  created_by object
  
  Hide created_by attributes Show created_by attributes object
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  id string
  
  owner string
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
  
  pushed_at string(date-time) | null
  
  pushed_by object | null
  
  Hide pushed_by attributes Show pushed_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  type string Required Discriminator
  
  Value is user.
  
  updated_at string(date-time) | null
  
  updated_by object | null
  
  Hide updated_by attributes Show updated_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  version string
- connector object Required
  
  One of:
  Cases_connector_properties_none object Cases_connector_properties_cases_webhook object Cases_connector_properties_jira object Cases_connector_properties_resilient object Cases_connector_properties_servicenow object Cases_connector_properties_servicenow_sir object Cases_connector_properties_swimlane object
  
  Defines properties for connectors when type is .none.
  
  Hide attributes Show attributes
  
  fields string | null Required
  
  An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.
  
  id string Required
  
  The identifier for the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.
  
  name string Required
  
  The name of the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.
  
  type string Required Discriminator
  
  The type of connector. To create a case without a connector, use .none. To update a case to remove the connector, specify .none.
  
  Value is .none.
  
  Defines properties for connectors when type is .cases-webhook.
  
  Hide attributes Show attributes
  
  fields string | null Required
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .cases-webhook.
  
  Defines properties for connectors when type is .jira.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object
  
  issueType string | null Required
  
  The type of issue.
  
  parent string | null Required
  
  The key of the parent issue, when the issue type is sub-task.
  
  priority string | null Required
  
  The priority of the issue.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .jira.
  
  Defines properties for connectors when type is .resilient.
  
  Hide attributes Show attributes
  
  fields object | null Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object | null
  
  issueTypes array[string] Required
  
  The type of incident.
  
  severityCode string Required
  
  The severity code of the incident.
  
  id string Required
  
  The identifier for the connector.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .resilient.
  
  Defines properties for connectors when type is .servicenow.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object
  
  category string | null Required
  
  The category of the incident.
  
  impact string | null Required
  
  The effect an incident had on business.
  
  severity string | null Required
  
  The severity of the incident.
  
  subcategory string | null Required
  
  The subcategory of the incident.
  
  urgency string | null Required
  
  The extent to which the incident resolution can be delayed.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .servicenow.
  
  Defines properties for connectors when type is .servicenow-sir.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object
  
  category string | null Required
  
  The category of the incident.
  
  destIp boolean | null Required
  
  Indicates whether cases will send a comma-separated list of destination IPs.
  
  malwareHash boolean | null Required
  
  Indicates whether cases will send a comma-separated list of malware hashes.
  
  malwareUrl boolean | null Required
  
  Indicates whether cases will send a comma-separated list of malware URLs.
  
  priority string | null Required
  
  The priority of the issue.
  
  sourceIp boolean | null Required
  
  Indicates whether cases will send a comma-separated list of source IPs.
  
  subcategory string | null Required
  
  The subcategory of the incident.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .servicenow-sir.
  
  Defines properties for connectors when type is .swimlane.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attribute Show fields attribute object
  
  caseId string | null Required
  
  The case identifier for Swimlane connectors.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .swimlane.
- created_at string(date-time) Required
- created_by object Required
  
  Hide created_by attributes Show created_by attributes object
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
- customFields array[object]
  
  Custom field values for the case.
  
  Hide customFields attributes Show customFields attributes object
  
  key string
  
  The unique identifier for the custom field. The key value must exist in the case configuration settings.
  
  type string
  
  The custom field type. It must match the type specified in the case configuration settings.
  
  Values are text or toggle.
  
  value string | null | boolean
  
  The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is undefined. The value returned in the API and user interface in this case is null.
  
  One of:
  string-1 string | null boolean-2 boolean
  
  Minimum length is 1, maximum length is 160.
- description string Required
- duration integer | null Required
  
  The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero.
- external_service object | null Required
  
  Hide external_service attributes Show external_service attributes object | null
  
  connector_id string
  
  connector_name string
  
  external_id string
  
  external_title string
  
  external_url string
  
  pushed_at string(date-time)
  
  pushed_by object | null
  
  Hide pushed_by attributes Show pushed_by attributes object | null
  
  email string | null
  
  full_name string | null
  
  profile_uid string
  
  username string | null
- id string Required
- owner string Required
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
- settings object Required
  
  An object that contains the case settings.
  
  Hide settings attribute Show settings attribute object
  
  syncAlerts boolean Required
  
  Turns alert syncing on or off.
- severity string Required
  
  The severity of the case.
  
  Values are critical, high, low, or medium. Default value is low.
- status string Required
  
  The status of the case.
  
  Values are closed, in-progress, or open.
- tags array[string] Required
- title string Required
- totalAlerts integer Required
- totalComment integer Required
- updated_at string(date-time) | null Required
- updated_by object | null Required
  
  Hide updated_by attributes Show updated_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
- version string Required
401 application/json

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
- message string
- statusCode integer

POST /api/cases

curl \
 --request POST 'https://localhost:5601/api/cases' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"tags":["tag-1"],"owner":"cases","title":"Case title 1","settings":{"syncAlerts":true},"connector":{"id":"131d4448-abe0-4789-939d-8ef60680b498","name":"My connector","type":".jira","fields":{"parent":null,"priority":"High","issueType":"10006"}},"description":"A case description.","customFields":[{"key":"d312efda-ec2b-42ec-9e2c-84981795c581","type":"text","value":"My field value"}]}'

Request example

{
  "tags": [
    "tag-1"
  ],
  "owner": "cases",
  "title": "Case title 1",
  "settings": {
    "syncAlerts": true
  },
  "connector": {
    "id": "131d4448-abe0-4789-939d-8ef60680b498",
    "name": "My connector",
    "type": ".jira",
    "fields": {
      "parent": null,
      "priority": "High",
      "issueType": "10006"
    }
  },
  "description": "A case description.",
  "customFields": [
    {
      "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
      "type": "text",
      "value": "My field value"
    }
  ]
}

Response examples (200)

{
  "id": "66b9aa00-94fa-11ea-9f74-e7e108796192",
  "tags": [
    "tag 1"
  ],
  "owner": "cases",
  "title": "Case title 1",
  "status": "open",
  "version": "WzUzMiwxXQ==",
  "comments": [],
  "duration": null,
  "settings": {
    "syncAlerts": true
  },
  "severity": "low",
  "assignees": [],
  "closed_at": null,
  "closed_by": null,
  "connector": {
    "id": "131d4448-abe0-4789-939d-8ef60680b498",
    "name": "My connector",
    "type": ".jira",
    "fields": {
      "parent": null,
      "priority": "High",
      "issueType": "10006"
    }
  },
  "created_at": "2022-10-13T15:33:50.604Z",
  "created_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "updated_at": null,
  "updated_by": null,
  "description": "A case description.",
  "totalAlerts": 0,
  "customFields": [
    {
      "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
      "type": "text",
      "value": "My field value"
    },
    {
      "key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
      "type": "toggle",
      "value": null
    }
  ],
  "totalComment": 0,
  "external_service": null
}

Delete cases

DELETE /api/cases

Api key auth Basic auth

You must have read or all privileges and the delete sub-feature privilege for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're deleting.

Headers

kbn-xsrf string Required

Cross-site request forgery protection

Query parameters

ids array[string] Required

The cases that you want to removed. All non-ASCII characters must be URL encoded.

Responses

204

Indicates a successful call.
401 application/json

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
- message string
- statusCode integer

DELETE /api/cases

curl \
 --request DELETE 'https://localhost:5601/api/cases?ids=d4e7abb0-b462-11ec-9a8d-698504725a43' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: string"

Update cases

PATCH /api/cases

Api key auth Basic auth

You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're updating.

Headers

kbn-xsrf string Required

Cross-site request forgery protection

application/json

Body

cases array[object] Required

An array containing one or more case objects.

At least 1 but not more than 100 elements.
Hide cases attributes Show cases attributes object
- assignees array[object] | null
  
  An array containing users that are assigned to the case.
  
  Not more than 10 elements.
  Hide assignees attribute Show assignees attribute object
  
  uid string Required
  
  A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.
- category string
  
  A word or phrase that categorizes the case.
  
  Maximum length is 50.
- connector object
  
  One of:
  Cases_connector_properties_none object Cases_connector_properties_cases_webhook object Cases_connector_properties_jira object Cases_connector_properties_resilient object Cases_connector_properties_servicenow object Cases_connector_properties_servicenow_sir object Cases_connector_properties_swimlane object
  
  Defines properties for connectors when type is .none.
  
  Hide attributes Show attributes
  
  fields string | null Required
  
  An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.
  
  id string Required
  
  The identifier for the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.
  
  name string Required
  
  The name of the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.
  
  type string Required
  
  The type of connector. To create a case without a connector, use .none. To update a case to remove the connector, specify .none.
  
  Value is .none.
  
  Defines properties for connectors when type is .cases-webhook.
  
  Hide attributes Show attributes
  
  fields string | null Required
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required
  
  The type of connector.
  
  Value is .cases-webhook.
  
  Defines properties for connectors when type is .jira.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object
  
  issueType string | null Required
  
  The type of issue.
  
  parent string | null Required
  
  The key of the parent issue, when the issue type is sub-task.
  
  priority string | null Required
  
  The priority of the issue.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required
  
  The type of connector.
  
  Value is .jira.
  
  Defines properties for connectors when type is .resilient.
  
  Hide attributes Show attributes
  
  fields object | null Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object | null
  
  issueTypes array[string] Required
  
  The type of incident.
  
  severityCode string Required
  
  The severity code of the incident.
  
  id string Required
  
  The identifier for the connector.
  
  name string Required
  
  The name of the connector.
  
  type string Required
  
  The type of connector.
  
  Value is .resilient.
  
  Defines properties for connectors when type is .servicenow.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object
  
  category string | null Required
  
  The category of the incident.
  
  impact string | null Required
  
  The effect an incident had on business.
  
  severity string | null Required
  
  The severity of the incident.
  
  subcategory string | null Required
  
  The subcategory of the incident.
  
  urgency string | null Required
  
  The extent to which the incident resolution can be delayed.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required
  
  The type of connector.
  
  Value is .servicenow.
  
  Defines properties for connectors when type is .servicenow-sir.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object
  
  category string | null Required
  
  The category of the incident.
  
  destIp boolean | null Required
  
  Indicates whether cases will send a comma-separated list of destination IPs.
  
  malwareHash boolean | null Required
  
  Indicates whether cases will send a comma-separated list of malware hashes.
  
  malwareUrl boolean | null Required
  
  Indicates whether cases will send a comma-separated list of malware URLs.
  
  priority string | null Required
  
  The priority of the issue.
  
  sourceIp boolean | null Required
  
  Indicates whether cases will send a comma-separated list of source IPs.
  
  subcategory string | null Required
  
  The subcategory of the incident.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required
  
  The type of connector.
  
  Value is .servicenow-sir.
  
  Defines properties for connectors when type is .swimlane.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attribute Show fields attribute object
  
  caseId string | null Required
  
  The case identifier for Swimlane connectors.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required
  
  The type of connector.
  
  Value is .swimlane.
- customFields array[object]
  
  Custom field values for a case. Any optional custom fields that are not specified in the request are set to null.
  
  At least 0 but not more than 10 elements.
  Hide customFields attributes Show customFields attributes object
  
  key string Required
  
  The unique identifier for the custom field. The key value must exist in the case configuration settings.
  
  type string Required
  
  The custom field type. It must match the type specified in the case configuration settings.
  
  Values are text or toggle.
  
  value string | null | boolean Required
  
  The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is undefined. The value returned in the API and user interface in this case is null.
  
  One of:
  string-1 string | null boolean-2 boolean
  
  Minimum length is 1, maximum length is 160.
- description string
  
  The description for the case.
  
  Maximum length is 30000.
- id string Required
  
  The identifier for the case.
  
  Maximum length is 30000.
- settings object
  
  An object that contains the case settings.
  Hide settings attribute Show settings attribute object
  
  syncAlerts boolean Required
  
  Turns alert syncing on or off.
- severity string
  
  The severity of the case.
  
  Values are critical, high, low, or medium. Default value is low.
- status string
  
  The status of the case.
  
  Values are closed, in-progress, or open.
- tags array[string]
  
  The words and phrases that help categorize cases. It can be an empty array.
  
  Not more than 200 elements. Maximum length of each is 256.
- title string
  
  A title for the case.
  
  Maximum length is 160.
- version string Required
  
  The current version of the case. To determine this value, use the get case or find cases APIs.

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- assignees array[object] | null
  
  An array containing users that are assigned to the case.
  
  Not more than 10 elements.
  
  Hide assignees attribute Show assignees attribute object
  
  uid string Required
  
  A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.
- category string | null
  
  The case category.
- closed_at string(date-time) | null Required
- closed_by object | null Required
  
  Hide closed_by attributes Show closed_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
- comments array[object] Required
  
  An array of comment objects for the case.
  
  Not more than 10000 elements.
  
  One of:
  Cases_alert_comment_response_properties object Cases_user_comment_response_properties object
  
  Hide attributes Show attributes
  
  alertId array[string]
  
  created_at string(date-time)
  
  created_by object
  
  Hide created_by attributes Show created_by attributes object
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  id string
  
  index array[string]
  
  owner string
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
  
  pushed_at string(date-time) | null
  
  pushed_by object | null
  
  Hide pushed_by attributes Show pushed_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  rule object
  
  Hide rule attributes Show rule attributes object
  
  id string
  
  The rule identifier.
  
  name string
  
  The rule name.
  
  type string Required Discriminator
  
  Value is alert.
  
  updated_at string(date-time) | null
  
  updated_by object | null
  
  Hide updated_by attributes Show updated_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  version string
  
  Hide attributes Show attributes
  
  comment string
  
  created_at string(date-time)
  
  created_by object
  
  Hide created_by attributes Show created_by attributes object
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  id string
  
  owner string
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
  
  pushed_at string(date-time) | null
  
  pushed_by object | null
  
  Hide pushed_by attributes Show pushed_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  type string Required Discriminator
  
  Value is user.
  
  updated_at string(date-time) | null
  
  updated_by object | null
  
  Hide updated_by attributes Show updated_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  version string
- connector object Required
  
  One of:
  Cases_connector_properties_none object Cases_connector_properties_cases_webhook object Cases_connector_properties_jira object Cases_connector_properties_resilient object Cases_connector_properties_servicenow object Cases_connector_properties_servicenow_sir object Cases_connector_properties_swimlane object
  
  Defines properties for connectors when type is .none.
  
  Hide attributes Show attributes
  
  fields string | null Required
  
  An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.
  
  id string Required
  
  The identifier for the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.
  
  name string Required
  
  The name of the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.
  
  type string Required Discriminator
  
  The type of connector. To create a case without a connector, use .none. To update a case to remove the connector, specify .none.
  
  Value is .none.
  
  Defines properties for connectors when type is .cases-webhook.
  
  Hide attributes Show attributes
  
  fields string | null Required
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .cases-webhook.
  
  Defines properties for connectors when type is .jira.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object
  
  issueType string | null Required
  
  The type of issue.
  
  parent string | null Required
  
  The key of the parent issue, when the issue type is sub-task.
  
  priority string | null Required
  
  The priority of the issue.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .jira.
  
  Defines properties for connectors when type is .resilient.
  
  Hide attributes Show attributes
  
  fields object | null Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object | null
  
  issueTypes array[string] Required
  
  The type of incident.
  
  severityCode string Required
  
  The severity code of the incident.
  
  id string Required
  
  The identifier for the connector.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .resilient.
  
  Defines properties for connectors when type is .servicenow.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object
  
  category string | null Required
  
  The category of the incident.
  
  impact string | null Required
  
  The effect an incident had on business.
  
  severity string | null Required
  
  The severity of the incident.
  
  subcategory string | null Required
  
  The subcategory of the incident.
  
  urgency string | null Required
  
  The extent to which the incident resolution can be delayed.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .servicenow.
  
  Defines properties for connectors when type is .servicenow-sir.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object
  
  category string | null Required
  
  The category of the incident.
  
  destIp boolean | null Required
  
  Indicates whether cases will send a comma-separated list of destination IPs.
  
  malwareHash boolean | null Required
  
  Indicates whether cases will send a comma-separated list of malware hashes.
  
  malwareUrl boolean | null Required
  
  Indicates whether cases will send a comma-separated list of malware URLs.
  
  priority string | null Required
  
  The priority of the issue.
  
  sourceIp boolean | null Required
  
  Indicates whether cases will send a comma-separated list of source IPs.
  
  subcategory string | null Required
  
  The subcategory of the incident.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .servicenow-sir.
  
  Defines properties for connectors when type is .swimlane.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attribute Show fields attribute object
  
  caseId string | null Required
  
  The case identifier for Swimlane connectors.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .swimlane.
- created_at string(date-time) Required
- created_by object Required
  
  Hide created_by attributes Show created_by attributes object
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
- customFields array[object]
  
  Custom field values for the case.
  
  Hide customFields attributes Show customFields attributes object
  
  key string
  
  The unique identifier for the custom field. The key value must exist in the case configuration settings.
  
  type string
  
  The custom field type. It must match the type specified in the case configuration settings.
  
  Values are text or toggle.
  
  value string | null | boolean
  
  The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is undefined. The value returned in the API and user interface in this case is null.
  
  One of:
  string-1 string | null boolean-2 boolean
  
  Minimum length is 1, maximum length is 160.
- description string Required
- duration integer | null Required
  
  The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero.
- external_service object | null Required
  
  Hide external_service attributes Show external_service attributes object | null
  
  connector_id string
  
  connector_name string
  
  external_id string
  
  external_title string
  
  external_url string
  
  pushed_at string(date-time)
  
  pushed_by object | null
  
  Hide pushed_by attributes Show pushed_by attributes object | null
  
  email string | null
  
  full_name string | null
  
  profile_uid string
  
  username string | null
- id string Required
- owner string Required
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
- settings object Required
  
  An object that contains the case settings.
  
  Hide settings attribute Show settings attribute object
  
  syncAlerts boolean Required
  
  Turns alert syncing on or off.
- severity string Required
  
  The severity of the case.
  
  Values are critical, high, low, or medium. Default value is low.
- status string Required
  
  The status of the case.
  
  Values are closed, in-progress, or open.
- tags array[string] Required
- title string Required
- totalAlerts integer Required
- totalComment integer Required
- updated_at string(date-time) | null Required
- updated_by object | null Required
  
  Hide updated_by attributes Show updated_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
- version string Required
401 application/json

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
- message string
- statusCode integer

PATCH /api/cases

curl \
 --request PATCH 'https://localhost:5601/api/cases' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"cases":[{"id":"a18b38a0-71b0-11ea-a0b2-c51ea50a58e2","tags":["tag-1"],"version":"WzIzLDFd","settings":{"syncAlerts":true},"connector":{"id":"131d4448-abe0-4789-939d-8ef60680b498","name":"My connector","type":".jira","fields":{"parent":null,"priority":null,"issueType":"10006"}},"description":"A case description.","customFields":[{"key":"fcc6840d-eb14-42df-8aaf-232201a705ec","type":"toggle","value":false},{"key":"d312efda-ec2b-42ec-9e2c-84981795c581","type":"text","value":"My new field value"}]}]}'

Request example

{
  "cases": [
    {
      "id": "a18b38a0-71b0-11ea-a0b2-c51ea50a58e2",
      "tags": [
        "tag-1"
      ],
      "version": "WzIzLDFd",
      "settings": {
        "syncAlerts": true
      },
      "connector": {
        "id": "131d4448-abe0-4789-939d-8ef60680b498",
        "name": "My connector",
        "type": ".jira",
        "fields": {
          "parent": null,
          "priority": null,
          "issueType": "10006"
        }
      },
      "description": "A case description.",
      "customFields": [
        {
          "key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
          "type": "toggle",
          "value": false
        },
        {
          "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
          "type": "text",
          "value": "My new field value"
        }
      ]
    }
  ]
}

Response examples (200)

[
  {
    "id": "66b9aa00-94fa-11ea-9f74-e7e108796192",
    "tags": [
      "tag-1"
    ],
    "owner": "cases",
    "title": "Case title 1",
    "status": "open",
    "version": "WzU0OCwxXQ==",
    "category": null,
    "comments": [],
    "duration": null,
    "settings": {
      "syncAlerts": true
    },
    "severity": "low",
    "assignees": [],
    "closed_at": null,
    "closed_by": null,
    "connector": {
      "id": "131d4448-abe0-4789-939d-8ef60680b498",
      "name": "My connector",
      "type": ".jira",
      "fields": {
        "parent": null,
        "priority": null,
        "issueType": "10006"
      }
    },
    "created_at": "2023-10-13T09:16:17.416Z",
    "created_by": {
      "email": null,
      "username": "elastic",
      "full_name": null,
      "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
    },
    "updated_at": "2023-10-13T09:48:33.043Z",
    "updated_by": {
      "email": null,
      "username": "elastic",
      "full_name": null,
      "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
    },
    "description": "A case description.",
    "totalAlerts": 0,
    "customFields": [
      {
        "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
        "type": "text",
        "value": "My new field value"
      },
      {
        "key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
        "type": "toggle",
        "value": false
      }
    ],
    "totalComment": 0,
    "external_service": {
      "pushed_at": "2023-10-13T09:20:40.672Z",
      "pushed_by": {
        "email": null,
        "username": "elastic",
        "full_name": null
      },
      "external_id": "10003",
      "connector_id": "05da469f-1fde-4058-99a3-91e4807e2de8",
      "external_url": "https://hms.atlassian.net/browse/IS-4",
      "connector_name": "Jira",
      "external_title": "IS-4"
    }
  }
]

Search cases

GET /api/cases/_find

Api key auth Basic auth

You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.

Query parameters

assignees string | array[string]

Filters the returned cases by assignees. Valid values are none or unique identifiers for the user profiles. These identifiers can be found by using the suggest user profile API.
category string | array[string]

Filters the returned cases by category.
defaultSearchOperator string

he default operator to use for the simple_query_string.

Default value is OR.
from string

Returns only cases that were created after a specific date. The date must be specified as a KQL data range or date match expression.
owner string | array[string]

A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read.
page integer

The page number to return.

Default value is 1.
perPage integer

The number of items to return. Limited to 100 items.

Maximum value is 100. Default value is 20.
reporters string | array[string]

Filters the returned cases by the user name of the reporter.
search string

An Elasticsearch simple_query_string query that filters the objects in the response.
searchFields string | array[string]

The fields to perform the simple_query_string parsed query against.
severity string

The severity of the case.

Values are critical, high, low, or medium.
sortField string

Determines which field is used to sort the results.

Values are createdAt, updatedAt, closedAt, title, category, status, or severity. Default value is createdAt.
sortOrder string

Determines the sort order.

Values are asc or desc. Default value is desc.
status string

Filters the returned cases by state.

Values are closed, in-progress, or open.
tags string | array[string]

Filters the returned cases by tags.
to string

Returns only cases that were created before a specific date. The date must be specified as a KQL data range or date match expression.

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- cases array[object]
  
  Not more than 10000 elements.
  
  Hide cases attributes Show cases attributes object
  
  assignees array[object] | null
  
  An array containing users that are assigned to the case.
  
  Not more than 10 elements.
  
  Hide assignees attribute Show assignees attribute object
  
  uid string Required
  
  A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.
  
  category string | null
  
  The case category.
  
  closed_at string(date-time) | null Required
  
  closed_by object | null Required
  
  Hide closed_by attributes Show closed_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  comments array[object] Required
  
  An array of comment objects for the case.
  
  Not more than 10000 elements.
  
  One of:
  Cases_alert_comment_response_properties object Cases_user_comment_response_properties object
  
  Hide attributes Show attributes
  
  alertId array[string]
  
  created_at string(date-time)
  
  created_by object
  
  Hide created_by attributes Show created_by attributes object
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  id string
  
  index array[string]
  
  owner string
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
  
  pushed_at string(date-time) | null
  
  pushed_by object | null
  
  Hide pushed_by attributes Show pushed_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  rule object
  
  Hide rule attributes Show rule attributes object
  
  id string
  
  The rule identifier.
  
  name string
  
  The rule name.
  
  type string Required Discriminator
  
  Value is alert.
  
  updated_at string(date-time) | null
  
  updated_by object | null
  
  Hide updated_by attributes Show updated_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  version string
  
  Hide attributes Show attributes
  
  comment string
  
  created_at string(date-time)
  
  created_by object
  
  Hide created_by attributes Show created_by attributes object
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  id string
  
  owner string
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
  
  pushed_at string(date-time) | null
  
  pushed_by object | null
  
  Hide pushed_by attributes Show pushed_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  type string Required Discriminator
  
  Value is user.
  
  updated_at string(date-time) | null
  
  updated_by object | null
  
  Hide updated_by attributes Show updated_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  version string
  
  connector object Required
  
  One of:
  Cases_connector_properties_none object Cases_connector_properties_cases_webhook object Cases_connector_properties_jira object Cases_connector_properties_resilient object Cases_connector_properties_servicenow object Cases_connector_properties_servicenow_sir object Cases_connector_properties_swimlane object
  
  Defines properties for connectors when type is .none.
  
  Hide attributes Show attributes
  
  fields string | null Required
  
  An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.
  
  id string Required
  
  The identifier for the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.
  
  name string Required
  
  The name of the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.
  
  type string Required Discriminator
  
  The type of connector. To create a case without a connector, use .none. To update a case to remove the connector, specify .none.
  
  Value is .none.
  
  Defines properties for connectors when type is .cases-webhook.
  
  Hide attributes Show attributes
  
  fields string | null Required
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .cases-webhook.
  
  Defines properties for connectors when type is .jira.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object
  
  issueType string | null Required
  
  The type of issue.
  
  parent string | null Required
  
  The key of the parent issue, when the issue type is sub-task.
  
  priority string | null Required
  
  The priority of the issue.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .jira.
  
  Defines properties for connectors when type is .resilient.
  
  Hide attributes Show attributes
  
  fields object | null Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object | null
  
  issueTypes array[string] Required
  
  The type of incident.
  
  severityCode string Required
  
  The severity code of the incident.
  
  id string Required
  
  The identifier for the connector.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .resilient.
  
  Defines properties for connectors when type is .servicenow.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object
  
  category string | null Required
  
  The category of the incident.
  
  impact string | null Required
  
  The effect an incident had on business.
  
  severity string | null Required
  
  The severity of the incident.
  
  subcategory string | null Required
  
  The subcategory of the incident.
  
  urgency string | null Required
  
  The extent to which the incident resolution can be delayed.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .servicenow.
  
  Defines properties for connectors when type is .servicenow-sir.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object
  
  category string | null Required
  
  The category of the incident.
  
  destIp boolean | null Required
  
  Indicates whether cases will send a comma-separated list of destination IPs.
  
  malwareHash boolean | null Required
  
  Indicates whether cases will send a comma-separated list of malware hashes.
  
  malwareUrl boolean | null Required
  
  Indicates whether cases will send a comma-separated list of malware URLs.
  
  priority string | null Required
  
  The priority of the issue.
  
  sourceIp boolean | null Required
  
  Indicates whether cases will send a comma-separated list of source IPs.
  
  subcategory string | null Required
  
  The subcategory of the incident.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .servicenow-sir.
  
  Defines properties for connectors when type is .swimlane.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attribute Show fields attribute object
  
  caseId string | null Required
  
  The case identifier for Swimlane connectors.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .swimlane.
  
  created_at string(date-time) Required
  
  created_by object Required
  
  Hide created_by attributes Show created_by attributes object
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  customFields array[object]
  
  Custom field values for the case.
  
  Hide customFields attributes Show customFields attributes object
  
  key string
  
  The unique identifier for the custom field. The key value must exist in the case configuration settings.
  
  type string
  
  The custom field type. It must match the type specified in the case configuration settings.
  
  Values are text or toggle.
  
  value string | null | boolean
  
  The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is undefined. The value returned in the API and user interface in this case is null.
  
  One of:
  string-1 string | null boolean-2 boolean
  
  Minimum length is 1, maximum length is 160.
  
  description string Required
  
  duration integer | null Required
  
  The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero.
  
  external_service object | null Required
  
  Hide external_service attributes Show external_service attributes object | null
  
  connector_id string
  
  connector_name string
  
  external_id string
  
  external_title string
  
  external_url string
  
  pushed_at string(date-time)
  
  pushed_by object | null
  
  Hide pushed_by attributes Show pushed_by attributes object | null
  
  email string | null
  
  full_name string | null
  
  profile_uid string
  
  username string | null
  
  id string Required
  
  owner string Required
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
  
  settings object Required
  
  An object that contains the case settings.
  
  Hide settings attribute Show settings attribute object
  
  syncAlerts boolean Required
  
  Turns alert syncing on or off.
  
  severity string Required
  
  The severity of the case.
  
  Values are critical, high, low, or medium. Default value is low.
  
  status string Required
  
  The status of the case.
  
  Values are closed, in-progress, or open.
  
  tags array[string] Required
  
  title string Required
  
  totalAlerts integer Required
  
  totalComment integer Required
  
  updated_at string(date-time) | null Required
  
  updated_by object | null Required
  
  Hide updated_by attributes Show updated_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  version string Required
- count_closed_cases integer
- count_in_progress_cases integer
- count_open_cases integer
- page integer
- per_page integer
- total integer
401 application/json

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
- message string
- statusCode integer

GET /api/cases/_find

curl \
 --request GET 'https://localhost:5601/api/cases/_find' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "page": 1,
  "cases": [
    {
      "id": "abed3a70-71bd-11ea-a0b2-c51ea50a58e2",
      "tags": [
        "tag-1"
      ],
      "owner": "cases",
      "title": "Case title",
      "status": "open",
      "version": "WzExMCwxXQ==",
      "category": null,
      "comments": [],
      "duration": null,
      "settings": {
        "syncAlerts": true
      },
      "severity": "low",
      "assignees": [],
      "closed_at": null,
      "closed_by": null,
      "connector": {
        "id": "none",
        "name": "none",
        "type": ".none",
        "fields": null
      },
      "created_at": "2023-10-12T00:16:36.371Z",
      "created_by": {
        "email": null,
        "username": "elastic",
        "full_name": null,
        "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
      },
      "updated_at": "2023-10-12T00:27:58.162Z",
      "updated_by": {
        "email": null,
        "username": "elastic",
        "full_name": null,
        "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
      },
      "description": "Case description",
      "totalAlerts": 0,
      "customFields": [
        {
          "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
          "type": "text",
          "value": "My field value"
        },
        {
          "key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
          "type": "toggle",
          "value": null
        }
      ],
      "totalComment": 1,
      "external_service": null
    }
  ],
  "total": 1,
  "per_page": 5,
  "count_open_cases": 1,
  "count_closed_cases": 0,
  "count_in_progress_cases": 0
}

Get case information

GET /api/cases/{caseId}

Api key auth Basic auth

You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're seeking.

Path parameters

caseId string Required

The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.

Query parameters

includeComments boolean Deprecated

Deprecated in 8.1.0. This parameter is deprecated and will be removed in a future release. It determines whether case comments are returned.

Default value is true.

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- assignees array[object] | null
  
  An array containing users that are assigned to the case.
  
  Not more than 10 elements.
  
  Hide assignees attribute Show assignees attribute object
  
  uid string Required
  
  A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.
- category string | null
  
  The case category.
- closed_at string(date-time) | null Required
- closed_by object | null Required
  
  Hide closed_by attributes Show closed_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
- comments array[object] Required
  
  An array of comment objects for the case.
  
  Not more than 10000 elements.
  
  One of:
  Cases_alert_comment_response_properties object Cases_user_comment_response_properties object
  
  Hide attributes Show attributes
  
  alertId array[string]
  
  created_at string(date-time)
  
  created_by object
  
  Hide created_by attributes Show created_by attributes object
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  id string
  
  index array[string]
  
  owner string
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
  
  pushed_at string(date-time) | null
  
  pushed_by object | null
  
  Hide pushed_by attributes Show pushed_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  rule object
  
  Hide rule attributes Show rule attributes object
  
  id string
  
  The rule identifier.
  
  name string
  
  The rule name.
  
  type string Required Discriminator
  
  Value is alert.
  
  updated_at string(date-time) | null
  
  updated_by object | null
  
  Hide updated_by attributes Show updated_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  version string
  
  Hide attributes Show attributes
  
  comment string
  
  created_at string(date-time)
  
  created_by object
  
  Hide created_by attributes Show created_by attributes object
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  id string
  
  owner string
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
  
  pushed_at string(date-time) | null
  
  pushed_by object | null
  
  Hide pushed_by attributes Show pushed_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  type string Required Discriminator
  
  Value is user.
  
  updated_at string(date-time) | null
  
  updated_by object | null
  
  Hide updated_by attributes Show updated_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  version string
- connector object Required
  
  One of:
  Cases_connector_properties_none object Cases_connector_properties_cases_webhook object Cases_connector_properties_jira object Cases_connector_properties_resilient object Cases_connector_properties_servicenow object Cases_connector_properties_servicenow_sir object Cases_connector_properties_swimlane object
  
  Defines properties for connectors when type is .none.
  
  Hide attributes Show attributes
  
  fields string | null Required
  
  An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.
  
  id string Required
  
  The identifier for the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.
  
  name string Required
  
  The name of the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.
  
  type string Required Discriminator
  
  The type of connector. To create a case without a connector, use .none. To update a case to remove the connector, specify .none.
  
  Value is .none.
  
  Defines properties for connectors when type is .cases-webhook.
  
  Hide attributes Show attributes
  
  fields string | null Required
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .cases-webhook.
  
  Defines properties for connectors when type is .jira.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object
  
  issueType string | null Required
  
  The type of issue.
  
  parent string | null Required
  
  The key of the parent issue, when the issue type is sub-task.
  
  priority string | null Required
  
  The priority of the issue.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .jira.
  
  Defines properties for connectors when type is .resilient.
  
  Hide attributes Show attributes
  
  fields object | null Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object | null
  
  issueTypes array[string] Required
  
  The type of incident.
  
  severityCode string Required
  
  The severity code of the incident.
  
  id string Required
  
  The identifier for the connector.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .resilient.
  
  Defines properties for connectors when type is .servicenow.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object
  
  category string | null Required
  
  The category of the incident.
  
  impact string | null Required
  
  The effect an incident had on business.
  
  severity string | null Required
  
  The severity of the incident.
  
  subcategory string | null Required
  
  The subcategory of the incident.
  
  urgency string | null Required
  
  The extent to which the incident resolution can be delayed.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .servicenow.
  
  Defines properties for connectors when type is .servicenow-sir.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object
  
  category string | null Required
  
  The category of the incident.
  
  destIp boolean | null Required
  
  Indicates whether cases will send a comma-separated list of destination IPs.
  
  malwareHash boolean | null Required
  
  Indicates whether cases will send a comma-separated list of malware hashes.
  
  malwareUrl boolean | null Required
  
  Indicates whether cases will send a comma-separated list of malware URLs.
  
  priority string | null Required
  
  The priority of the issue.
  
  sourceIp boolean | null Required
  
  Indicates whether cases will send a comma-separated list of source IPs.
  
  subcategory string | null Required
  
  The subcategory of the incident.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .servicenow-sir.
  
  Defines properties for connectors when type is .swimlane.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attribute Show fields attribute object
  
  caseId string | null Required
  
  The case identifier for Swimlane connectors.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .swimlane.
- created_at string(date-time) Required
- created_by object Required
  
  Hide created_by attributes Show created_by attributes object
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
- customFields array[object]
  
  Custom field values for the case.
  
  Hide customFields attributes Show customFields attributes object
  
  key string
  
  The unique identifier for the custom field. The key value must exist in the case configuration settings.
  
  type string
  
  The custom field type. It must match the type specified in the case configuration settings.
  
  Values are text or toggle.
  
  value string | null | boolean
  
  The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is undefined. The value returned in the API and user interface in this case is null.
  
  One of:
  string-1 string | null boolean-2 boolean
  
  Minimum length is 1, maximum length is 160.
- description string Required
- duration integer | null Required
  
  The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero.
- external_service object | null Required
  
  Hide external_service attributes Show external_service attributes object | null
  
  connector_id string
  
  connector_name string
  
  external_id string
  
  external_title string
  
  external_url string
  
  pushed_at string(date-time)
  
  pushed_by object | null
  
  Hide pushed_by attributes Show pushed_by attributes object | null
  
  email string | null
  
  full_name string | null
  
  profile_uid string
  
  username string | null
- id string Required
- owner string Required
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
- settings object Required
  
  An object that contains the case settings.
  
  Hide settings attribute Show settings attribute object
  
  syncAlerts boolean Required
  
  Turns alert syncing on or off.
- severity string Required
  
  The severity of the case.
  
  Values are critical, high, low, or medium. Default value is low.
- status string Required
  
  The status of the case.
  
  Values are closed, in-progress, or open.
- tags array[string] Required
- title string Required
- totalAlerts integer Required
- totalComment integer Required
- updated_at string(date-time) | null Required
- updated_by object | null Required
  
  Hide updated_by attributes Show updated_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
- version string Required
401 application/json

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
- message string
- statusCode integer

GET /api/cases/{caseId}

curl \
 --request GET 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "id": "31cdada0-02c1-11ed-85f2-4f7c222ca2fa",
  "tags": [
    "tag 1"
  ],
  "owner": "cases",
  "title": "Case title 1",
  "status": "open",
  "version": "WzM2LDFd",
  "category": null,
  "comments": [
    {
      "id": "2134c1d0-02c2-11ed-85f2-4f7c222ca2fa",
      "type": "user",
      "owner": "cases",
      "comment": "A new comment",
      "version": "WzM3LDFd",
      "pushed_at": null,
      "pushed_by": null,
      "created_at": "2023-10-13T15:40:32.335Z",
      "created_by": {
        "email": null,
        "username": "elastic",
        "full_name": null,
        "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
      },
      "updated_at": null,
      "updated_by": null
    }
  ],
  "duration": null,
  "settings": {
    "syncAlerts": true
  },
  "severity": "low",
  "assignees": [
    {
      "uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
    }
  ],
  "closed_at": null,
  "closed_by": null,
  "connector": {
    "id": "none",
    "name": "none",
    "type": ".none",
    "fields": null
  },
  "created_at": "2023-10-13T15:33:50.604Z",
  "created_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "updated_at": "2023-10-13T15:40:32.335Z",
  "updated_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "description": "A case description",
  "totalAlerts": 0,
  "customFields": [
    {
      "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
      "type": "text",
      "value": "My field value"
    },
    {
      "key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
      "type": "toggle",
      "value": null
    }
  ],
  "totalComment": 1,
  "external_service": null
}

{
  "id": "c3ff7550-def1-4e90-b6bc-c9969a4a09b1",
  "tags": [
    "observability",
    "tag 1"
  ],
  "owner": "observability",
  "title": "Observability case title 1",
  "status": "in-progress",
  "version": "WzI0NywyXQ==",
  "category": null,
  "comments": [
    {
      "id": "59d438d0-79a9-4864-8d4b-e63adacebf6e",
      "rule": {
        "id": "03e4eb87-62ca-4e5d-9570-3d7625e9669d",
        "name": "Observability rule"
      },
      "type": "alert",
      "index": [
        ".internal.alerts-observability.logs.alerts-default-000001"
      ],
      "owner": "observability",
      "alertId": [
        "a6e12ac4-7bce-457b-84f6-d7ce8deb8446"
      ],
      "version": "WzY3LDJd",
      "pushed_at": null,
      "pushed_by": null,
      "created_at": "2023-11-06T19:29:38.424Z",
      "created_by": {
        "email": null,
        "username": "elastic",
        "full_name": null,
        "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
      },
      "updated_at": null,
      "updated_by": null
    },
    {
      "id": "d99342d3-3aa3-4b80-90ec-a702607604f5",
      "type": "user",
      "owner": "observability",
      "comment": "The first comment.",
      "version": "WzcyLDJd",
      "pushed_at": null,
      "pushed_by": null,
      "created_at": "2023-11-06T19:29:57.812Z",
      "created_by": {
        "email": null,
        "username": "elastic",
        "full_name": null,
        "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
      },
      "updated_at": null,
      "updated_by": null
    }
  ],
  "duration": null,
  "settings": {
    "syncAlerts": false
  },
  "severity": "low",
  "assignees": [
    {
      "uid": "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
    }
  ],
  "closed_at": null,
  "closed_by": null,
  "connector": {
    "id": "none",
    "name": "none",
    "type": ".none",
    "fields": null
  },
  "created_at": "2023-11-06T19:29:04.086Z",
  "created_by": {
    "email": null,
    "username": "elastic",
    "full_name": null
  },
  "updated_at": "2023-11-06T19:47:55.662Z",
  "updated_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "description": "An Observability case description.",
  "totalAlerts": 1,
  "customFields": [],
  "totalComment": 1,
  "external_service": null
}

Get all case comments Deprecated

GET /api/cases/{caseId}/comments

Api key auth Basic auth

Deprecated in 8.1.0. This API is deprecated and will be removed in a future release; instead, use the get case comment API, which requires a comment identifier in the path. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases with the comments you're seeking.

Path parameters

caseId string Required

The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- assignees array[object] | null
  
  An array containing users that are assigned to the case.
  
  Not more than 10 elements.
  
  Hide assignees attribute Show assignees attribute object
  
  uid string Required
  
  A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.
- category string | null
  
  The case category.
- closed_at string(date-time) | null Required
- closed_by object | null Required
  
  Hide closed_by attributes Show closed_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
- comments array[object] Required
  
  An array of comment objects for the case.
  
  Not more than 10000 elements.
  
  One of:
  Cases_alert_comment_response_properties object Cases_user_comment_response_properties object
  
  Hide attributes Show attributes
  
  alertId array[string]
  
  created_at string(date-time)
  
  created_by object
  
  Hide created_by attributes Show created_by attributes object
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  id string
  
  index array[string]
  
  owner string
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
  
  pushed_at string(date-time) | null
  
  pushed_by object | null
  
  Hide pushed_by attributes Show pushed_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  rule object
  
  Hide rule attributes Show rule attributes object
  
  id string
  
  The rule identifier.
  
  name string
  
  The rule name.
  
  type string Required Discriminator
  
  Value is alert.
  
  updated_at string(date-time) | null
  
  updated_by object | null
  
  Hide updated_by attributes Show updated_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  version string
  
  Hide attributes Show attributes
  
  comment string
  
  created_at string(date-time)
  
  created_by object
  
  Hide created_by attributes Show created_by attributes object
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  id string
  
  owner string
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
  
  pushed_at string(date-time) | null
  
  pushed_by object | null
  
  Hide pushed_by attributes Show pushed_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  type string Required Discriminator
  
  Value is user.
  
  updated_at string(date-time) | null
  
  updated_by object | null
  
  Hide updated_by attributes Show updated_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  version string
- connector object Required
  
  One of:
  Cases_connector_properties_none object Cases_connector_properties_cases_webhook object Cases_connector_properties_jira object Cases_connector_properties_resilient object Cases_connector_properties_servicenow object Cases_connector_properties_servicenow_sir object Cases_connector_properties_swimlane object
  
  Defines properties for connectors when type is .none.
  
  Hide attributes Show attributes
  
  fields string | null Required
  
  An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.
  
  id string Required
  
  The identifier for the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.
  
  name string Required
  
  The name of the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.
  
  type string Required Discriminator
  
  The type of connector. To create a case without a connector, use .none. To update a case to remove the connector, specify .none.
  
  Value is .none.
  
  Defines properties for connectors when type is .cases-webhook.
  
  Hide attributes Show attributes
  
  fields string | null Required
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .cases-webhook.
  
  Defines properties for connectors when type is .jira.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object
  
  issueType string | null Required
  
  The type of issue.
  
  parent string | null Required
  
  The key of the parent issue, when the issue type is sub-task.
  
  priority string | null Required
  
  The priority of the issue.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .jira.
  
  Defines properties for connectors when type is .resilient.
  
  Hide attributes Show attributes
  
  fields object | null Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object | null
  
  issueTypes array[string] Required
  
  The type of incident.
  
  severityCode string Required
  
  The severity code of the incident.
  
  id string Required
  
  The identifier for the connector.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .resilient.
  
  Defines properties for connectors when type is .servicenow.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object
  
  category string | null Required
  
  The category of the incident.
  
  impact string | null Required
  
  The effect an incident had on business.
  
  severity string | null Required
  
  The severity of the incident.
  
  subcategory string | null Required
  
  The subcategory of the incident.
  
  urgency string | null Required
  
  The extent to which the incident resolution can be delayed.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .servicenow.
  
  Defines properties for connectors when type is .servicenow-sir.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object
  
  category string | null Required
  
  The category of the incident.
  
  destIp boolean | null Required
  
  Indicates whether cases will send a comma-separated list of destination IPs.
  
  malwareHash boolean | null Required
  
  Indicates whether cases will send a comma-separated list of malware hashes.
  
  malwareUrl boolean | null Required
  
  Indicates whether cases will send a comma-separated list of malware URLs.
  
  priority string | null Required
  
  The priority of the issue.
  
  sourceIp boolean | null Required
  
  Indicates whether cases will send a comma-separated list of source IPs.
  
  subcategory string | null Required
  
  The subcategory of the incident.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .servicenow-sir.
  
  Defines properties for connectors when type is .swimlane.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attribute Show fields attribute object
  
  caseId string | null Required
  
  The case identifier for Swimlane connectors.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .swimlane.
- created_at string(date-time) Required
- created_by object Required
  
  Hide created_by attributes Show created_by attributes object
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
- customFields array[object]
  
  Custom field values for the case.
  
  Hide customFields attributes Show customFields attributes object
  
  key string
  
  The unique identifier for the custom field. The key value must exist in the case configuration settings.
  
  type string
  
  The custom field type. It must match the type specified in the case configuration settings.
  
  Values are text or toggle.
  
  value string | null | boolean
  
  The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is undefined. The value returned in the API and user interface in this case is null.
  
  One of:
  string-1 string | null boolean-2 boolean
  
  Minimum length is 1, maximum length is 160.
- description string Required
- duration integer | null Required
  
  The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero.
- external_service object | null Required
  
  Hide external_service attributes Show external_service attributes object | null
  
  connector_id string
  
  connector_name string
  
  external_id string
  
  external_title string
  
  external_url string
  
  pushed_at string(date-time)
  
  pushed_by object | null
  
  Hide pushed_by attributes Show pushed_by attributes object | null
  
  email string | null
  
  full_name string | null
  
  profile_uid string
  
  username string | null
- id string Required
- owner string Required
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
- settings object Required
  
  An object that contains the case settings.
  
  Hide settings attribute Show settings attribute object
  
  syncAlerts boolean Required
  
  Turns alert syncing on or off.
- severity string Required
  
  The severity of the case.
  
  Values are critical, high, low, or medium. Default value is low.
- status string Required
  
  The status of the case.
  
  Values are closed, in-progress, or open.
- tags array[string] Required
- title string Required
- totalAlerts integer Required
- totalComment integer Required
- updated_at string(date-time) | null Required
- updated_by object | null Required
  
  Hide updated_by attributes Show updated_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
- version string Required
401 application/json

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
- message string
- statusCode integer

GET /api/cases/{caseId}/comments

curl \
 --request GET 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments' \
 --header "Authorization: $API_KEY"

Add a case comment or alert

POST /api/cases/{caseId}/comments

Api key auth Basic auth

You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're creating. NOTE: Each case can have a maximum of 1,000 alerts.

Headers

kbn-xsrf string Required

Cross-site request forgery protection

Path parameters

caseId string Required

The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.

application/json

Body object Required

The add comment to case API request body varies depending on whether you are adding an alert or a comment.

Defines properties for case comment requests when type is alert.

alertId string | array[string] Required

The alert identifiers. It is required only when type is alert. You can use an array of strings to add multiple alerts to a case, provided that they all relate to the same rule; index must also be an array with the same length or number of elements. Adding multiple alerts in this manner is recommended rather than calling the API multiple times. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

One of:
string-1 string array-2 array[string]
index string | array[string] Required

The alert indices. It is required only when type is alert. If you are adding multiple alerts to a case, use an array of strings; the position of each index name in the array must match the position of the corresponding alert identifier in the alertId array. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

One of:
string-1 string array-2 array[string]
owner string Required

The application that owns the cases: Stack Management, Observability, or Elastic Security.

Values are cases, observability, or securitySolution.
rule object Required Technical preview

The rule that is associated with the alerts. It is required only when type is alert. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
Hide rule attributes Show rule attributes object
- id string
  
  The rule identifier.
- name string
  
  The rule name.
type string Required Discriminator

The type of comment.

Value is alert.

Defines properties for case comment requests when type is user.

comment string Required

The new comment. It is required only when type is user.

Maximum length is 30000.
owner string Required

The application that owns the cases: Stack Management, Observability, or Elastic Security.

Values are cases, observability, or securitySolution.
type string Required Discriminator

The type of comment.

Value is user.

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- assignees array[object] | null
  
  An array containing users that are assigned to the case.
  
  Not more than 10 elements.
  
  Hide assignees attribute Show assignees attribute object
  
  uid string Required
  
  A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.
- category string | null
  
  The case category.
- closed_at string(date-time) | null Required
- closed_by object | null Required
  
  Hide closed_by attributes Show closed_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
- comments array[object] Required
  
  An array of comment objects for the case.
  
  Not more than 10000 elements.
  
  One of:
  Cases_alert_comment_response_properties object Cases_user_comment_response_properties object
  
  Hide attributes Show attributes
  
  alertId array[string]
  
  created_at string(date-time)
  
  created_by object
  
  Hide created_by attributes Show created_by attributes object
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  id string
  
  index array[string]
  
  owner string
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
  
  pushed_at string(date-time) | null
  
  pushed_by object | null
  
  Hide pushed_by attributes Show pushed_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  rule object
  
  Hide rule attributes Show rule attributes object
  
  id string
  
  The rule identifier.
  
  name string
  
  The rule name.
  
  type string Required Discriminator
  
  Value is alert.
  
  updated_at string(date-time) | null
  
  updated_by object | null
  
  Hide updated_by attributes Show updated_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  version string
  
  Hide attributes Show attributes
  
  comment string
  
  created_at string(date-time)
  
  created_by object
  
  Hide created_by attributes Show created_by attributes object
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  id string
  
  owner string
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
  
  pushed_at string(date-time) | null
  
  pushed_by object | null
  
  Hide pushed_by attributes Show pushed_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  type string Required Discriminator
  
  Value is user.
  
  updated_at string(date-time) | null
  
  updated_by object | null
  
  Hide updated_by attributes Show updated_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  version string
- connector object Required
  
  One of:
  Cases_connector_properties_none object Cases_connector_properties_cases_webhook object Cases_connector_properties_jira object Cases_connector_properties_resilient object Cases_connector_properties_servicenow object Cases_connector_properties_servicenow_sir object Cases_connector_properties_swimlane object
  
  Defines properties for connectors when type is .none.
  
  Hide attributes Show attributes
  
  fields string | null Required
  
  An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.
  
  id string Required
  
  The identifier for the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.
  
  name string Required
  
  The name of the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.
  
  type string Required Discriminator
  
  The type of connector. To create a case without a connector, use .none. To update a case to remove the connector, specify .none.
  
  Value is .none.
  
  Defines properties for connectors when type is .cases-webhook.
  
  Hide attributes Show attributes
  
  fields string | null Required
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .cases-webhook.
  
  Defines properties for connectors when type is .jira.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object
  
  issueType string | null Required
  
  The type of issue.
  
  parent string | null Required
  
  The key of the parent issue, when the issue type is sub-task.
  
  priority string | null Required
  
  The priority of the issue.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .jira.
  
  Defines properties for connectors when type is .resilient.
  
  Hide attributes Show attributes
  
  fields object | null Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object | null
  
  issueTypes array[string] Required
  
  The type of incident.
  
  severityCode string Required
  
  The severity code of the incident.
  
  id string Required
  
  The identifier for the connector.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .resilient.
  
  Defines properties for connectors when type is .servicenow.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object
  
  category string | null Required
  
  The category of the incident.
  
  impact string | null Required
  
  The effect an incident had on business.
  
  severity string | null Required
  
  The severity of the incident.
  
  subcategory string | null Required
  
  The subcategory of the incident.
  
  urgency string | null Required
  
  The extent to which the incident resolution can be delayed.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .servicenow.
  
  Defines properties for connectors when type is .servicenow-sir.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object
  
  category string | null Required
  
  The category of the incident.
  
  destIp boolean | null Required
  
  Indicates whether cases will send a comma-separated list of destination IPs.
  
  malwareHash boolean | null Required
  
  Indicates whether cases will send a comma-separated list of malware hashes.
  
  malwareUrl boolean | null Required
  
  Indicates whether cases will send a comma-separated list of malware URLs.
  
  priority string | null Required
  
  The priority of the issue.
  
  sourceIp boolean | null Required
  
  Indicates whether cases will send a comma-separated list of source IPs.
  
  subcategory string | null Required
  
  The subcategory of the incident.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .servicenow-sir.
  
  Defines properties for connectors when type is .swimlane.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attribute Show fields attribute object
  
  caseId string | null Required
  
  The case identifier for Swimlane connectors.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .swimlane.
- created_at string(date-time) Required
- created_by object Required
  
  Hide created_by attributes Show created_by attributes object
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
- customFields array[object]
  
  Custom field values for the case.
  
  Hide customFields attributes Show customFields attributes object
  
  key string
  
  The unique identifier for the custom field. The key value must exist in the case configuration settings.
  
  type string
  
  The custom field type. It must match the type specified in the case configuration settings.
  
  Values are text or toggle.
  
  value string | null | boolean
  
  The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is undefined. The value returned in the API and user interface in this case is null.
  
  One of:
  string-1 string | null boolean-2 boolean
  
  Minimum length is 1, maximum length is 160.
- description string Required
- duration integer | null Required
  
  The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero.
- external_service object | null Required
  
  Hide external_service attributes Show external_service attributes object | null
  
  connector_id string
  
  connector_name string
  
  external_id string
  
  external_title string
  
  external_url string
  
  pushed_at string(date-time)
  
  pushed_by object | null
  
  Hide pushed_by attributes Show pushed_by attributes object | null
  
  email string | null
  
  full_name string | null
  
  profile_uid string
  
  username string | null
- id string Required
- owner string Required
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
- settings object Required
  
  An object that contains the case settings.
  
  Hide settings attribute Show settings attribute object
  
  syncAlerts boolean Required
  
  Turns alert syncing on or off.
- severity string Required
  
  The severity of the case.
  
  Values are critical, high, low, or medium. Default value is low.
- status string Required
  
  The status of the case.
  
  Values are closed, in-progress, or open.
- tags array[string] Required
- title string Required
- totalAlerts integer Required
- totalComment integer Required
- updated_at string(date-time) | null Required
- updated_by object | null Required
  
  Hide updated_by attributes Show updated_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
- version string Required
401 application/json

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
- message string
- statusCode integer

POST /api/cases/{caseId}/comments

curl \
 --request POST 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"type":"user","owner":"cases","comment":"A new comment."}'

Request example

{
  "type": "user",
  "owner": "cases",
  "comment": "A new comment."
}

Response examples (200)

{
  "id": "293f1bc0-74f6-11ea-b83a-553aecdb28b6",
  "tags": [
    "tag 1"
  ],
  "owner": "cases",
  "title": "Case title 1",
  "status": "open",
  "version": "WzIzMzgsMV0=",
  "category": null,
  "comments": [
    {
      "id": "8af6ac20-74f6-11ea-b83a-553aecdb28b6",
      "type": "user",
      "owner": "cases",
      "comment": "A new comment.",
      "version": "WzIwNDMxLDFd",
      "created_at": "2022-10-02T00:49:47.716Z",
      "created_by": {
        "email": null,
        "username": "elastic",
        "full_name": null
      }
    }
  ],
  "duration": null,
  "settings": {
    "syncAlerts": false
  },
  "severity": "low",
  "assignees": [],
  "closed_at": null,
  "closed_by": null,
  "connector": {
    "id": "none",
    "name": "none",
    "type": ".none",
    "fields": null
  },
  "created_at": "2022-03-24T00:37:03.906Z",
  "created_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "updated_at": "2022-06-03T00:49:47.716Z",
  "updated_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "description": "A case description.",
  "totalAlerts": 0,
  "customFields": [
    {
      "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
      "type": "text",
      "value": "Field value"
    },
    {
      "key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
      "type": "toggle",
      "value": true
    }
  ],
  "totalComment": 1,
  "external_service": null
}

Delete all case comments and alerts

DELETE /api/cases/{caseId}/comments

Api key auth Basic auth

Deletes all comments and alerts from a case. You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're deleting.

Headers

kbn-xsrf string Required

Cross-site request forgery protection

Path parameters

caseId string Required

The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.

Responses

204

Indicates a successful call.
401 application/json

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
- message string
- statusCode integer

DELETE /api/cases/{caseId}/comments

curl \
 --request DELETE 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: string"

Update a case comment or alert

PATCH /api/cases/{caseId}/comments

Api key auth Basic auth

You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're updating. NOTE: You cannot change the comment type or the owner of a comment.

Headers

kbn-xsrf string Required

Cross-site request forgery protection

Path parameters

caseId string Required

The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.

application/json

Body object Required

The update case comment API request body varies depending on whether you are updating an alert or a comment.

Defines properties for case comment requests when type is alert.

alertId string | array[string] Required

The alert identifiers. It is required only when type is alert. You can use an array of strings to add multiple alerts to a case, provided that they all relate to the same rule; index must also be an array with the same length or number of elements. Adding multiple alerts in this manner is recommended rather than calling the API multiple times. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

One of:
string-1 string array-2 array[string]
id string Required

The identifier for the comment. To retrieve comment IDs, use the get comments API.
index string | array[string] Required

The alert indices. It is required only when type is alert. If you are adding multiple alerts to a case, use an array of strings; the position of each index name in the array must match the position of the corresponding alert identifier in the alertId array. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

One of:
string-1 string array-2 array[string]
owner string Required

The application that owns the cases: Stack Management, Observability, or Elastic Security.

Values are cases, observability, or securitySolution.
rule object Required Technical preview

The rule that is associated with the alerts. It is required only when type is alert. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
Hide rule attributes Show rule attributes object
- id string
  
  The rule identifier.
- name string
  
  The rule name.
type string Required Discriminator

The type of comment.

Value is alert.
version string Required

The current comment version. To retrieve version values, use the get comments API.

Defines properties for case comment requests when type is user.

comment string Required

The new comment. It is required only when type is user.

Maximum length is 30000.
id string Required

The identifier for the comment. To retrieve comment IDs, use the get comments API.
owner string Required

The application that owns the cases: Stack Management, Observability, or Elastic Security.

Values are cases, observability, or securitySolution.
type string Required Discriminator

The type of comment.

Value is user.
version string Required

The current comment version. To retrieve version values, use the get comments API.

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- assignees array[object] | null
  
  An array containing users that are assigned to the case.
  
  Not more than 10 elements.
  
  Hide assignees attribute Show assignees attribute object
  
  uid string Required
  
  A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.
- category string | null
  
  The case category.
- closed_at string(date-time) | null Required
- closed_by object | null Required
  
  Hide closed_by attributes Show closed_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
- comments array[object] Required
  
  An array of comment objects for the case.
  
  Not more than 10000 elements.
  
  One of:
  Cases_alert_comment_response_properties object Cases_user_comment_response_properties object
  
  Hide attributes Show attributes
  
  alertId array[string]
  
  created_at string(date-time)
  
  created_by object
  
  Hide created_by attributes Show created_by attributes object
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  id string
  
  index array[string]
  
  owner string
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
  
  pushed_at string(date-time) | null
  
  pushed_by object | null
  
  Hide pushed_by attributes Show pushed_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  rule object
  
  Hide rule attributes Show rule attributes object
  
  id string
  
  The rule identifier.
  
  name string
  
  The rule name.
  
  type string Required Discriminator
  
  Value is alert.
  
  updated_at string(date-time) | null
  
  updated_by object | null
  
  Hide updated_by attributes Show updated_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  version string
  
  Hide attributes Show attributes
  
  comment string
  
  created_at string(date-time)
  
  created_by object
  
  Hide created_by attributes Show created_by attributes object
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  id string
  
  owner string
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
  
  pushed_at string(date-time) | null
  
  pushed_by object | null
  
  Hide pushed_by attributes Show pushed_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  type string Required Discriminator
  
  Value is user.
  
  updated_at string(date-time) | null
  
  updated_by object | null
  
  Hide updated_by attributes Show updated_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  version string
- connector object Required
  
  One of:
  Cases_connector_properties_none object Cases_connector_properties_cases_webhook object Cases_connector_properties_jira object Cases_connector_properties_resilient object Cases_connector_properties_servicenow object Cases_connector_properties_servicenow_sir object Cases_connector_properties_swimlane object
  
  Defines properties for connectors when type is .none.
  
  Hide attributes Show attributes
  
  fields string | null Required
  
  An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.
  
  id string Required
  
  The identifier for the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.
  
  name string Required
  
  The name of the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.
  
  type string Required Discriminator
  
  The type of connector. To create a case without a connector, use .none. To update a case to remove the connector, specify .none.
  
  Value is .none.
  
  Defines properties for connectors when type is .cases-webhook.
  
  Hide attributes Show attributes
  
  fields string | null Required
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .cases-webhook.
  
  Defines properties for connectors when type is .jira.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object
  
  issueType string | null Required
  
  The type of issue.
  
  parent string | null Required
  
  The key of the parent issue, when the issue type is sub-task.
  
  priority string | null Required
  
  The priority of the issue.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .jira.
  
  Defines properties for connectors when type is .resilient.
  
  Hide attributes Show attributes
  
  fields object | null Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object | null
  
  issueTypes array[string] Required
  
  The type of incident.
  
  severityCode string Required
  
  The severity code of the incident.
  
  id string Required
  
  The identifier for the connector.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .resilient.
  
  Defines properties for connectors when type is .servicenow.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object
  
  category string | null Required
  
  The category of the incident.
  
  impact string | null Required
  
  The effect an incident had on business.
  
  severity string | null Required
  
  The severity of the incident.
  
  subcategory string | null Required
  
  The subcategory of the incident.
  
  urgency string | null Required
  
  The extent to which the incident resolution can be delayed.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .servicenow.
  
  Defines properties for connectors when type is .servicenow-sir.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object
  
  category string | null Required
  
  The category of the incident.
  
  destIp boolean | null Required
  
  Indicates whether cases will send a comma-separated list of destination IPs.
  
  malwareHash boolean | null Required
  
  Indicates whether cases will send a comma-separated list of malware hashes.
  
  malwareUrl boolean | null Required
  
  Indicates whether cases will send a comma-separated list of malware URLs.
  
  priority string | null Required
  
  The priority of the issue.
  
  sourceIp boolean | null Required
  
  Indicates whether cases will send a comma-separated list of source IPs.
  
  subcategory string | null Required
  
  The subcategory of the incident.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .servicenow-sir.
  
  Defines properties for connectors when type is .swimlane.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attribute Show fields attribute object
  
  caseId string | null Required
  
  The case identifier for Swimlane connectors.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .swimlane.
- created_at string(date-time) Required
- created_by object Required
  
  Hide created_by attributes Show created_by attributes object
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
- customFields array[object]
  
  Custom field values for the case.
  
  Hide customFields attributes Show customFields attributes object
  
  key string
  
  The unique identifier for the custom field. The key value must exist in the case configuration settings.
  
  type string
  
  The custom field type. It must match the type specified in the case configuration settings.
  
  Values are text or toggle.
  
  value string | null | boolean
  
  The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is undefined. The value returned in the API and user interface in this case is null.
  
  One of:
  string-1 string | null boolean-2 boolean
  
  Minimum length is 1, maximum length is 160.
- description string Required
- duration integer | null Required
  
  The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero.
- external_service object | null Required
  
  Hide external_service attributes Show external_service attributes object | null
  
  connector_id string
  
  connector_name string
  
  external_id string
  
  external_title string
  
  external_url string
  
  pushed_at string(date-time)
  
  pushed_by object | null
  
  Hide pushed_by attributes Show pushed_by attributes object | null
  
  email string | null
  
  full_name string | null
  
  profile_uid string
  
  username string | null
- id string Required
- owner string Required
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
- settings object Required
  
  An object that contains the case settings.
  
  Hide settings attribute Show settings attribute object
  
  syncAlerts boolean Required
  
  Turns alert syncing on or off.
- severity string Required
  
  The severity of the case.
  
  Values are critical, high, low, or medium. Default value is low.
- status string Required
  
  The status of the case.
  
  Values are closed, in-progress, or open.
- tags array[string] Required
- title string Required
- totalAlerts integer Required
- totalComment integer Required
- updated_at string(date-time) | null Required
- updated_by object | null Required
  
  Hide updated_by attributes Show updated_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
- version string Required
401 application/json

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
- message string
- statusCode integer

PATCH /api/cases/{caseId}/comments

curl \
 --request PATCH 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"id":"8af6ac20-74f6-11ea-b83a-553aecdb28b6","type":"user","owner":"cases","comment":"An updated comment.","version":"Wzk1LDFd"}'

Request example

{
  "id": "8af6ac20-74f6-11ea-b83a-553aecdb28b6",
  "type": "user",
  "owner": "cases",
  "comment": "An updated comment.",
  "version": "Wzk1LDFd"
}

Response examples (200)

{
  "id": "293f1bc0-74f6-11ea-b83a-553aecdb28b6",
  "tags": [
    "tag 1"
  ],
  "owner": "cases",
  "title": "Case title 1",
  "status": "open",
  "version": "WzIwNjM2LDFd",
  "category": null,
  "comments": [
    {
      "id": "8af6ac20-74f6-11ea-b83a-553aecdb28b6",
      "type": "user",
      "owner": "cases",
      "comment": "An updated comment.",
      "version": "WzIwNjM3LDFd",
      "pushed_at": null,
      "pushed_by": null,
      "created_at": "2023-10-24T00:37:10.832Z",
      "created_by": {
        "email": null,
        "username": "elastic",
        "full_name": null,
        "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
      },
      "updated_at": "2023-10-24T01:27:06.210Z",
      "updated_by": {
        "email": null,
        "username": "elastic",
        "full_name": null,
        "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
      }
    }
  ],
  "duration": null,
  "settings": {
    "syncAlerts": false
  },
  "severity": "low",
  "assignees": [],
  "closed_at": null,
  "closed_by": null,
  "connector": {
    "id": "none",
    "name": "none",
    "type": ".none",
    "fields": null
  },
  "created_at": "2023-10-24T00:37:03.906Z",
  "created_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "updated_at": "2023-10-24T01:27:06.210Z",
  "updated_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "description": "A case description.",
  "totalAlerts": 0,
  "customFields": [
    {
      "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
      "type": "text",
      "value": "My new field value"
    },
    {
      "key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
      "type": "toggle",
      "value": false
    }
  ],
  "totalComment": 1,
  "external_service": null
}

Find case comments and alerts

GET /api/cases/{caseId}/comments/_find

Api key auth Basic auth

Retrieves a paginated list of comments for a case. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases with the comments you're seeking.

Path parameters

caseId string Required

The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.

Query parameters

page integer

The page number to return.

Default value is 1.
perPage integer

The number of items to return. Limited to 100 items.

Maximum value is 100. Default value is 20.
sortOrder string

Determines the sort order.

Values are asc or desc. Default value is desc.

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- assignees array[object] | null
  
  An array containing users that are assigned to the case.
  
  Not more than 10 elements.
  
  Hide assignees attribute Show assignees attribute object
  
  uid string Required
  
  A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.
- category string | null
  
  The case category.
- closed_at string(date-time) | null Required
- closed_by object | null Required
  
  Hide closed_by attributes Show closed_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
- comments array[object] Required
  
  An array of comment objects for the case.
  
  Not more than 10000 elements.
  
  One of:
  Cases_alert_comment_response_properties object Cases_user_comment_response_properties object
  
  Hide attributes Show attributes
  
  alertId array[string]
  
  created_at string(date-time)
  
  created_by object
  
  Hide created_by attributes Show created_by attributes object
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  id string
  
  index array[string]
  
  owner string
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
  
  pushed_at string(date-time) | null
  
  pushed_by object | null
  
  Hide pushed_by attributes Show pushed_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  rule object
  
  Hide rule attributes Show rule attributes object
  
  id string
  
  The rule identifier.
  
  name string
  
  The rule name.
  
  type string Required Discriminator
  
  Value is alert.
  
  updated_at string(date-time) | null
  
  updated_by object | null
  
  Hide updated_by attributes Show updated_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  version string
  
  Hide attributes Show attributes
  
  comment string
  
  created_at string(date-time)
  
  created_by object
  
  Hide created_by attributes Show created_by attributes object
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  id string
  
  owner string
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
  
  pushed_at string(date-time) | null
  
  pushed_by object | null
  
  Hide pushed_by attributes Show pushed_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  type string Required Discriminator
  
  Value is user.
  
  updated_at string(date-time) | null
  
  updated_by object | null
  
  Hide updated_by attributes Show updated_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  version string
- connector object Required
  
  One of:
  Cases_connector_properties_none object Cases_connector_properties_cases_webhook object Cases_connector_properties_jira object Cases_connector_properties_resilient object Cases_connector_properties_servicenow object Cases_connector_properties_servicenow_sir object Cases_connector_properties_swimlane object
  
  Defines properties for connectors when type is .none.
  
  Hide attributes Show attributes
  
  fields string | null Required
  
  An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.
  
  id string Required
  
  The identifier for the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.
  
  name string Required
  
  The name of the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.
  
  type string Required Discriminator
  
  The type of connector. To create a case without a connector, use .none. To update a case to remove the connector, specify .none.
  
  Value is .none.
  
  Defines properties for connectors when type is .cases-webhook.
  
  Hide attributes Show attributes
  
  fields string | null Required
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .cases-webhook.
  
  Defines properties for connectors when type is .jira.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object
  
  issueType string | null Required
  
  The type of issue.
  
  parent string | null Required
  
  The key of the parent issue, when the issue type is sub-task.
  
  priority string | null Required
  
  The priority of the issue.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .jira.
  
  Defines properties for connectors when type is .resilient.
  
  Hide attributes Show attributes
  
  fields object | null Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object | null
  
  issueTypes array[string] Required
  
  The type of incident.
  
  severityCode string Required
  
  The severity code of the incident.
  
  id string Required
  
  The identifier for the connector.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .resilient.
  
  Defines properties for connectors when type is .servicenow.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object
  
  category string | null Required
  
  The category of the incident.
  
  impact string | null Required
  
  The effect an incident had on business.
  
  severity string | null Required
  
  The severity of the incident.
  
  subcategory string | null Required
  
  The subcategory of the incident.
  
  urgency string | null Required
  
  The extent to which the incident resolution can be delayed.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .servicenow.
  
  Defines properties for connectors when type is .servicenow-sir.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object
  
  category string | null Required
  
  The category of the incident.
  
  destIp boolean | null Required
  
  Indicates whether cases will send a comma-separated list of destination IPs.
  
  malwareHash boolean | null Required
  
  Indicates whether cases will send a comma-separated list of malware hashes.
  
  malwareUrl boolean | null Required
  
  Indicates whether cases will send a comma-separated list of malware URLs.
  
  priority string | null Required
  
  The priority of the issue.
  
  sourceIp boolean | null Required
  
  Indicates whether cases will send a comma-separated list of source IPs.
  
  subcategory string | null Required
  
  The subcategory of the incident.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .servicenow-sir.
  
  Defines properties for connectors when type is .swimlane.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attribute Show fields attribute object
  
  caseId string | null Required
  
  The case identifier for Swimlane connectors.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .swimlane.
- created_at string(date-time) Required
- created_by object Required
  
  Hide created_by attributes Show created_by attributes object
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
- customFields array[object]
  
  Custom field values for the case.
  
  Hide customFields attributes Show customFields attributes object
  
  key string
  
  The unique identifier for the custom field. The key value must exist in the case configuration settings.
  
  type string
  
  The custom field type. It must match the type specified in the case configuration settings.
  
  Values are text or toggle.
  
  value string | null | boolean
  
  The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is undefined. The value returned in the API and user interface in this case is null.
  
  One of:
  string-1 string | null boolean-2 boolean
  
  Minimum length is 1, maximum length is 160.
- description string Required
- duration integer | null Required
  
  The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero.
- external_service object | null Required
  
  Hide external_service attributes Show external_service attributes object | null
  
  connector_id string
  
  connector_name string
  
  external_id string
  
  external_title string
  
  external_url string
  
  pushed_at string(date-time)
  
  pushed_by object | null
  
  Hide pushed_by attributes Show pushed_by attributes object | null
  
  email string | null
  
  full_name string | null
  
  profile_uid string
  
  username string | null
- id string Required
- owner string Required
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
- settings object Required
  
  An object that contains the case settings.
  
  Hide settings attribute Show settings attribute object
  
  syncAlerts boolean Required
  
  Turns alert syncing on or off.
- severity string Required
  
  The severity of the case.
  
  Values are critical, high, low, or medium. Default value is low.
- status string Required
  
  The status of the case.
  
  Values are closed, in-progress, or open.
- tags array[string] Required
- title string Required
- totalAlerts integer Required
- totalComment integer Required
- updated_at string(date-time) | null Required
- updated_by object | null Required
  
  Hide updated_by attributes Show updated_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
- version string Required
401 application/json

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
- message string
- statusCode integer

GET /api/cases/{caseId}/comments/_find

curl \
 --request GET 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments/_find' \
 --header "Authorization: $API_KEY"

Get a case comment or alert

GET /api/cases/{caseId}/comments/{commentId}

Api key auth Basic auth

You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases with the comments you're seeking.

Path parameters

caseId string Required

The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.
commentId string Required

The identifier for the comment. To retrieve comment IDs, use the get case or find cases APIs.

Responses

200 application/json

Indicates a successful call.
One of:
Cases_alert_comment_response_properties object Cases_user_comment_response_properties object
Hide attributes Show attributes

alertId array[string]

created_at string(date-time)

created_by object

Hide created_by attributes Show created_by attributes object

email string | null Required

full_name string | null Required

profile_uid string

username string | null Required

id string

index array[string]

owner string

The application that owns the cases: Stack Management, Observability, or Elastic Security.

Values are cases, observability, or securitySolution.

pushed_at string(date-time) | null

pushed_by object | null

Hide pushed_by attributes Show pushed_by attributes object | null

email string | null Required

full_name string | null Required

profile_uid string

username string | null Required

rule object

Hide rule attributes Show rule attributes object

id string

The rule identifier.

name string

The rule name.

type string Required

Value is alert.

updated_at string(date-time) | null

updated_by object | null

Hide updated_by attributes Show updated_by attributes object | null

email string | null Required

full_name string | null Required

profile_uid string

username string | null Required

version string
Hide attributes Show attributes

comment string

created_at string(date-time)

created_by object

Hide created_by attributes Show created_by attributes object

email string | null Required

full_name string | null Required

profile_uid string

username string | null Required

id string

owner string

The application that owns the cases: Stack Management, Observability, or Elastic Security.

Values are cases, observability, or securitySolution.

pushed_at string(date-time) | null

pushed_by object | null

Hide pushed_by attributes Show pushed_by attributes object | null

email string | null Required

full_name string | null Required

profile_uid string

username string | null Required

type string Required

Value is user.

updated_at string(date-time) | null

updated_by object | null

Hide updated_by attributes Show updated_by attributes object | null

email string | null Required

full_name string | null Required

profile_uid string

username string | null Required

version string
401 application/json

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
- message string
- statusCode integer

GET /api/cases/{caseId}/comments/{commentId}

curl \
 --request GET 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments/71ec1870-725b-11ea-a0b2-c51ea50a58e2' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "id": "8048b460-fe2b-11ec-b15d-779a7c8bbcc3",
  "type": "user",
  "owner": "cases",
  "comment": "A new comment",
  "version": "WzIzLDFd",
  "pushed_at": null,
  "pushed_by": null,
  "created_at": "2023-10-07T19:32:13.104Z",
  "created_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "updated_at": null,
  "updated_by": null
}

Delete a case comment or alert

DELETE /api/cases/{caseId}/comments/{commentId}

Api key auth Basic auth

You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're deleting.

Headers

kbn-xsrf string Required

Cross-site request forgery protection

Path parameters

caseId string Required

The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.
commentId string Required

The identifier for the comment. To retrieve comment IDs, use the get case or find cases APIs.

Responses

204

Indicates a successful call.
401 application/json

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
- message string
- statusCode integer

DELETE /api/cases/{caseId}/comments/{commentId}

curl \
 --request DELETE 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments/71ec1870-725b-11ea-a0b2-c51ea50a58e2' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: string"

Push a case to an external service

POST /api/cases/{caseId}/connector/{connectorId}/_push

Api key auth Basic auth

You must have all privileges for the Actions and Connectors feature in the Management section of the Kibana feature privileges. You must also have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're pushing.

Headers

kbn-xsrf string Required

Cross-site request forgery protection

Path parameters

caseId string Required

The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.
connectorId string Required

An identifier for the connector. To retrieve connector IDs, use the find connectors API.

application/json

Body

object | null

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- assignees array[object] | null
  
  An array containing users that are assigned to the case.
  
  Not more than 10 elements.
  
  Hide assignees attribute Show assignees attribute object
  
  uid string Required
  
  A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.
- category string | null
  
  The case category.
- closed_at string(date-time) | null Required
- closed_by object | null Required
  
  Hide closed_by attributes Show closed_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
- comments array[object] Required
  
  An array of comment objects for the case.
  
  Not more than 10000 elements.
  
  One of:
  Cases_alert_comment_response_properties object Cases_user_comment_response_properties object
  
  Hide attributes Show attributes
  
  alertId array[string]
  
  created_at string(date-time)
  
  created_by object
  
  Hide created_by attributes Show created_by attributes object
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  id string
  
  index array[string]
  
  owner string
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
  
  pushed_at string(date-time) | null
  
  pushed_by object | null
  
  Hide pushed_by attributes Show pushed_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  rule object
  
  Hide rule attributes Show rule attributes object
  
  id string
  
  The rule identifier.
  
  name string
  
  The rule name.
  
  type string Required Discriminator
  
  Value is alert.
  
  updated_at string(date-time) | null
  
  updated_by object | null
  
  Hide updated_by attributes Show updated_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  version string
  
  Hide attributes Show attributes
  
  comment string
  
  created_at string(date-time)
  
  created_by object
  
  Hide created_by attributes Show created_by attributes object
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  id string
  
  owner string
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
  
  pushed_at string(date-time) | null
  
  pushed_by object | null
  
  Hide pushed_by attributes Show pushed_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  type string Required Discriminator
  
  Value is user.
  
  updated_at string(date-time) | null
  
  updated_by object | null
  
  Hide updated_by attributes Show updated_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  version string
- connector object Required
  
  One of:
  Cases_connector_properties_none object Cases_connector_properties_cases_webhook object Cases_connector_properties_jira object Cases_connector_properties_resilient object Cases_connector_properties_servicenow object Cases_connector_properties_servicenow_sir object Cases_connector_properties_swimlane object
  
  Defines properties for connectors when type is .none.
  
  Hide attributes Show attributes
  
  fields string | null Required
  
  An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.
  
  id string Required
  
  The identifier for the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.
  
  name string Required
  
  The name of the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.
  
  type string Required Discriminator
  
  The type of connector. To create a case without a connector, use .none. To update a case to remove the connector, specify .none.
  
  Value is .none.
  
  Defines properties for connectors when type is .cases-webhook.
  
  Hide attributes Show attributes
  
  fields string | null Required
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .cases-webhook.
  
  Defines properties for connectors when type is .jira.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object
  
  issueType string | null Required
  
  The type of issue.
  
  parent string | null Required
  
  The key of the parent issue, when the issue type is sub-task.
  
  priority string | null Required
  
  The priority of the issue.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .jira.
  
  Defines properties for connectors when type is .resilient.
  
  Hide attributes Show attributes
  
  fields object | null Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object | null
  
  issueTypes array[string] Required
  
  The type of incident.
  
  severityCode string Required
  
  The severity code of the incident.
  
  id string Required
  
  The identifier for the connector.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .resilient.
  
  Defines properties for connectors when type is .servicenow.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object
  
  category string | null Required
  
  The category of the incident.
  
  impact string | null Required
  
  The effect an incident had on business.
  
  severity string | null Required
  
  The severity of the incident.
  
  subcategory string | null Required
  
  The subcategory of the incident.
  
  urgency string | null Required
  
  The extent to which the incident resolution can be delayed.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .servicenow.
  
  Defines properties for connectors when type is .servicenow-sir.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object
  
  category string | null Required
  
  The category of the incident.
  
  destIp boolean | null Required
  
  Indicates whether cases will send a comma-separated list of destination IPs.
  
  malwareHash boolean | null Required
  
  Indicates whether cases will send a comma-separated list of malware hashes.
  
  malwareUrl boolean | null Required
  
  Indicates whether cases will send a comma-separated list of malware URLs.
  
  priority string | null Required
  
  The priority of the issue.
  
  sourceIp boolean | null Required
  
  Indicates whether cases will send a comma-separated list of source IPs.
  
  subcategory string | null Required
  
  The subcategory of the incident.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .servicenow-sir.
  
  Defines properties for connectors when type is .swimlane.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attribute Show fields attribute object
  
  caseId string | null Required
  
  The case identifier for Swimlane connectors.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .swimlane.
- created_at string(date-time) Required
- created_by object Required
  
  Hide created_by attributes Show created_by attributes object
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
- customFields array[object]
  
  Custom field values for the case.
  
  Hide customFields attributes Show customFields attributes object
  
  key string
  
  The unique identifier for the custom field. The key value must exist in the case configuration settings.
  
  type string
  
  The custom field type. It must match the type specified in the case configuration settings.
  
  Values are text or toggle.
  
  value string | null | boolean
  
  The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is undefined. The value returned in the API and user interface in this case is null.
  
  One of:
  string-1 string | null boolean-2 boolean
  
  Minimum length is 1, maximum length is 160.
- description string Required
- duration integer | null Required
  
  The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero.
- external_service object | null Required
  
  Hide external_service attributes Show external_service attributes object | null
  
  connector_id string
  
  connector_name string
  
  external_id string
  
  external_title string
  
  external_url string
  
  pushed_at string(date-time)
  
  pushed_by object | null
  
  Hide pushed_by attributes Show pushed_by attributes object | null
  
  email string | null
  
  full_name string | null
  
  profile_uid string
  
  username string | null
- id string Required
- owner string Required
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
- settings object Required
  
  An object that contains the case settings.
  
  Hide settings attribute Show settings attribute object
  
  syncAlerts boolean Required
  
  Turns alert syncing on or off.
- severity string Required
  
  The severity of the case.
  
  Values are critical, high, low, or medium. Default value is low.
- status string Required
  
  The status of the case.
  
  Values are closed, in-progress, or open.
- tags array[string] Required
- title string Required
- totalAlerts integer Required
- totalComment integer Required
- updated_at string(date-time) | null Required
- updated_by object | null Required
  
  Hide updated_by attributes Show updated_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
- version string Required
401 application/json

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
- message string
- statusCode integer

POST /api/cases/{caseId}/connector/{connectorId}/_push

curl \
 --request POST 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/connector/abed3a70-71bd-11ea-a0b2-c51ea50a58e2/_push' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string"

Response examples (200)

{
  "id": "b917f300-0ed9-11ed-bd18-65557fe66949",
  "tags": [
    "tag 1"
  ],
  "owner": "cases",
  "title": "Case title 1",
  "status": "open",
  "version": "WzE3NjgsM10=",
  "comments": [],
  "duration": null,
  "settings": {
    "syncAlerts": true
  },
  "severity": "low",
  "closed_at": null,
  "closed_by": null,
  "connector": {
    "id": "09f8c0b0-0eda-11ed-bd18-65557fe66949",
    "name": "My connector",
    "type": ".jira",
    "fields": {
      "parent": null,
      "priority": "Low",
      "issueType": "10006"
    }
  },
  "created_at": "2022-07-29T00:59:39.444Z",
  "created_by": {
    "email": null,
    "username": "elastic",
    "full_name": null
  },
  "updated_at": "2022-07-29T01:20:58.436Z",
  "updated_by": {
    "email": null,
    "username": "elastic",
    "full_name": null
  },
  "description": "A case description.",
  "totalAlerts": 0,
  "totalComment": 0,
  "external_service": {
    "pushed_at": "2022-07-29T01:20:58.436Z",
    "pushed_by": {
      "email": null,
      "username": "elastic",
      "full_name": null
    },
    "external_id": "71926",
    "connector_id": "09f8c0b0-0eda-11ed-bd18-65557fe66949",
    "external_url": "https://cases.jira.com",
    "connector_name": "My connector",
    "external_title": "ES-554"
  }
}

Attach a file to a case

POST /api/cases/{caseId}/files

Api key auth Basic auth

Attach a file to a case. You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're updating. The request must include:

The Content-Type: multipart/form-data HTTP header.
The location of the file that is being uploaded.

Headers

kbn-xsrf string Required

Cross-site request forgery protection

Path parameters

caseId string Required

The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.

multipart/form-data

Body Required

file string(binary) Required

The file being attached to the case.
filename string

The desired name of the file being attached to the case, it can be different than the name of the file in the filesystem. This should not include the file extension.

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- assignees array[object] | null
  
  An array containing users that are assigned to the case.
  
  Not more than 10 elements.
  
  Hide assignees attribute Show assignees attribute object
  
  uid string Required
  
  A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.
- category string | null
  
  The case category.
- closed_at string(date-time) | null Required
- closed_by object | null Required
  
  Hide closed_by attributes Show closed_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
- comments array[object] Required
  
  An array of comment objects for the case.
  
  Not more than 10000 elements.
  
  One of:
  Cases_alert_comment_response_properties object Cases_user_comment_response_properties object
  
  Hide attributes Show attributes
  
  alertId array[string]
  
  created_at string(date-time)
  
  created_by object
  
  Hide created_by attributes Show created_by attributes object
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  id string
  
  index array[string]
  
  owner string
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
  
  pushed_at string(date-time) | null
  
  pushed_by object | null
  
  Hide pushed_by attributes Show pushed_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  rule object
  
  Hide rule attributes Show rule attributes object
  
  id string
  
  The rule identifier.
  
  name string
  
  The rule name.
  
  type string Required Discriminator
  
  Value is alert.
  
  updated_at string(date-time) | null
  
  updated_by object | null
  
  Hide updated_by attributes Show updated_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  version string
  
  Hide attributes Show attributes
  
  comment string
  
  created_at string(date-time)
  
  created_by object
  
  Hide created_by attributes Show created_by attributes object
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  id string
  
  owner string
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
  
  pushed_at string(date-time) | null
  
  pushed_by object | null
  
  Hide pushed_by attributes Show pushed_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  type string Required Discriminator
  
  Value is user.
  
  updated_at string(date-time) | null
  
  updated_by object | null
  
  Hide updated_by attributes Show updated_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  version string
- connector object Required
  
  One of:
  Cases_connector_properties_none object Cases_connector_properties_cases_webhook object Cases_connector_properties_jira object Cases_connector_properties_resilient object Cases_connector_properties_servicenow object Cases_connector_properties_servicenow_sir object Cases_connector_properties_swimlane object
  
  Defines properties for connectors when type is .none.
  
  Hide attributes Show attributes
  
  fields string | null Required
  
  An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.
  
  id string Required
  
  The identifier for the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.
  
  name string Required
  
  The name of the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.
  
  type string Required Discriminator
  
  The type of connector. To create a case without a connector, use .none. To update a case to remove the connector, specify .none.
  
  Value is .none.
  
  Defines properties for connectors when type is .cases-webhook.
  
  Hide attributes Show attributes
  
  fields string | null Required
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .cases-webhook.
  
  Defines properties for connectors when type is .jira.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object
  
  issueType string | null Required
  
  The type of issue.
  
  parent string | null Required
  
  The key of the parent issue, when the issue type is sub-task.
  
  priority string | null Required
  
  The priority of the issue.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .jira.
  
  Defines properties for connectors when type is .resilient.
  
  Hide attributes Show attributes
  
  fields object | null Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object | null
  
  issueTypes array[string] Required
  
  The type of incident.
  
  severityCode string Required
  
  The severity code of the incident.
  
  id string Required
  
  The identifier for the connector.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .resilient.
  
  Defines properties for connectors when type is .servicenow.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object
  
  category string | null Required
  
  The category of the incident.
  
  impact string | null Required
  
  The effect an incident had on business.
  
  severity string | null Required
  
  The severity of the incident.
  
  subcategory string | null Required
  
  The subcategory of the incident.
  
  urgency string | null Required
  
  The extent to which the incident resolution can be delayed.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .servicenow.
  
  Defines properties for connectors when type is .servicenow-sir.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object
  
  category string | null Required
  
  The category of the incident.
  
  destIp boolean | null Required
  
  Indicates whether cases will send a comma-separated list of destination IPs.
  
  malwareHash boolean | null Required
  
  Indicates whether cases will send a comma-separated list of malware hashes.
  
  malwareUrl boolean | null Required
  
  Indicates whether cases will send a comma-separated list of malware URLs.
  
  priority string | null Required
  
  The priority of the issue.
  
  sourceIp boolean | null Required
  
  Indicates whether cases will send a comma-separated list of source IPs.
  
  subcategory string | null Required
  
  The subcategory of the incident.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .servicenow-sir.
  
  Defines properties for connectors when type is .swimlane.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attribute Show fields attribute object
  
  caseId string | null Required
  
  The case identifier for Swimlane connectors.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .swimlane.
- created_at string(date-time) Required
- created_by object Required
  
  Hide created_by attributes Show created_by attributes object
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
- customFields array[object]
  
  Custom field values for the case.
  
  Hide customFields attributes Show customFields attributes object
  
  key string
  
  The unique identifier for the custom field. The key value must exist in the case configuration settings.
  
  type string
  
  The custom field type. It must match the type specified in the case configuration settings.
  
  Values are text or toggle.
  
  value string | null | boolean
  
  The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is undefined. The value returned in the API and user interface in this case is null.
  
  One of:
  string-1 string | null boolean-2 boolean
  
  Minimum length is 1, maximum length is 160.
- description string Required
- duration integer | null Required
  
  The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero.
- external_service object | null Required
  
  Hide external_service attributes Show external_service attributes object | null
  
  connector_id string
  
  connector_name string
  
  external_id string
  
  external_title string
  
  external_url string
  
  pushed_at string(date-time)
  
  pushed_by object | null
  
  Hide pushed_by attributes Show pushed_by attributes object | null
  
  email string | null
  
  full_name string | null
  
  profile_uid string
  
  username string | null
- id string Required
- owner string Required
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
- settings object Required
  
  An object that contains the case settings.
  
  Hide settings attribute Show settings attribute object
  
  syncAlerts boolean Required
  
  Turns alert syncing on or off.
- severity string Required
  
  The severity of the case.
  
  Values are critical, high, low, or medium. Default value is low.
- status string Required
  
  The status of the case.
  
  Values are closed, in-progress, or open.
- tags array[string] Required
- title string Required
- totalAlerts integer Required
- totalComment integer Required
- updated_at string(date-time) | null Required
- updated_by object | null Required
  
  Hide updated_by attributes Show updated_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
- version string Required
401 application/json

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
- message string
- statusCode integer

POST /api/cases/{caseId}/files

curl \
 --request POST 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/files' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: multipart/form-data" \
 --header "kbn-xsrf: string" \
 --form "file=@file" \
 --form "filename=string"

Response examples (200)

{
  "id": "293f1bc0-74f6-11ea-b83a-553aecdb28b6",
  "tags": [
    "tag 1"
  ],
  "owner": "cases",
  "title": "Case title 1",
  "status": "open",
  "version": "WzIzMzgsMV0=",
  "category": null,
  "comments": [
    {
      "id": "8af6ac20-74f6-11ea-b83a-553aecdb28b6",
      "type": "user",
      "owner": "cases",
      "comment": "A new comment.",
      "version": "WzIwNDMxLDFd",
      "created_at": "2022-10-02T00:49:47.716Z",
      "created_by": {
        "email": null,
        "username": "elastic",
        "full_name": null
      }
    }
  ],
  "duration": null,
  "settings": {
    "syncAlerts": false
  },
  "severity": "low",
  "assignees": [],
  "closed_at": null,
  "closed_by": null,
  "connector": {
    "id": "none",
    "name": "none",
    "type": ".none",
    "fields": null
  },
  "created_at": "2022-03-24T00:37:03.906Z",
  "created_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "updated_at": "2022-06-03T00:49:47.716Z",
  "updated_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "description": "A case description.",
  "totalAlerts": 0,
  "customFields": [
    {
      "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
      "type": "text",
      "value": "Field value"
    },
    {
      "key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
      "type": "toggle",
      "value": true
    }
  ],
  "totalComment": 1,
  "external_service": null
}

Get case activity Deprecated

GET /api/cases/{caseId}/user_actions

Api key auth Basic auth

Returns all user activity for a case. Deprecated in 8.1.0. This API is deprecated and will be removed in a future release; use the find user actions API instead. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're seeking.

Path parameters

caseId string Required

The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- action string Required
  
  Values are add, create, delete, push_to_service, or update.
- action_id string Required
- case_id string Required
- comment_id string | null Required
- created_at string(date-time) Required
- created_by object Required
  
  Hide created_by attributes Show created_by attributes object
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
- owner string Required
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
- payload object | null Required
  
  One of:
  Cases_payload_alert_comment object Cases_payload_assignees object Cases_payload_connector object Cases_payload_create_case object Cases_payload_delete object | null Cases_payload_description object Cases_payload_pushed object Cases_payload_settings object Cases_payload_severity object Cases_payload_status object Cases_payload_tags object Cases_payload_title object Cases_payload_user_comment object
  
  Hide attribute Show attribute
  
  comment object
  
  Hide comment attributes Show comment attributes object
  
  alertId string | array[string]
  
  One of:
  string-1 string array-2 array[string]
  
  index string | array[string]
  
  One of:
  string-1 string array-2 array[string]
  
  owner string
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
  
  rule object
  
  Hide rule attributes Show rule attributes object
  
  id string
  
  The rule identifier.
  
  name string
  
  The rule name.
  
  type string
  
  Value is alert.
  
  Hide attribute Show attribute
  
  assignees array[object] | null
  
  An array containing users that are assigned to the case.
  
  Not more than 10 elements.
  
  Hide assignees attribute Show assignees attribute object
  
  uid string Required
  
  A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.
  
  Hide attribute Show attribute
  
  connector object
  
  Hide connector attributes Show connector attributes object
  
  fields object | null
  
  An object containing the connector fields. To create a case without a connector, specify null. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object | null
  
  caseId string
  
  The case identifier for Swimlane connectors.
  
  category string
  
  The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.
  
  destIp boolean | null
  
  Indicates whether cases will send a comma-separated list of destination IPs for ServiceNow SecOps connectors.
  
  impact string
  
  The effect an incident had on business for ServiceNow ITSM connectors.
  
  issueType string
  
  The type of issue for Jira connectors.
  
  issueTypes array[string]
  
  The type of incident for IBM Resilient connectors.
  
  malwareHash boolean | null
  
  Indicates whether cases will send a comma-separated list of malware hashes for ServiceNow SecOps connectors.
  
  malwareUrl boolean | null
  
  Indicates whether cases will send a comma-separated list of malware URLs for ServiceNow SecOps connectors.
  
  parent string
  
  The key of the parent issue, when the issue type is sub-task for Jira connectors.
  
  priority string
  
  The priority of the issue for Jira and ServiceNow SecOps connectors.
  
  severity string
  
  The severity of the incident for ServiceNow ITSM connectors.
  
  severityCode string
  
  The severity code of the incident for IBM Resilient connectors.
  
  sourceIp boolean | null
  
  Indicates whether cases will send a comma-separated list of source IPs for ServiceNow SecOps connectors.
  
  subcategory string
  
  The subcategory of the incident for ServiceNow ITSM connectors.
  
  urgency string
  
  The extent to which the incident resolution can be delayed for ServiceNow ITSM connectors.
  
  id string
  
  The identifier for the connector. To create a case without a connector, use none.
  
  name string
  
  The name of the connector. To create a case without a connector, use none.
  
  type string
  
  The type of connector.
  
  Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.
  
  Hide attributes Show attributes
  
  assignees array[object] | null
  
  An array containing users that are assigned to the case.
  
  Not more than 10 elements.
  
  Hide assignees attribute Show assignees attribute object
  
  uid string Required
  
  A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.
  
  connector object
  
  Hide connector attributes Show connector attributes object
  
  fields object | null
  
  An object containing the connector fields. To create a case without a connector, specify null. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object | null
  
  caseId string
  
  The case identifier for Swimlane connectors.
  
  category string
  
  The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.
  
  destIp boolean | null
  
  Indicates whether cases will send a comma-separated list of destination IPs for ServiceNow SecOps connectors.
  
  impact string
  
  The effect an incident had on business for ServiceNow ITSM connectors.
  
  issueType string
  
  The type of issue for Jira connectors.
  
  issueTypes array[string]
  
  The type of incident for IBM Resilient connectors.
  
  malwareHash boolean | null
  
  Indicates whether cases will send a comma-separated list of malware hashes for ServiceNow SecOps connectors.
  
  malwareUrl boolean | null
  
  Indicates whether cases will send a comma-separated list of malware URLs for ServiceNow SecOps connectors.
  
  parent string
  
  The key of the parent issue, when the issue type is sub-task for Jira connectors.
  
  priority string
  
  The priority of the issue for Jira and ServiceNow SecOps connectors.
  
  severity string
  
  The severity of the incident for ServiceNow ITSM connectors.
  
  severityCode string
  
  The severity code of the incident for IBM Resilient connectors.
  
  sourceIp boolean | null
  
  Indicates whether cases will send a comma-separated list of source IPs for ServiceNow SecOps connectors.
  
  subcategory string
  
  The subcategory of the incident for ServiceNow ITSM connectors.
  
  urgency string
  
  The extent to which the incident resolution can be delayed for ServiceNow ITSM connectors.
  
  id string
  
  The identifier for the connector. To create a case without a connector, use none.
  
  name string
  
  The name of the connector. To create a case without a connector, use none.
  
  type string
  
  The type of connector.
  
  Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.
  
  description string
  
  owner string
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
  
  settings object
  
  An object that contains the case settings.
  
  Hide settings attribute Show settings attribute object
  
  syncAlerts boolean Required
  
  Turns alert syncing on or off.
  
  severity string
  
  The severity of the case.
  
  Values are critical, high, low, or medium. Default value is low.
  
  status string
  
  The status of the case.
  
  Values are closed, in-progress, or open.
  
  tags array[string]
  
  title string
  
  Hide attribute Show attribute
  
  externalService object | null
  
  Hide externalService attributes Show externalService attributes object | null
  
  connector_id string
  
  connector_name string
  
  external_id string
  
  external_title string
  
  external_url string
  
  pushed_at string(date-time)
  
  pushed_by object | null
  
  Hide pushed_by attributes Show pushed_by attributes object | null
  
  email string | null
  
  full_name string | null
  
  profile_uid string
  
  username string | null
  
  Hide attribute Show attribute
  
  settings object
  
  An object that contains the case settings.
  
  Hide settings attribute Show settings attribute object
  
  syncAlerts boolean Required
  
  Turns alert syncing on or off.
  
  Hide attribute Show attribute
  
  comment object
  
  Hide comment attributes Show comment attributes object
  
  comment string
  
  owner string
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
  
  type string
  
  Value is user.
- type string Required
  
  The type of action.
  
  Values are assignees, create_case, comment, connector, delete_case, description, pushed, tags, title, status, settings, or severity.
401 application/json

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
- message string
- statusCode integer

GET /api/cases/{caseId}/user_actions

curl \
 --request GET 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/user_actions' \
 --header "Authorization: $API_KEY"

Find case activity

GET /api/cases/{caseId}/user_actions/_find

Api key auth Basic auth

Retrives a paginated list of user activity for a case. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're seeking.

Path parameters

caseId string Required

The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.

Query parameters

page integer

The page number to return.

Default value is 1.
perPage integer

The number of items to return. Limited to 100 items.

Maximum value is 100. Default value is 20.
sortOrder string

Determines the sort order.

Values are asc or desc. Default value is desc.
types array[string]

Determines the types of user actions to return.

Values are action, alert, assignees, attachment, comment, connector, create_case, description, pushed, settings, severity, status, tags, title, or user.

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- page integer
- perPage integer
- total integer
- userActions array[object]
  
  Not more than 10000 elements.
  
  Hide userActions attributes Show userActions attributes object
  
  action string Required
  
  Values are add, create, delete, push_to_service, or update.
  
  comment_id string | null Required
  
  created_at string(date-time) Required
  
  created_by object Required
  
  Hide created_by attributes Show created_by attributes object
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  id string Required
  
  owner string Required
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
  
  payload object | null Required
  
  One of:
  Cases_payload_alert_comment object Cases_payload_assignees object Cases_payload_connector object Cases_payload_create_case object Cases_payload_delete object | null Cases_payload_description object Cases_payload_pushed object Cases_payload_settings object Cases_payload_severity object Cases_payload_status object Cases_payload_tags object Cases_payload_title object Cases_payload_user_comment object
  
  Hide attribute Show attribute
  
  comment object
  
  Hide comment attributes Show comment attributes object
  
  alertId string | array[string]
  
  One of:
  string-1 string array-2 array[string]
  
  index string | array[string]
  
  One of:
  string-1 string array-2 array[string]
  
  owner string
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
  
  rule object
  
  Hide rule attributes Show rule attributes object
  
  id string
  
  The rule identifier.
  
  name string
  
  The rule name.
  
  type string
  
  Value is alert.
  
  Hide attribute Show attribute
  
  assignees array[object] | null
  
  An array containing users that are assigned to the case.
  
  Not more than 10 elements.
  
  Hide assignees attribute Show assignees attribute object
  
  uid string Required
  
  A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.
  
  Hide attribute Show attribute
  
  connector object
  
  Hide connector attributes Show connector attributes object
  
  fields object | null
  
  An object containing the connector fields. To create a case without a connector, specify null. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object | null
  
  caseId string
  
  The case identifier for Swimlane connectors.
  
  category string
  
  The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.
  
  destIp boolean | null
  
  Indicates whether cases will send a comma-separated list of destination IPs for ServiceNow SecOps connectors.
  
  impact string
  
  The effect an incident had on business for ServiceNow ITSM connectors.
  
  issueType string
  
  The type of issue for Jira connectors.
  
  issueTypes array[string]
  
  The type of incident for IBM Resilient connectors.
  
  malwareHash boolean | null
  
  Indicates whether cases will send a comma-separated list of malware hashes for ServiceNow SecOps connectors.
  
  malwareUrl boolean | null
  
  Indicates whether cases will send a comma-separated list of malware URLs for ServiceNow SecOps connectors.
  
  parent string
  
  The key of the parent issue, when the issue type is sub-task for Jira connectors.
  
  priority string
  
  The priority of the issue for Jira and ServiceNow SecOps connectors.
  
  severity string
  
  The severity of the incident for ServiceNow ITSM connectors.
  
  severityCode string
  
  The severity code of the incident for IBM Resilient connectors.
  
  sourceIp boolean | null
  
  Indicates whether cases will send a comma-separated list of source IPs for ServiceNow SecOps connectors.
  
  subcategory string
  
  The subcategory of the incident for ServiceNow ITSM connectors.
  
  urgency string
  
  The extent to which the incident resolution can be delayed for ServiceNow ITSM connectors.
  
  id string
  
  The identifier for the connector. To create a case without a connector, use none.
  
  name string
  
  The name of the connector. To create a case without a connector, use none.
  
  type string
  
  The type of connector.
  
  Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.
  
  Hide attributes Show attributes
  
  assignees array[object] | null
  
  An array containing users that are assigned to the case.
  
  Not more than 10 elements.
  
  Hide assignees attribute Show assignees attribute object
  
  uid string Required
  
  A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.
  
  connector object
  
  Hide connector attributes Show connector attributes object
  
  fields object | null
  
  An object containing the connector fields. To create a case without a connector, specify null. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object | null
  
  caseId string
  
  The case identifier for Swimlane connectors.
  
  category string
  
  The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.
  
  destIp boolean | null
  
  Indicates whether cases will send a comma-separated list of destination IPs for ServiceNow SecOps connectors.
  
  impact string
  
  The effect an incident had on business for ServiceNow ITSM connectors.
  
  issueType string
  
  The type of issue for Jira connectors.
  
  issueTypes array[string]
  
  The type of incident for IBM Resilient connectors.
  
  malwareHash boolean | null
  
  Indicates whether cases will send a comma-separated list of malware hashes for ServiceNow SecOps connectors.
  
  malwareUrl boolean | null
  
  Indicates whether cases will send a comma-separated list of malware URLs for ServiceNow SecOps connectors.
  
  parent string
  
  The key of the parent issue, when the issue type is sub-task for Jira connectors.
  
  priority string
  
  The priority of the issue for Jira and ServiceNow SecOps connectors.
  
  severity string
  
  The severity of the incident for ServiceNow ITSM connectors.
  
  severityCode string
  
  The severity code of the incident for IBM Resilient connectors.
  
  sourceIp boolean | null
  
  Indicates whether cases will send a comma-separated list of source IPs for ServiceNow SecOps connectors.
  
  subcategory string
  
  The subcategory of the incident for ServiceNow ITSM connectors.
  
  urgency string
  
  The extent to which the incident resolution can be delayed for ServiceNow ITSM connectors.
  
  id string
  
  The identifier for the connector. To create a case without a connector, use none.
  
  name string
  
  The name of the connector. To create a case without a connector, use none.
  
  type string
  
  The type of connector.
  
  Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.
  
  description string
  
  owner string
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
  
  settings object
  
  An object that contains the case settings.
  
  Hide settings attribute Show settings attribute object
  
  syncAlerts boolean Required
  
  Turns alert syncing on or off.
  
  severity string
  
  The severity of the case.
  
  Values are critical, high, low, or medium. Default value is low.
  
  status string
  
  The status of the case.
  
  Values are closed, in-progress, or open.
  
  tags array[string]
  
  title string
  
  Hide attribute Show attribute
  
  externalService object | null
  
  Hide externalService attributes Show externalService attributes object | null
  
  connector_id string
  
  connector_name string
  
  external_id string
  
  external_title string
  
  external_url string
  
  pushed_at string(date-time)
  
  pushed_by object | null
  
  Hide pushed_by attributes Show pushed_by attributes object | null
  
  email string | null
  
  full_name string | null
  
  profile_uid string
  
  username string | null
  
  Hide attribute Show attribute
  
  settings object
  
  An object that contains the case settings.
  
  Hide settings attribute Show settings attribute object
  
  syncAlerts boolean Required
  
  Turns alert syncing on or off.
  
  Hide attribute Show attribute
  
  comment object
  
  Hide comment attributes Show comment attributes object
  
  comment string
  
  owner string
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
  
  type string
  
  Value is user.
  
  type string Required
  
  The type of action.
  
  Values are assignees, create_case, comment, connector, description, pushed, tags, title, status, settings, or severity.
  
  version string Required
401 application/json

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
- message string
- statusCode integer

GET /api/cases/{caseId}/user_actions/_find

curl \
 --request GET 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/user_actions/_find' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "page": 1,
  "total": 3,
  "perPage": 20,
  "userActions": [
    {
      "id": "b4cd0770-07c9-11ed-a5fd-47154cb8767e",
      "type": "create_case",
      "owner": "cases",
      "action": "create",
      "payload": {
        "tags": [
          "tag 1"
        ],
        "owner": "cases",
        "title": "Case title 1",
        "status": "open",
        "category": null,
        "settings": {
          "syncAlerts": false
        },
        "severity": "low",
        "assignees": [],
        "connector": {
          "id": "none",
          "name": "none",
          "type": ".none",
          "fields": null
        },
        "description": "A case description.",
        "customFields": [
          {
            "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
            "type": "text",
            "value": "My field value"
          },
          {
            "key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
            "type": "toggle",
            "value": null
          }
        ]
      },
      "version": "WzM1ODg4LDFd",
      "comment_id": null,
      "created_at": "2023-10-20T01:17:22.150Z",
      "created_by": {
        "email": null,
        "username": "elastic",
        "full_name": null,
        "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
      }
    },
    {
      "id": "57af14a0-03b1-11ed-920c-974bfa104448",
      "type": "comment",
      "owner": "cases",
      "action": "create",
      "payload": {
        "type": "user",
        "owner": "cases",
        "comment": "A new comment"
      },
      "version": "WzM1ODg4LDFa",
      "comment_id": "578608d0-03b1-11ed-920c-974bfa104448",
      "created_at": "2023-10-14T20:12:53.354Z",
      "created_by": {
        "email": null,
        "username": "elastic",
        "full_name": null,
        "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
      }
    },
    {
      "id": "573c6980-6123-11ed-aa41-81a0a61fe447",
      "type": "assignees",
      "owner": "cases",
      "action": "add",
      "payload": {
        "assignees": {
          "uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
        }
      },
      "version": "WzM1ODg4LDFb",
      "comment_id": null,
      "created_at": "2023-10-20T01:10:28.238Z",
      "created_by": {
        "email": null,
        "username": "elastic",
        "full_name": null,
        "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
      }
    }
  ]
}

Get cases for an alert Technical preview

GET /api/cases/alerts/{alertId}

Api key auth Basic auth

You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.

Path parameters

alertId string Required

An identifier for the alert.

Query parameters

owner string | array[string]

A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read.

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- id string
  
  The case identifier.
- title string
  
  The case title.
401 application/json

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
- message string
- statusCode integer

GET /api/cases/alerts/{alertId}

curl \
 --request GET 'https://localhost:5601/api/cases/alerts/09f0c261e39e36351d75995b78bb83673774d1bc2cca9df2d15f0e5c0a99a540' \
 --header "Authorization: $API_KEY"

Response examples (200)

[
  {
    "id": "06116b80-e1c3-11ec-be9b-9b1838238ee6",
    "title": "security_case"
  }
]

Get case settings

GET /api/cases/configure

Api key auth Basic auth

Get setting details such as the closure type, custom fields, templatse, and the default connector for cases. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on where the cases were created.

Query parameters

owner string | array[string]

A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read.

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- closure_type string
  
  Indicates whether a case is automatically closed when it is pushed to external systems (close-by-pushing) or not automatically closed (close-by-user).
  
  Values are close-by-pushing or close-by-user.
- connector object
  
  Hide connector attributes Show connector attributes object
  
  fields object | null
  
  The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to null.
  
  id string
  
  The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.
  
  name string
  
  The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.
  
  type string
  
  The type of connector.
  
  Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.
- created_at string(date-time)
- created_by object
  
  Hide created_by attributes Show created_by attributes object
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
- customFields array[object]
  
  Custom fields configuration details.
  
  Hide customFields attributes Show customFields attributes object
  
  defaultValue string | boolean
  
  A default value for the custom field. If the type is text, the default value must be a string. If the type is toggle, the default value must be boolean.
  
  One of:
  string-1 string boolean-2 boolean
  
  key string
  
  A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field.
  
  Minimum length is 1, maximum length is 36.
  
  label string
  
  The custom field label that is displayed in the case.
  
  Minimum length is 1, maximum length is 50.
  
  type string
  
  The type of the custom field.
  
  Values are text or toggle.
  
  required boolean
  
  Indicates whether the field is required. If false, the custom field can be set to null or omitted when a case is created or updated.
- error string | null
- id string
- mappings array[object]
  
  Hide mappings attributes Show mappings attributes object
  
  action_type string
  
  source string
  
  target string
- owner string
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
- templates array[object] Technical preview
  
  Hide templates attributes Show templates attributes object
  
  caseFields object
  
  Hide caseFields attributes Show caseFields attributes object
  
  assignees array[object] | null
  
  An array containing users that are assigned to the case.
  
  Not more than 10 elements.
  
  Hide assignees attribute Show assignees attribute object
  
  uid string Required
  
  A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.
  
  category string
  
  A word or phrase that categorizes the case.
  
  Maximum length is 50.
  
  connector object
  
  Hide connector attributes Show connector attributes object
  
  fields object | null
  
  The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to null.
  
  id string
  
  The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.
  
  name string
  
  The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.
  
  type string
  
  The type of connector.
  
  Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.
  
  customFields array[object] Technical preview
  
  Custom field values in the template.
  
  Hide customFields attributes Show customFields attributes object
  
  key string
  
  The unique key for the custom field.
  
  type string
  
  The type of the custom field.
  
  Values are text or toggle.
  
  value string | boolean
  
  The default value for the custom field when a case uses the template. If the type is text, the default value must be a string. If the type is toggle, the default value must be boolean.
  
  One of:
  string-1 string boolean-2 boolean
  
  description string
  
  The description for the case.
  
  Maximum length is 30000.
  
  settings object
  
  An object that contains the case settings.
  
  Hide settings attribute Show settings attribute object
  
  syncAlerts boolean Required
  
  Turns alert syncing on or off.
  
  severity string
  
  The severity of the case.
  
  Values are critical, high, low, or medium. Default value is low.
  
  tags array[string]
  
  The words and phrases that help categorize cases. It can be an empty array.
  
  Not more than 200 elements. Maximum length of each is 256.
  
  title string
  
  A title for the case.
  
  Maximum length is 160.
  
  description string
  
  A description for the template.
  
  key string
  
  A unique key for the template. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific template.
  
  name string
  
  The name of the template.
  
  tags array[string]
  
  The words and phrases that help categorize templates. It can be an empty array.
  
  Not more than 200 elements. Maximum length of each is 256.
- updated_at string(date-time) | null
- updated_by object | null
  
  Hide updated_by attributes Show updated_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
- version string
401 application/json

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
- message string
- statusCode integer

GET /api/cases/configure

curl \
 --request GET 'https://localhost:5601/api/cases/configure' \
 --header "Authorization: $API_KEY"

Response examples (200)

[
  {
    "id": "856ee650-6c82-11ee-a20a-6164169afa58",
    "error": null,
    "owner": "cases",
    "version": "WzEyLDNd",
    "mappings": [],
    "connector": {
      "id": "none",
      "name": "none",
      "type": ".none",
      "fields": null
    },
    "templates": [
      {
        "key": "505932fe-ee3a-4960-a661-c781b5acdb05",
        "name": "template-1",
        "tags": [
          "Template tag 1"
        ],
        "caseFields": {
          "tags": [
            "Default case tag"
          ],
          "title": "Default case title",
          "category": "Default-category",
          "settings": {
            "syncAlerts": false
          },
          "assignees": [
            {
              "uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
            }
          ],
          "connector": {
            "id": "none",
            "name": "none",
            "type": ".none",
            "fields": null
          },
          "description": "A default description for cases.",
          "customFields": [
            {
              "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
              "type": "text",
              "value": "Default text field value."
            }
          ]
        },
        "description": "A description of the template."
      }
    ],
    "created_at": "2024-07-01T17:07:17.767Z",
    "created_by": {
      "email": null,
      "username": "elastic",
      "full_name": null
    },
    "updated_at": null,
    "updated_by": null,
    "closure_type": "close-by-user",
    "customFields": [
      {
        "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
        "type": "text",
        "label": "my-text-field",
        "required": false,
        "defaultValue": "Custom text field value."
      }
    ]
  }
]

Add case settings

POST /api/cases/configure

Api key auth Basic auth

Case settings include external connection details, custom fields, and templates. Connectors are used to interface with external systems. You must create a connector before you can use it in your cases. If you set a default connector, it is automatically selected when you create cases in Kibana. If you use the create case API, however, you must still specify all of the connector details. You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on where you are creating cases.

Headers

kbn-xsrf string Required

Cross-site request forgery protection

application/json

Body

closure_type string Required

Indicates whether a case is automatically closed when it is pushed to external systems (close-by-pushing) or not automatically closed (close-by-user).

Values are close-by-pushing or close-by-user.
connector object Required

An object that contains the connector configuration.
Hide connector attributes Show connector attributes object
- fields object | null Required
  
  The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to null.
- id string Required
  
  The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.
- name string Required
  
  The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.
- type string Required
  
  The type of connector.
  
  Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.
customFields array[object]

Custom fields case configuration.

At least 0 but not more than 10 elements.
Hide customFields attributes Show customFields attributes object
- defaultValue string | boolean
  
  A default value for the custom field. If the type is text, the default value must be a string. If the type is toggle, the default value must be boolean.
  
  One of:
  string-1 string boolean-2 boolean
- key string Required
  
  A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field.
  
  Minimum length is 1, maximum length is 36.
- label string Required
  
  The custom field label that is displayed in the case.
  
  Minimum length is 1, maximum length is 50.
- type string Required
  
  The type of the custom field.
  
  Values are text or toggle.
- required boolean Required
  
  Indicates whether the field is required. If false, the custom field can be set to null or omitted when a case is created or updated.
owner string Required

The application that owns the cases: Stack Management, Observability, or Elastic Security.

Values are cases, observability, or securitySolution.
templates array[object] Technical preview
Hide templates attributes Show templates attributes object
- caseFields object
  Hide caseFields attributes Show caseFields attributes object
  
  assignees array[object] | null
  
  An array containing users that are assigned to the case.
  
  Not more than 10 elements.
  
  Hide assignees attribute Show assignees attribute object
  
  uid string Required
  
  A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.
  
  category string
  
  A word or phrase that categorizes the case.
  
  Maximum length is 50.
  
  connector object
  
  Hide connector attributes Show connector attributes object
  
  fields object | null
  
  The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to null.
  
  id string
  
  The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.
  
  name string
  
  The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.
  
  type string
  
  The type of connector.
  
  Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.
  
  customFields array[object] Technical preview
  
  Custom field values in the template.
  
  Hide customFields attributes Show customFields attributes object
  
  key string
  
  The unique key for the custom field.
  
  type string
  
  The type of the custom field.
  
  Values are text or toggle.
  
  value string | boolean
  
  The default value for the custom field when a case uses the template. If the type is text, the default value must be a string. If the type is toggle, the default value must be boolean.
  
  One of:
  string-1 string boolean-2 boolean
  
  description string
  
  The description for the case.
  
  Maximum length is 30000.
  
  settings object
  
  An object that contains the case settings.
  
  Hide settings attribute Show settings attribute object
  
  syncAlerts boolean Required
  
  Turns alert syncing on or off.
  
  severity string
  
  The severity of the case.
  
  Values are critical, high, low, or medium. Default value is low.
  
  tags array[string]
  
  The words and phrases that help categorize cases. It can be an empty array.
  
  Not more than 200 elements. Maximum length of each is 256.
  
  title string
  
  A title for the case.
  
  Maximum length is 160.
- description string
  
  A description for the template.
- key string
  
  A unique key for the template. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific template.
- name string
  
  The name of the template.
- tags array[string]
  
  The words and phrases that help categorize templates. It can be an empty array.
  
  Not more than 200 elements. Maximum length of each is 256.

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- closure_type string
  
  Indicates whether a case is automatically closed when it is pushed to external systems (close-by-pushing) or not automatically closed (close-by-user).
  
  Values are close-by-pushing or close-by-user.
- connector object
  
  Hide connector attributes Show connector attributes object
  
  fields object | null
  
  The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to null.
  
  id string
  
  The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.
  
  name string
  
  The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.
  
  type string
  
  The type of connector.
  
  Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.
- created_at string(date-time)
- created_by object
  
  Hide created_by attributes Show created_by attributes object
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
- customFields array[object]
  
  Custom fields configuration details.
  
  Hide customFields attributes Show customFields attributes object
  
  defaultValue string | boolean
  
  A default value for the custom field. If the type is text, the default value must be a string. If the type is toggle, the default value must be boolean.
  
  One of:
  string-1 string boolean-2 boolean
  
  key string
  
  A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field.
  
  Minimum length is 1, maximum length is 36.
  
  label string
  
  The custom field label that is displayed in the case.
  
  Minimum length is 1, maximum length is 50.
  
  type string
  
  The type of the custom field.
  
  Values are text or toggle.
  
  required boolean
  
  Indicates whether the field is required. If false, the custom field can be set to null or omitted when a case is created or updated.
- error string | null
- id string
- mappings array[object]
  
  Hide mappings attributes Show mappings attributes object
  
  action_type string
  
  source string
  
  target string
- owner string
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
- templates array[object] Technical preview
  
  Hide templates attributes Show templates attributes object
  
  caseFields object
  
  Hide caseFields attributes Show caseFields attributes object
  
  assignees array[object] | null
  
  An array containing users that are assigned to the case.
  
  Not more than 10 elements.
  
  Hide assignees attribute Show assignees attribute object
  
  uid string Required
  
  A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.
  
  category string
  
  A word or phrase that categorizes the case.
  
  Maximum length is 50.
  
  connector object
  
  Hide connector attributes Show connector attributes object
  
  fields object | null
  
  The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to null.
  
  id string
  
  The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.
  
  name string
  
  The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.
  
  type string
  
  The type of connector.
  
  Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.
  
  customFields array[object] Technical preview
  
  Custom field values in the template.
  
  Hide customFields attributes Show customFields attributes object
  
  key string
  
  The unique key for the custom field.
  
  type string
  
  The type of the custom field.
  
  Values are text or toggle.
  
  value string | boolean
  
  The default value for the custom field when a case uses the template. If the type is text, the default value must be a string. If the type is toggle, the default value must be boolean.
  
  One of:
  string-1 string boolean-2 boolean
  
  description string
  
  The description for the case.
  
  Maximum length is 30000.
  
  settings object
  
  An object that contains the case settings.
  
  Hide settings attribute Show settings attribute object
  
  syncAlerts boolean Required
  
  Turns alert syncing on or off.
  
  severity string
  
  The severity of the case.
  
  Values are critical, high, low, or medium. Default value is low.
  
  tags array[string]
  
  The words and phrases that help categorize cases. It can be an empty array.
  
  Not more than 200 elements. Maximum length of each is 256.
  
  title string
  
  A title for the case.
  
  Maximum length is 160.
  
  description string
  
  A description for the template.
  
  key string
  
  A unique key for the template. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific template.
  
  name string
  
  The name of the template.
  
  tags array[string]
  
  The words and phrases that help categorize templates. It can be an empty array.
  
  Not more than 200 elements. Maximum length of each is 256.
- updated_at string(date-time) | null
- updated_by object | null
  
  Hide updated_by attributes Show updated_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
- version string
401 application/json

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
- message string
- statusCode integer

POST /api/cases/configure

curl \
 --request POST 'https://localhost:5601/api/cases/configure' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"owner":"cases","connector":{"id":"5e656730-e1ca-11ec-be9b-9b1838238ee6","name":"my-jira-connector","type":".jira","fields":null},"templates":[{"key":"505932fe-ee3a-4960-a661-c781b5acdb05","name":"template-1","tags":["Template tag 1"],"caseFields":{"tags":["Default case tag"],"title":"Default case title","category":"Default-category","assignees":[{"uid":"u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"}],"description":"A default description for cases.","customFields":[{"key":"d312efda-ec2b-42ec-9e2c-84981795c581","type":"text","value":"A text field value for the template."}]},"description":"A description of the template."}],"closure_type":"close-by-user","customFields":[{"key":"d312efda-ec2b-42ec-9e2c-84981795c581","type":"text","label":"my-text-field","required":false,"defaultValue":"My custom field default value."}]}'

Request example

{
  "owner": "cases",
  "connector": {
    "id": "5e656730-e1ca-11ec-be9b-9b1838238ee6",
    "name": "my-jira-connector",
    "type": ".jira",
    "fields": null
  },
  "templates": [
    {
      "key": "505932fe-ee3a-4960-a661-c781b5acdb05",
      "name": "template-1",
      "tags": [
        "Template tag 1"
      ],
      "caseFields": {
        "tags": [
          "Default case tag"
        ],
        "title": "Default case title",
        "category": "Default-category",
        "assignees": [
          {
            "uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
          }
        ],
        "description": "A default description for cases.",
        "customFields": [
          {
            "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
            "type": "text",
            "value": "A text field value for the template."
          }
        ]
      },
      "description": "A description of the template."
    }
  ],
  "closure_type": "close-by-user",
  "customFields": [
    {
      "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
      "type": "text",
      "label": "my-text-field",
      "required": false,
      "defaultValue": "My custom field default value."
    }
  ]
}

Response examples (200)

{
  "id": "4a97a440-e1cd-11ec-be9b-9b1838238ee6",
  "error": null,
  "owner": "cases",
  "version": "WzIwNzMsMV0=",
  "mappings": [
    {
      "source": "title",
      "target": "summary",
      "action_type": "overwrite"
    },
    {
      "source": "description",
      "target": "description",
      "action_type": "overwrite"
    },
    {
      "source": "comments",
      "target": "comments",
      "action_type": "append"
    },
    {
      "source": "tags",
      "target": "labels",
      "action_type": "overwrite"
    }
  ],
  "connector": {
    "id": "5e656730-e1ca-11ec-be9b-9b1838238ee6",
    "name": "my-jira-connector",
    "type": ".jira",
    "fields": null
  },
  "templates": [
    {
      "key": "505932fe-ee3a-4960-a661-c781b5acdb05",
      "name": "template-1",
      "tags": [
        "Template tag 1"
      ],
      "caseFields": {
        "tags": [
          "Default case tag"
        ],
        "title": "Default case title",
        "category": "Default-category",
        "assignees": [
          {
            "uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
          }
        ],
        "description": "A default description for cases.",
        "customFields": [
          {
            "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
            "type": "text",
            "value": "A text field value for the template."
          }
        ]
      },
      "description": "A description of the template."
    }
  ],
  "created_at": "2024-07-01T17:07:17.767Z",
  "created_by": {
    "email": "null,",
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "updated_at": null,
  "updated_by": null,
  "closure_type": "close-by-user",
  "customFields": [
    {
      "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
      "type": "text",
      "label": "my-text-field",
      "required": false,
      "defaultValue": "My custom field default value."
    }
  ]
}

Update case settings

PATCH /api/cases/configure/{configurationId}

Api key auth Basic auth

Updates setting details such as the closure type, custom fields, templates, and the default connector for cases. Connectors are used to interface with external systems. You must create a connector before you can use it in your cases. You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on where the case was created.

Headers

kbn-xsrf string Required

Cross-site request forgery protection

Path parameters

configurationId string Required

An identifier for the configuration.

application/json

Body

closure_type string

Indicates whether a case is automatically closed when it is pushed to external systems (close-by-pushing) or not automatically closed (close-by-user).

Values are close-by-pushing or close-by-user.
connector object

An object that contains the connector configuration.
Hide connector attributes Show connector attributes object
- fields object | null Required
  
  The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to null.
- id string Required
  
  The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.
- name string Required
  
  The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.
- type string Required
  
  The type of connector.
  
  Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.
customFields array[object]

Custom fields case configuration.
Hide customFields attributes Show customFields attributes object
- defaultValue string | boolean
  
  A default value for the custom field. If the type is text, the default value must be a string. If the type is toggle, the default value must be boolean.
  
  One of:
  string-1 string boolean-2 boolean
- key string Required
  
  A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field.
  
  Minimum length is 1, maximum length is 36.
- label string Required
  
  The custom field label that is displayed in the case.
  
  Minimum length is 1, maximum length is 50.
- type string Required
  
  The type of the custom field.
  
  Values are text or toggle.
- required boolean Required
  
  Indicates whether the field is required. If false, the custom field can be set to null or omitted when a case is created or updated.
templates array[object] Technical preview
Hide templates attributes Show templates attributes object
- caseFields object
  Hide caseFields attributes Show caseFields attributes object
  
  assignees array[object] | null
  
  An array containing users that are assigned to the case.
  
  Not more than 10 elements.
  
  Hide assignees attribute Show assignees attribute object
  
  uid string Required
  
  A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.
  
  category string
  
  A word or phrase that categorizes the case.
  
  Maximum length is 50.
  
  connector object
  
  Hide connector attributes Show connector attributes object
  
  fields object | null
  
  The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to null.
  
  id string
  
  The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.
  
  name string
  
  The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.
  
  type string
  
  The type of connector.
  
  Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.
  
  customFields array[object] Technical preview
  
  Custom field values in the template.
  
  Hide customFields attributes Show customFields attributes object
  
  key string
  
  The unique key for the custom field.
  
  type string
  
  The type of the custom field.
  
  Values are text or toggle.
  
  value string | boolean
  
  The default value for the custom field when a case uses the template. If the type is text, the default value must be a string. If the type is toggle, the default value must be boolean.
  
  One of:
  string-1 string boolean-2 boolean
  
  description string
  
  The description for the case.
  
  Maximum length is 30000.
  
  settings object
  
  An object that contains the case settings.
  
  Hide settings attribute Show settings attribute object
  
  syncAlerts boolean Required
  
  Turns alert syncing on or off.
  
  severity string
  
  The severity of the case.
  
  Values are critical, high, low, or medium. Default value is low.
  
  tags array[string]
  
  The words and phrases that help categorize cases. It can be an empty array.
  
  Not more than 200 elements. Maximum length of each is 256.
  
  title string
  
  A title for the case.
  
  Maximum length is 160.
- description string
  
  A description for the template.
- key string
  
  A unique key for the template. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific template.
- name string
  
  The name of the template.
- tags array[string]
  
  The words and phrases that help categorize templates. It can be an empty array.
  
  Not more than 200 elements. Maximum length of each is 256.
version string Required

The version of the connector. To retrieve the version value, use the get configuration API.

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- closure_type string
  
  Indicates whether a case is automatically closed when it is pushed to external systems (close-by-pushing) or not automatically closed (close-by-user).
  
  Values are close-by-pushing or close-by-user.
- connector object
  
  Hide connector attributes Show connector attributes object
  
  fields object | null
  
  The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to null.
  
  id string
  
  The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.
  
  name string
  
  The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.
  
  type string
  
  The type of connector.
  
  Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.
- created_at string(date-time)
- created_by object
  
  Hide created_by attributes Show created_by attributes object
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
- customFields array[object]
  
  Custom fields configuration details.
  
  Hide customFields attributes Show customFields attributes object
  
  defaultValue string | boolean
  
  A default value for the custom field. If the type is text, the default value must be a string. If the type is toggle, the default value must be boolean.
  
  One of:
  string-1 string boolean-2 boolean
  
  key string
  
  A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field.
  
  Minimum length is 1, maximum length is 36.
  
  label string
  
  The custom field label that is displayed in the case.
  
  Minimum length is 1, maximum length is 50.
  
  type string
  
  The type of the custom field.
  
  Values are text or toggle.
  
  required boolean
  
  Indicates whether the field is required. If false, the custom field can be set to null or omitted when a case is created or updated.
- error string | null
- id string
- mappings array[object]
  
  Hide mappings attributes Show mappings attributes object
  
  action_type string
  
  source string
  
  target string
- owner string
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
- templates array[object] Technical preview
  
  Hide templates attributes Show templates attributes object
  
  caseFields object
  
  Hide caseFields attributes Show caseFields attributes object
  
  assignees array[object] | null
  
  An array containing users that are assigned to the case.
  
  Not more than 10 elements.
  
  Hide assignees attribute Show assignees attribute object
  
  uid string Required
  
  A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.
  
  category string
  
  A word or phrase that categorizes the case.
  
  Maximum length is 50.
  
  connector object
  
  Hide connector attributes Show connector attributes object
  
  fields object | null
  
  The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to null.
  
  id string
  
  The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.
  
  name string
  
  The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.
  
  type string
  
  The type of connector.
  
  Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.
  
  customFields array[object] Technical preview
  
  Custom field values in the template.
  
  Hide customFields attributes Show customFields attributes object
  
  key string
  
  The unique key for the custom field.
  
  type string
  
  The type of the custom field.
  
  Values are text or toggle.
  
  value string | boolean
  
  The default value for the custom field when a case uses the template. If the type is text, the default value must be a string. If the type is toggle, the default value must be boolean.
  
  One of:
  string-1 string boolean-2 boolean
  
  description string
  
  The description for the case.
  
  Maximum length is 30000.
  
  settings object
  
  An object that contains the case settings.
  
  Hide settings attribute Show settings attribute object
  
  syncAlerts boolean Required
  
  Turns alert syncing on or off.
  
  severity string
  
  The severity of the case.
  
  Values are critical, high, low, or medium. Default value is low.
  
  tags array[string]
  
  The words and phrases that help categorize cases. It can be an empty array.
  
  Not more than 200 elements. Maximum length of each is 256.
  
  title string
  
  A title for the case.
  
  Maximum length is 160.
  
  description string
  
  A description for the template.
  
  key string
  
  A unique key for the template. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific template.
  
  name string
  
  The name of the template.
  
  tags array[string]
  
  The words and phrases that help categorize templates. It can be an empty array.
  
  Not more than 200 elements. Maximum length of each is 256.
- updated_at string(date-time) | null
- updated_by object | null
  
  Hide updated_by attributes Show updated_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
- version string
401 application/json

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
- message string
- statusCode integer

PATCH /api/cases/configure/{configurationId}

curl \
 --request PATCH 'https://localhost:5601/api/cases/configure/3297a0f0-b5ec-11ec-b141-0fdb20a7f9a9' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"version":"WzExOSw0XQ==","connector":{"id":"5e656730-e1ca-11ec-be9b-9b1838238ee6","name":"my-jira-connector","type":".jira","fields":null},"closure_type":"close-by-user","customFields":[{"key":"d312efda-ec2b-42ec-9e2c-84981795c581","type":"text","label":"my-text-field","required":true,"defaultValue":"A new default value."},{"key":"fcc6840d-eb14-42df-8aaf-232201a705ec","type":"toggle","label":"my-toggle","required":false}]}'

Request example

{
  "version": "WzExOSw0XQ==",
  "connector": {
    "id": "5e656730-e1ca-11ec-be9b-9b1838238ee6",
    "name": "my-jira-connector",
    "type": ".jira",
    "fields": null
  },
  "closure_type": "close-by-user",
  "customFields": [
    {
      "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
      "type": "text",
      "label": "my-text-field",
      "required": true,
      "defaultValue": "A new default value."
    },
    {
      "key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
      "type": "toggle",
      "label": "my-toggle",
      "required": false
    }
  ]
}

Response examples (200)

{
  "id": "4a97a440-e1cd-11ec-be9b-9b1838238ee6",
  "error": null,
  "owner": "cases",
  "version": "WzI2LDNd",
  "mappings": [
    {
      "source": "title",
      "target": "summary",
      "action_type": "overwrite"
    },
    {
      "source": "description",
      "target": "description",
      "action_type": "overwrite"
    },
    {
      "source": "tags",
      "target": "labels",
      "action_type": "overwrite"
    },
    {
      "source": "comments",
      "target": "comments",
      "action_type": "append"
    }
  ],
  "connector": {
    "id": "5e656730-e1ca-11ec-be9b-9b1838238ee6",
    "name": "my-jira-connector",
    "type": ".jira",
    "fields": null
  },
  "templates": [],
  "created_at": "2024-07-01T17:07:17.767Z",
  "created_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "updated_at": "2024-07-19T00:52:42.401Z",
  "updated_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "closure_type": "close-by-user",
  "customFields": [
    {
      "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
      "type": "text",
      "label": "my-text-field",
      "required": true,
      "defaultValue": "A new default value."
    },
    {
      "key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
      "type": "toggle",
      "label": "my-toggle",
      "required": false
    }
  ]
}

Get case connectors

GET /api/cases/configure/connectors/_find

Api key auth Basic auth

Get information about connectors that are supported for use in cases. You must have read privileges for the Actions and Connectors feature in the Management section of the Kibana feature privileges.

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- actionTypeId string
  
  The type of connector.
  
  Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.
- config object
  
  Additional properties are allowed.
  
  Hide config attributes Show config attributes object
  
  apiUrl string
  
  projectKey string
- id string
- isDeprecated boolean
- isMissingSecrets boolean
- isPreconfigured boolean
- name string
- referencedByCount integer
401 application/json

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
- message string
- statusCode integer

GET /api/cases/configure/connectors/_find

curl \
 --request GET 'https://localhost:5601/api/cases/configure/connectors/_find' \
 --header "Authorization: $API_KEY"

Response examples (200)

[
  {
    "id": "61787f53-4eee-4741-8df6-8fe84fa616f7",
    "name": "my-Jira",
    "config": {
      "apiUrl": "https://elastic.atlassian.net/",
      "projectKey": "ES"
    },
    "actionTypeId": ".jira",
    "isDeprecated": false,
    "isPreconfigured": false,
    "isMissingSecrets": false,
    "referencedByCount": 0
  }
]

Get case creators

GET /api/cases/reporters

Api key auth Basic auth

Returns information about the users who opened cases. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases. The API returns information about the users as they existed at the time of the case creation, including their name, full name, and email address. If any of those details change thereafter or if a user is deleted, the information returned by this API is unchanged.

Query parameters

owner string | array[string]

A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read.

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- email string | null Required
- full_name string | null Required
- profile_uid string
- username string | null Required
401 application/json

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
- message string
- statusCode integer

GET /api/cases/reporters

curl \
 --request GET 'https://localhost:5601/api/cases/reporters' \
 --header "Authorization: $API_KEY"

Response examples (200)

[
  {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  {
    "email": "jdoe@example.com",
    "username": "jdoe",
    "full_name": "Jane Doe",
    "profile_uid": "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
  }
]

Get case status summary Deprecated

GET /api/cases/status

Api key auth Basic auth

Returns the number of cases that are open, closed, and in progress. Deprecated in 8.1.0. This API is deprecated and will be removed in a future release; use the find cases API instead. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.

Query parameters

owner string | array[string]

A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read.

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- count_closed_cases integer
- count_in_progress_cases integer
- count_open_cases integer
401 application/json

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
- message string
- statusCode integer

GET /api/cases/status

curl \
 --request GET 'https://localhost:5601/api/cases/status' \
 --header "Authorization: $API_KEY"

Get case tags

GET /api/cases/tags

Api key auth Basic auth

Aggregates and returns a list of case tags. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.

Query parameters

owner string | array[string]

A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read.

Responses

200 application/json

Indicates a successful call.

Not more than 10000 elements.
401 application/json

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
- message string
- statusCode integer

GET /api/cases/tags

curl \
 --request GET 'https://localhost:5601/api/cases/tags' \
 --header "Authorization: $API_KEY"

Response examples (200)

[
  "observability",
  "security",
  "tag 1",
  "tag 2"
]

Get all connectors Deprecated

GET /api/actions

Api key auth Basic auth

GET /api/actions

curl \
 --request GET 'https://localhost:5601/api/actions' \
 --header "Authorization: $API_KEY"

Update a connector Deprecated

PUT /api/actions/action/{id}

Api key auth Basic auth

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

id string Required

An identifier for the connector.

application/json

Body

config object

Default value is {} (empty). Additional properties are allowed.
name string Required
secrets object

Default value is {} (empty). Additional properties are allowed.

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- config object
  
  Additional properties are allowed.
- connector_type_id string Required
  
  The connector type identifier.
- id string Required
  
  The identifier for the connector.
- is_deprecated boolean Required
  
  Indicates whether the connector is deprecated.
- is_missing_secrets boolean
  
  Indicates whether the connector is missing secrets.
- is_preconfigured boolean Required
  
  Indicates whether the connector is preconfigured. If true, the config and is_missing_secrets properties are omitted from the response.
- is_system_action boolean Required
  
  Indicates whether the connector is used for system actions.
- name string Required
  
  The name of the rule.

PUT /api/actions/action/{id}

curl \
 --request PUT 'https://localhost:5601/api/actions/action/{id}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"config":{},"name":"string","secrets":{}}'

Delete a connector Deprecated

DELETE /api/actions/action/{id}

Api key auth Basic auth

WARNING: When you delete a connector, it cannot be recovered.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

id string Required

An identifier for the connector.

Responses

204

Indicates a successful call.

DELETE /api/actions/action/{id}

curl \
 --request DELETE 'https://localhost:5601/api/actions/action/{id}' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Run a connector Deprecated

POST /api/actions/action/{id}/_execute

Api key auth Basic auth

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

id string Required

An identifier for the connector.

application/json

Body

params object Required

Additional properties are allowed.

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- config object
  
  Additional properties are allowed.
- connector_type_id string Required
  
  The connector type identifier.
- id string Required
  
  The identifier for the connector.
- is_deprecated boolean Required
  
  Indicates whether the connector is deprecated.
- is_missing_secrets boolean
  
  Indicates whether the connector is missing secrets.
- is_preconfigured boolean Required
  
  Indicates whether the connector is preconfigured. If true, the config and is_missing_secrets properties are omitted from the response.
- is_system_action boolean Required
  
  Indicates whether the connector is used for system actions.
- name string Required
  
  The name of the rule.

POST /api/actions/action/{id}/_execute

curl \
 --request POST 'https://localhost:5601/api/actions/action/{id}/_execute' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"params":{}}'

Get connector types

GET /api/actions/connector_types

Api key auth Basic auth

You do not need any Kibana feature privileges to run this API.

Query parameters

feature_id string

A filter to limit the retrieved connector types to those that support a specific feature (such as alerting or cases).

Responses

200 application/json

Indicates a successful call.

GET /api/actions/connector_types

curl \
 --request GET 'https://localhost:5601/api/actions/connector_types' \
 --header "Authorization: $API_KEY"

Response examples (200)

[
  {
    "id": ".gen-ai",
    "name": "OpenAI",
    "enabled": true,
    "enabled_in_config": true,
    "enabled_in_license": true,
    "is_system_action_type": false,
    "supported_feature_ids": [
      "generativeAIForSecurity",
      "generativeAIForObservability",
      "generativeAIForSearchPlayground"
    ],
    "minimum_license_required": "enterprise"
  },
  {
    "id": ".bedrock",
    "name": "AWS Bedrock",
    "enabled": true,
    "enabled_in_config": true,
    "enabled_in_license": true,
    "is_system_action_type": false,
    "supported_feature_ids": [
      "generativeAIForSecurity",
      "generativeAIForObservability",
      "generativeAIForSearchPlayground"
    ],
    "minimum_license_required": "enterprise"
  },
  {
    "id": ".gemini",
    "name": "Google Gemini",
    "enabled": true,
    "enabled_in_config": true,
    "enabled_in_license": true,
    "is_system_action_type": false,
    "supported_feature_ids": [
      "generativeAIForSecurity"
    ],
    "minimum_license_required": "enterprise"
  }
]

Get connector information

GET /api/actions/connector/{id}

Api key auth Basic auth

Path parameters

id string Required

An identifier for the connector.

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- config object
  
  Additional properties are allowed.
- connector_type_id string Required
  
  The connector type identifier.
- id string Required
  
  The identifier for the connector.
- is_deprecated boolean Required
  
  Indicates whether the connector is deprecated.
- is_missing_secrets boolean
  
  Indicates whether the connector is missing secrets.
- is_preconfigured boolean Required
  
  Indicates whether the connector is preconfigured. If true, the config and is_missing_secrets properties are omitted from the response.
- is_system_action boolean Required
  
  Indicates whether the connector is used for system actions.
- name string Required
  
  The name of the rule.

GET /api/actions/connector/{id}

curl \
 --request GET 'https://localhost:5601/api/actions/connector/{id}' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "id": "df770e30-8b8b-11ed-a780-3b746c987a81",
  "name": "my_server_log_connector",
  "config": {},
  "is_deprecated": false,
  "is_preconfigured": false,
  "is_system_action": false,
  "connector_type_id": ".server-log",
  "is_missing_secrets": false
}

Update a connector

PUT /api/actions/connector/{id}

Api key auth Basic auth

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

id string Required

An identifier for the connector.

application/json

Body

name string Required

The display name for the connector.
config object

The connector configuration details.
One of:
bedrock_config object crowdstrike_config object d3security_config object email_config object gemini_config object resilient_config object index_config object jira_config object defender_config object genai_azure_config object genai_openai_config object opsgenie_config object pagerduty_config object sentinelone_config object servicenow_config object servicenow_itom_config object slack_api_config object swimlane_config object thehive_config object tines_config object torq_config object webhook_config object cases_webhook_config object xmatters_config object
Defines properties for connectors when type is .bedrock.
Hide attributes Show attributes

apiUrl string Required

The Amazon Bedrock request URL.

defaultModel string

The generative artificial intelligence model for Amazon Bedrock to use. Current support is for the Anthropic Claude models.

Default value is anthropic.claude-3-5-sonnet-20240620-v1:0.
Defines config properties for connectors when type is .crowdstrike.
Hide attribute Show attribute

url string Required

The CrowdStrike tenant URL. If you are using the xpack.actions.allowedHosts setting, add the hostname to the allowed hosts.
Defines properties for connectors when type is .d3security.
Hide attribute Show attribute

url string Required

The D3 Security API request URL. If you are using the xpack.actions.allowedHosts setting, add the hostname to the allowed hosts.
Defines properties for connectors when type is .email.
Hide attributes Show attributes

clientId string | null

The client identifier, which is a part of OAuth 2.0 client credentials authentication, in GUID format. If service is exchange_server, this property is required.

from string Required

The from address for all emails sent by the connector. It must be specified in user@host-name format.

hasAuth boolean

Specifies whether a user and password are required inside the secrets configuration.

Default value is true.

host string

The host name of the service provider. If the service is elastic_cloud (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored. If service is other, this property must be defined.

oauthTokenUrl string | null

port integer

The port to connect to on the service provider. If the service is elastic_cloud (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored. If service is other, this property must be defined.

secure boolean

Specifies whether the connection to the service provider will use TLS. If the service is elastic_cloud (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored.

service string

The name of the email service.

Values are elastic_cloud, exchange_server, gmail, other, outlook365, or ses.

tenantId string | null

The tenant identifier, which is part of OAuth 2.0 client credentials authentication, in GUID format. If service is exchange_server, this property is required.
Defines properties for connectors when type is .gemini.
Hide attributes Show attributes

apiUrl string Required

The Google Gemini request URL.

defaultModel string

The generative artificial intelligence model for Google Gemini to use.

Default value is gemini-1.5-pro-002.

gcpRegion string Required

The GCP region where the Vertex AI endpoint enabled.

gcpProjectID string Required

The Google ProjectID that has Vertex AI endpoint enabled.
Defines properties for connectors when type is .resilient.
Hide attributes Show attributes

apiUrl string Required

The IBM Resilient instance URL.

orgId string Required

The IBM Resilient organization ID.
Defines properties for connectors when type is .index.
Hide attributes Show attributes

executionTimeField string | null

A field that indicates when the document was indexed.

index string Required

The Elasticsearch index to be written to.

refresh boolean

The refresh policy for the write request, which affects when changes are made visible to search. Refer to the refresh setting for Elasticsearch document APIs.

Default value is false.
Defines properties for connectors when type is .jira.
Hide attributes Show attributes

apiUrl string Required

The Jira instance URL.

projectKey string Required

The Jira project key.
Defines properties for connectors when type is .microsoft_defender_endpoint.
Hide attributes Show attributes

apiUrl string Required

The URL of the Microsoft Defender for Endpoint API. If you are using the xpack.actions.allowedHosts setting, make sure the hostname is added to the allowed hosts.

clientId string

The application (client) identifier for your app in the Azure portal.

oAuthScope string

The OAuth scopes or permission sets for the Microsoft Defender for Endpoint API.

oAuthServerUrl string

The OAuth server URL where authentication is sent and received for the Microsoft Defender for Endpoint API.

tenantId string

The tenant identifier for your app in the Azure portal.
Defines properties for connectors when type is .gen-ai and the API provider is Azure OpenAI.
Hide attributes Show attributes

apiProvider string Required

The OpenAI API provider.

Value is Azure OpenAI.

apiUrl string Required

The OpenAI API endpoint.
Defines properties for connectors when type is .gen-ai and the API provider is OpenAI.
Hide attributes Show attributes

apiProvider string Required

The OpenAI API provider.

Value is OpenAI.

apiUrl string Required

The OpenAI API endpoint.

defaultModel string

The default model to use for requests.
Defines properties for connectors when type is .opsgenie.
Hide attribute Show attribute

apiUrl string Required

The Opsgenie URL. For example, https://api.opsgenie.com or https://api.eu.opsgenie.com. If you are using the xpack.actions.allowedHosts setting, add the hostname to the allowed hosts.
Defines properties for connectors when type is .pagerduty.
Hide attribute Show attribute

apiUrl string | null

The PagerDuty event URL.
Defines properties for connectors when type is .sentinelone.
Hide attribute Show attribute

url string Required

The SentinelOne tenant URL. If you are using the xpack.actions.allowedHosts setting, add the hostname to the allowed hosts.
Defines properties for connectors when type is .servicenow.
Hide attributes Show attributes

apiUrl string Required

The ServiceNow instance URL.

clientId string

The client ID assigned to your OAuth application. This property is required when isOAuth is true.

isOAuth boolean

The type of authentication to use. The default value is false, which means basic authentication is used instead of open authorization (OAuth).

Default value is false.

jwtKeyId string

The key identifier assigned to the JWT verifier map of your OAuth application. This property is required when isOAuth is true.

userIdentifierValue string

The identifier to use for OAuth authentication. This identifier should be the user field you selected when you created an OAuth JWT API endpoint for external clients in your ServiceNow instance. For example, if the selected user field is Email, the user identifier should be the user's email address. This property is required when isOAuth is true.

usesTableApi boolean

Determines whether the connector uses the Table API or the Import Set API. This property is supported only for ServiceNow ITSM and ServiceNow SecOps connectors. NOTE: If this property is set to false, the Elastic application should be installed in ServiceNow.

Default value is true.
Defines properties for connectors when type is .servicenow-itom.
Hide attributes Show attributes

apiUrl string Required

The ServiceNow instance URL.

clientId string

The client ID assigned to your OAuth application. This property is required when isOAuth is true.

isOAuth boolean

The type of authentication to use. The default value is false, which means basic authentication is used instead of open authorization (OAuth).

Default value is false.

jwtKeyId string

The key identifier assigned to the JWT verifier map of your OAuth application. This property is required when isOAuth is true.

userIdentifierValue string

The identifier to use for OAuth authentication. This identifier should be the user field you selected when you created an OAuth JWT API endpoint for external clients in your ServiceNow instance. For example, if the selected user field is Email, the user identifier should be the user's email address. This property is required when isOAuth is true.
Defines properties for connectors when type is .slack_api.
Hide attribute Show attribute

allowedChannels array[object]

A list of valid Slack channels.

Hide allowedChannels attributes Show allowedChannels attributes object

id string Required

The Slack channel ID.

Minimum length is 1.

name string Required

The Slack channel name.

Minimum length is 1.
Defines properties for connectors when type is .swimlane.
Hide attributes Show attributes

apiUrl string Required

The Swimlane instance URL.

appId string Required

The Swimlane application ID.

connectorType string Required

The type of connector. Valid values are all, alerts, and cases.

Values are all, alerts, or cases.

mappings object

The field mapping.

Hide mappings attributes Show mappings attributes object

alertIdConfig object

Mapping for the alert ID.

Hide alertIdConfig attributes Show alertIdConfig attributes object

fieldType string Required

The type of field in Swimlane.

id string Required

The identifier for the field in Swimlane.

key string Required

The key for the field in Swimlane.

name string Required

The name of the field in Swimlane.

caseIdConfig object

Mapping for the case ID.

Hide caseIdConfig attributes Show caseIdConfig attributes object

fieldType string Required

The type of field in Swimlane.

id string Required

The identifier for the field in Swimlane.

key string Required

The key for the field in Swimlane.

name string Required

The name of the field in Swimlane.

caseNameConfig object

Mapping for the case name.

Hide caseNameConfig attributes Show caseNameConfig attributes object

fieldType string Required

The type of field in Swimlane.

id string Required

The identifier for the field in Swimlane.

key string Required

The key for the field in Swimlane.

name string Required

The name of the field in Swimlane.

commentsConfig object

Mapping for the case comments.

Hide commentsConfig attributes Show commentsConfig attributes object

fieldType string Required

The type of field in Swimlane.

id string Required

The identifier for the field in Swimlane.

key string Required

The key for the field in Swimlane.

name string Required

The name of the field in Swimlane.

descriptionConfig object

Mapping for the case description.

Hide descriptionConfig attributes Show descriptionConfig attributes object

fieldType string Required

The type of field in Swimlane.

id string Required

The identifier for the field in Swimlane.

key string Required

The key for the field in Swimlane.

name string Required

The name of the field in Swimlane.

ruleNameConfig object

Mapping for the name of the alert's rule.

Hide ruleNameConfig attributes Show ruleNameConfig attributes object

fieldType string Required

The type of field in Swimlane.

id string Required

The identifier for the field in Swimlane.

key string Required

The key for the field in Swimlane.

name string Required

The name of the field in Swimlane.

severityConfig object

Mapping for the severity.

Hide severityConfig attributes Show severityConfig attributes object

fieldType string Required

The type of field in Swimlane.

id string Required

The identifier for the field in Swimlane.

key string Required

The key for the field in Swimlane.

name string Required

The name of the field in Swimlane.
Defines configuration properties for connectors when type is .thehive.
Hide attributes Show attributes

organisation string

The organisation in TheHive that will contain the alerts or cases. By default, the connector uses the default organisation of the user account that created the API key.

url string Required

The instance URL in TheHive. If you are using the xpack.actions.allowedHosts setting, add the hostname to the allowed hosts.
Defines properties for connectors when type is .tines.
Hide attribute Show attribute

url string Required

The Tines tenant URL. If you are using the xpack.actions.allowedHosts setting, make sure this hostname is added to the allowed hosts.
Defines properties for connectors when type is .torq.
Hide attribute Show attribute

webhookIntegrationUrl string Required

The endpoint URL of the Elastic Security integration in Torq.
Defines properties for connectors when type is .webhook.
Hide attributes Show attributes

authType string | null

The type of authentication to use: basic, SSL, or none.

Values are webhook-authentication-basic or webhook-authentication-ssl.

ca string

A base64 encoded version of the certificate authority file that the connector can trust to sign and validate certificates. This option is available for all authentication types.

certType string

If the authType is webhook-authentication-ssl, specifies whether the certificate authentication data is in a CRT and key file format or a PFX file format.

Values are ssl-crt-key or ssl-pfx.

hasAuth boolean

If true, a username and password for login type authentication must be provided.

Default value is true.

headers object | null

A set of key-value pairs sent as headers with the request.

method string

The HTTP request method, either post or put.

Values are post or put. Default value is post.

url string

The request URL. If you are using the xpack.actions.allowedHosts setting, add the hostname to the allowed hosts.

verificationMode string

Controls the verification of certificates. Use full to validate that the certificate has an issue date within the not_before and not_after dates, chains to a trusted certificate authority (CA), and has a hostname or IP address that matches the names within the certificate. Use certificate to validate the certificate and verify that it is signed by a trusted authority; this option does not check the certificate hostname. Use none to skip certificate validation.

Values are certificate, full, or none. Default value is full.
Defines properties for connectors when type is .cases-webhook.
Hide attributes Show attributes

authType string | null

The type of authentication to use: basic, SSL, or none.

Values are webhook-authentication-basic or webhook-authentication-ssl.

ca string

A base64 encoded version of the certificate authority file that the connector can trust to sign and validate certificates. This option is available for all authentication types.

certType string

If the authType is webhook-authentication-ssl, specifies whether the certificate authentication data is in a CRT and key file format or a PFX file format.

Values are ssl-crt-key or ssl-pfx.

createCommentJson string

A JSON payload sent to the create comment URL to create a case comment. You can use variables to add Kibana Cases data to the payload. The required variable is case.comment. Due to Mustache template variables (the text enclosed in triple braces, for example, {{{case.title}}}), the JSON is not validated when you create the connector. The JSON is validated once the Mustache variables have been placed when the REST method runs. Manually ensure that the JSON is valid, disregarding the Mustache variables, so the later validation will pass.

createCommentMethod string

The REST API HTTP request method to create a case comment in the third-party system. Valid values are patch, post, and put.

Values are patch, post, or put. Default value is put.

createCommentUrl string

The REST API URL to create a case comment by ID in the third-party system. You can use a variable to add the external system ID to the URL. If you are using the xpack.actions.allowedHosts setting, add the hostname to the allowed hosts.

createIncidentJson string Required

A JSON payload sent to the create case URL to create a case. You can use variables to add case data to the payload. Required variables are case.title and case.description. Due to Mustache template variables (which is the text enclosed in triple braces, for example, {{{case.title}}}), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when REST method runs. Manually ensure that the JSON is valid to avoid future validation errors; disregard Mustache variables during your review.

createIncidentMethod string

The REST API HTTP request method to create a case in the third-party system. Valid values are patch, post, and put.

Values are patch, post, or put. Default value is post.

createIncidentResponseKey string Required

The JSON key in the create external case response that contains the case ID.

createIncidentUrl string Required

The REST API URL to create a case in the third-party system. If you are using the xpack.actions.allowedHosts setting, add the hostname to the allowed hosts.

getIncidentResponseExternalTitleKey string Required

The JSON key in get external case response that contains the case title.

getIncidentUrl string Required

The REST API URL to get the case by ID from the third-party system. If you are using the xpack.actions.allowedHosts setting, add the hostname to the allowed hosts. You can use a variable to add the external system ID to the URL. Due to Mustache template variables (the text enclosed in triple braces, for example, {{{case.title}}}), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when REST method runs. Manually ensure that the JSON is valid, disregarding the Mustache variables, so the later validation will pass.

hasAuth boolean

If true, a username and password for login type authentication must be provided.

Default value is true.

headers string

A set of key-value pairs sent as headers with the request URLs for the create case, update case, get case, and create comment methods.

updateIncidentJson string Required

The JSON payload sent to the update case URL to update the case. You can use variables to add Kibana Cases data to the payload. Required variables are case.title and case.description. Due to Mustache template variables (which is the text enclosed in triple braces, for example, {{{case.title}}}), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when REST method runs. Manually ensure that the JSON is valid to avoid future validation errors; disregard Mustache variables during your review.

updateIncidentMethod string

The REST API HTTP request method to update the case in the third-party system. Valid values are patch, post, and put.

Values are patch, post, or put. Default value is put.

updateIncidentUrl string Required

The REST API URL to update the case by ID in the third-party system. You can use a variable to add the external system ID to the URL. If you are using the xpack.actions.allowedHosts setting, add the hostname to the allowed hosts.

verificationMode string

Controls the verification of certificates. Use full to validate that the certificate has an issue date within the not_before and not_after dates, chains to a trusted certificate authority (CA), and has a hostname or IP address that matches the names within the certificate. Use certificate to validate the certificate and verify that it is signed by a trusted authority; this option does not check the certificate hostname. Use none to skip certificate validation.

Values are certificate, full, or none. Default value is full.

viewIncidentUrl string Required

The URL to view the case in the external system. You can use variables to add the external system ID or external system title to the URL.
Defines properties for connectors when type is .xmatters.
Hide attributes Show attributes

configUrl string | null

The request URL for the Elastic Alerts trigger in xMatters. It is applicable only when usesBasic is true.

usesBasic boolean

Specifies whether the connector uses HTTP basic authentication (true) or URL authentication (false).

Default value is true.
secrets object
One of:
bedrock_secrets object crowdstrike_secrets object d3security_secrets object email_secrets object gemini_secrets object resilient_secrets object jira_secrets object teams_secrets object genai_secrets object opsgenie_secrets object pagerduty_secrets object sentinelone_secrets object servicenow_secrets object slack_api_secrets object swimlane_secrets object thehive_secrets object tines_secrets object torq_secrets object webhook_secrets object cases_webhook_secrets object xmatters_secrets object
Defines secrets for connectors when type is .bedrock.
Hide attributes Show attributes

accessKey string Required

The AWS access key for authentication.

secret string Required

The AWS secret for authentication.
Defines secrets for connectors when type is .crowdstrike.
Hide attributes Show attributes

clientId string Required

The CrowdStrike API client identifier.

clientSecret string Required

The CrowdStrike API client secret to authenticate the clientId.
Defines secrets for connectors when type is .d3security.
Hide attribute Show attribute

token string Required

The D3 Security token.
Defines secrets for connectors when type is .email.
Hide attributes Show attributes

clientSecret string

The Microsoft Exchange Client secret for OAuth 2.0 client credentials authentication. It must be URL-encoded. If service is exchange_server, this property is required.

password string

The password for HTTP basic authentication. If hasAuth is set to true, this property is required.

user string

The username for HTTP basic authentication. If hasAuth is set to true, this property is required.
Defines secrets for connectors when type is .gemini.
Hide attribute Show attribute

credentialsJson string Required

The service account credentials JSON file. The service account should have Vertex AI user IAM role assigned to it.
Defines secrets for connectors when type is .resilient.
Hide attributes Show attributes

apiKeyId string Required

The authentication key ID for HTTP Basic authentication.

apiKeySecret string Required

The authentication key secret for HTTP Basic authentication.
Defines secrets for connectors when type is .jira.
Hide attributes Show attributes

apiToken string Required

The Jira API authentication token for HTTP basic authentication.

email string Required

The account email for HTTP Basic authentication.
Defines secrets for connectors when type is .teams.
Hide attribute Show attribute

webhookUrl string Required

The URL of the incoming webhook. If you are using the xpack.actions.allowedHosts setting, add the hostname to the allowed hosts.
Defines secrets for connectors when type is .gen-ai.
Hide attribute Show attribute

apiKey string

The OpenAI API key.
Defines secrets for connectors when type is .opsgenie.
Hide attribute Show attribute

apiKey string Required

The Opsgenie API authentication key for HTTP Basic authentication.
Defines secrets for connectors when type is .pagerduty.
Hide attribute Show attribute

routingKey string Required

A 32 character PagerDuty Integration Key for an integration on a service.
Defines secrets for connectors when type is .sentinelone.
Hide attribute Show attribute

token string Required

The A SentinelOne API token.
Defines secrets for connectors when type is .servicenow, .servicenow-sir, or .servicenow-itom.
Hide attributes Show attributes

clientSecret string

The client secret assigned to your OAuth application. This property is required when isOAuth is true.

password string

The password for HTTP basic authentication. This property is required when isOAuth is false.

privateKey string

The RSA private key that you created for use in ServiceNow. This property is required when isOAuth is true.

privateKeyPassword string

The password for the RSA private key. This property is required when isOAuth is true and you set a password on your private key.

username string

The username for HTTP basic authentication. This property is required when isOAuth is false.
Defines secrets for connectors when type is .slack.
Hide attribute Show attribute

token string Required

Slack bot user OAuth token.
Defines secrets for connectors when type is .swimlane.
Hide attribute Show attribute

apiToken string

Swimlane API authentication token.
Defines secrets for connectors when type is .thehive.
Hide attribute Show attribute

apiKey string Required

The API key for authentication in TheHive.
Defines secrets for connectors when type is .tines.
Hide attributes Show attributes

email string Required

The email used to sign in to Tines.

token string Required

The Tines API token.
Defines secrets for connectors when type is .torq.
Hide attribute Show attribute

token string Required

The secret of the webhook authentication header.
Defines secrets for connectors when type is .webhook.
Hide attributes Show attributes

crt string

If authType is webhook-authentication-ssl and certType is ssl-crt-key, it is a base64 encoded version of the CRT or CERT file.

key string

If authType is webhook-authentication-ssl and certType is ssl-crt-key, it is a base64 encoded version of the KEY file.

pfx string

If authType is webhook-authentication-ssl and certType is ssl-pfx, it is a base64 encoded version of the PFX or P12 file.

password string

The password for HTTP basic authentication or the passphrase for the SSL certificate files. If hasAuth is set to true and authType is webhook-authentication-basic, this property is required.

user string

The username for HTTP basic authentication. If hasAuth is set to true and authType is webhook-authentication-basic, this property is required.
Hide attributes Show attributes

crt string

If authType is webhook-authentication-ssl and certType is ssl-crt-key, it is a base64 encoded version of the CRT or CERT file.

key string

If authType is webhook-authentication-ssl and certType is ssl-crt-key, it is a base64 encoded version of the KEY file.

pfx string

If authType is webhook-authentication-ssl and certType is ssl-pfx, it is a base64 encoded version of the PFX or P12 file.

password string

The password for HTTP basic authentication. If hasAuth is set to true and and authType is webhook-authentication-basic, this property is required.

user string

The username for HTTP basic authentication. If hasAuth is set to true and authType is webhook-authentication-basic, this property is required.
Defines secrets for connectors when type is .xmatters.
Hide attributes Show attributes

password string

A user name for HTTP basic authentication. It is applicable only when usesBasic is true.

secretsUrl string

The request URL for the Elastic Alerts trigger in xMatters with the API key included in the URL. It is applicable only when usesBasic is false.

user string

A password for HTTP basic authentication. It is applicable only when usesBasic is true.

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- config object
  
  Additional properties are allowed.
- connector_type_id string Required
  
  The connector type identifier.
- id string Required
  
  The identifier for the connector.
- is_deprecated boolean Required
  
  Indicates whether the connector is deprecated.
- is_missing_secrets boolean
  
  Indicates whether the connector is missing secrets.
- is_preconfigured boolean Required
  
  Indicates whether the connector is preconfigured. If true, the config and is_missing_secrets properties are omitted from the response.
- is_system_action boolean Required
  
  Indicates whether the connector is used for system actions.
- name string Required
  
  The name of the rule.

PUT /api/actions/connector/{id}

curl \
 --request PUT 'https://localhost:5601/api/actions/connector/{id}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"name":"updated-connector","config":{"index":"updated-index"}}'

Request example

{
  "name": "updated-connector",
  "config": {
    "index": "updated-index"
  }
}

Create a connector

POST /api/actions/connector/{id}

Api key auth Basic auth

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

id string Required

An identifier for the connector.

application/json

Body

connector_type_id string Required

The type of connector.
name string Required

The display name for the connector.
config object

The connector configuration details.
One of:
bedrock_config object crowdstrike_config object d3security_config object email_config object gemini_config object resilient_config object index_config object jira_config object genai_azure_config object genai_openai_config object opsgenie_config object pagerduty_config object sentinelone_config object servicenow_config object servicenow_itom_config object slack_api_config object swimlane_config object thehive_config object tines_config object torq_config object webhook_config object cases_webhook_config object xmatters_config object
Defines properties for connectors when type is .bedrock.
Hide attributes Show attributes

apiUrl string Required

The Amazon Bedrock request URL.

defaultModel string

The generative artificial intelligence model for Amazon Bedrock to use. Current support is for the Anthropic Claude models.

Default value is anthropic.claude-3-5-sonnet-20240620-v1:0.
Defines config properties for connectors when type is .crowdstrike.
Hide attribute Show attribute

url string Required

The CrowdStrike tenant URL. If you are using the xpack.actions.allowedHosts setting, add the hostname to the allowed hosts.
Defines properties for connectors when type is .d3security.
Hide attribute Show attribute

url string Required

The D3 Security API request URL. If you are using the xpack.actions.allowedHosts setting, add the hostname to the allowed hosts.
Defines properties for connectors when type is .email.
Hide attributes Show attributes

clientId string | null

The client identifier, which is a part of OAuth 2.0 client credentials authentication, in GUID format. If service is exchange_server, this property is required.

from string Required

The from address for all emails sent by the connector. It must be specified in user@host-name format.

hasAuth boolean

Specifies whether a user and password are required inside the secrets configuration.

Default value is true.

host string

The host name of the service provider. If the service is elastic_cloud (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored. If service is other, this property must be defined.

oauthTokenUrl string | null

port integer

The port to connect to on the service provider. If the service is elastic_cloud (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored. If service is other, this property must be defined.

secure boolean

Specifies whether the connection to the service provider will use TLS. If the service is elastic_cloud (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored.

service string

The name of the email service.

Values are elastic_cloud, exchange_server, gmail, other, outlook365, or ses.

tenantId string | null

The tenant identifier, which is part of OAuth 2.0 client credentials authentication, in GUID format. If service is exchange_server, this property is required.
Defines properties for connectors when type is .gemini.
Hide attributes Show attributes

apiUrl string Required

The Google Gemini request URL.

defaultModel string

The generative artificial intelligence model for Google Gemini to use.

Default value is gemini-1.5-pro-002.

gcpRegion string Required

The GCP region where the Vertex AI endpoint enabled.

gcpProjectID string Required

The Google ProjectID that has Vertex AI endpoint enabled.
Defines properties for connectors when type is .resilient.
Hide attributes Show attributes

apiUrl string Required

The IBM Resilient instance URL.

orgId string Required

The IBM Resilient organization ID.
Defines properties for connectors when type is .index.
Hide attributes Show attributes

executionTimeField string | null

A field that indicates when the document was indexed.

index string Required

The Elasticsearch index to be written to.

refresh boolean

The refresh policy for the write request, which affects when changes are made visible to search. Refer to the refresh setting for Elasticsearch document APIs.

Default value is false.
Defines properties for connectors when type is .jira.
Hide attributes Show attributes

apiUrl string Required

The Jira instance URL.

projectKey string Required

The Jira project key.
Defines properties for connectors when type is .gen-ai and the API provider is Azure OpenAI.
Hide attributes Show attributes

apiProvider string Required

The OpenAI API provider.

Value is Azure OpenAI.

apiUrl string Required

The OpenAI API endpoint.
Defines properties for connectors when type is .gen-ai and the API provider is OpenAI.
Hide attributes Show attributes

apiProvider string Required

The OpenAI API provider.

Value is OpenAI.

apiUrl string Required

The OpenAI API endpoint.

defaultModel string

The default model to use for requests.
Defines properties for connectors when type is .opsgenie.
Hide attribute Show attribute

apiUrl string Required

The Opsgenie URL. For example, https://api.opsgenie.com or https://api.eu.opsgenie.com. If you are using the xpack.actions.allowedHosts setting, add the hostname to the allowed hosts.
Defines properties for connectors when type is .pagerduty.
Hide attribute Show attribute

apiUrl string | null

The PagerDuty event URL.
Defines properties for connectors when type is .sentinelone.
Hide attribute Show attribute

url string Required

The SentinelOne tenant URL. If you are using the xpack.actions.allowedHosts setting, add the hostname to the allowed hosts.
Defines properties for connectors when type is .servicenow.
Hide attributes Show attributes

apiUrl string Required

The ServiceNow instance URL.

clientId string

The client ID assigned to your OAuth application. This property is required when isOAuth is true.

isOAuth boolean

The type of authentication to use. The default value is false, which means basic authentication is used instead of open authorization (OAuth).

Default value is false.

jwtKeyId string

The key identifier assigned to the JWT verifier map of your OAuth application. This property is required when isOAuth is true.

userIdentifierValue string

The identifier to use for OAuth authentication. This identifier should be the user field you selected when you created an OAuth JWT API endpoint for external clients in your ServiceNow instance. For example, if the selected user field is Email, the user identifier should be the user's email address. This property is required when isOAuth is true.

usesTableApi boolean

Determines whether the connector uses the Table API or the Import Set API. This property is supported only for ServiceNow ITSM and ServiceNow SecOps connectors. NOTE: If this property is set to false, the Elastic application should be installed in ServiceNow.

Default value is true.
Defines properties for connectors when type is .servicenow-itom.
Hide attributes Show attributes

apiUrl string Required

The ServiceNow instance URL.

clientId string

The client ID assigned to your OAuth application. This property is required when isOAuth is true.

isOAuth boolean

The type of authentication to use. The default value is false, which means basic authentication is used instead of open authorization (OAuth).

Default value is false.

jwtKeyId string

The key identifier assigned to the JWT verifier map of your OAuth application. This property is required when isOAuth is true.

userIdentifierValue string

The identifier to use for OAuth authentication. This identifier should be the user field you selected when you created an OAuth JWT API endpoint for external clients in your ServiceNow instance. For example, if the selected user field is Email, the user identifier should be the user's email address. This property is required when isOAuth is true.
Defines properties for connectors when type is .slack_api.
Hide attribute Show attribute

allowedChannels array[object]

A list of valid Slack channels.

Hide allowedChannels attributes Show allowedChannels attributes object

id string Required

The Slack channel ID.

Minimum length is 1.

name string Required

The Slack channel name.

Minimum length is 1.
Defines properties for connectors when type is .swimlane.
Hide attributes Show attributes

apiUrl string Required

The Swimlane instance URL.

appId string Required

The Swimlane application ID.

connectorType string Required

The type of connector. Valid values are all, alerts, and cases.

Values are all, alerts, or cases.

mappings object

The field mapping.

Hide mappings attributes Show mappings attributes object

alertIdConfig object

Mapping for the alert ID.

Hide alertIdConfig attributes Show alertIdConfig attributes object

fieldType string Required

The type of field in Swimlane.

id string Required

The identifier for the field in Swimlane.

key string Required

The key for the field in Swimlane.

name string Required

The name of the field in Swimlane.

caseIdConfig object

Mapping for the case ID.

Hide caseIdConfig attributes Show caseIdConfig attributes object

fieldType string Required

The type of field in Swimlane.

id string Required

The identifier for the field in Swimlane.

key string Required

The key for the field in Swimlane.

name string Required

The name of the field in Swimlane.

caseNameConfig object

Mapping for the case name.

Hide caseNameConfig attributes Show caseNameConfig attributes object

fieldType string Required

The type of field in Swimlane.

id string Required

The identifier for the field in Swimlane.

key string Required

The key for the field in Swimlane.

name string Required

The name of the field in Swimlane.

commentsConfig object

Mapping for the case comments.

Hide commentsConfig attributes Show commentsConfig attributes object

fieldType string Required

The type of field in Swimlane.

id string Required

The identifier for the field in Swimlane.

key string Required

The key for the field in Swimlane.

name string Required

The name of the field in Swimlane.

descriptionConfig object

Mapping for the case description.

Hide descriptionConfig attributes Show descriptionConfig attributes object

fieldType string Required

The type of field in Swimlane.

id string Required

The identifier for the field in Swimlane.

key string Required

The key for the field in Swimlane.

name string Required

The name of the field in Swimlane.

ruleNameConfig object

Mapping for the name of the alert's rule.

Hide ruleNameConfig attributes Show ruleNameConfig attributes object

fieldType string Required

The type of field in Swimlane.

id string Required

The identifier for the field in Swimlane.

key string Required

The key for the field in Swimlane.

name string Required

The name of the field in Swimlane.

severityConfig object

Mapping for the severity.

Hide severityConfig attributes Show severityConfig attributes object

fieldType string Required

The type of field in Swimlane.

id string Required

The identifier for the field in Swimlane.

key string Required

The key for the field in Swimlane.

name string Required

The name of the field in Swimlane.
Defines configuration properties for connectors when type is .thehive.
Hide attributes Show attributes

organisation string

The organisation in TheHive that will contain the alerts or cases. By default, the connector uses the default organisation of the user account that created the API key.

url string Required

The instance URL in TheHive. If you are using the xpack.actions.allowedHosts setting, add the hostname to the allowed hosts.
Defines properties for connectors when type is .tines.
Hide attribute Show attribute

url string Required

The Tines tenant URL. If you are using the xpack.actions.allowedHosts setting, make sure this hostname is added to the allowed hosts.
Defines properties for connectors when type is .torq.
Hide attribute Show attribute

webhookIntegrationUrl string Required

The endpoint URL of the Elastic Security integration in Torq.
Defines properties for connectors when type is .webhook.
Hide attributes Show attributes

authType string | null

The type of authentication to use: basic, SSL, or none.

Values are webhook-authentication-basic or webhook-authentication-ssl.

ca string

A base64 encoded version of the certificate authority file that the connector can trust to sign and validate certificates. This option is available for all authentication types.

certType string

If the authType is webhook-authentication-ssl, specifies whether the certificate authentication data is in a CRT and key file format or a PFX file format.

Values are ssl-crt-key or ssl-pfx.

hasAuth boolean

If true, a username and password for login type authentication must be provided.

Default value is true.

headers object | null

A set of key-value pairs sent as headers with the request.

method string

The HTTP request method, either post or put.

Values are post or put. Default value is post.

url string

The request URL. If you are using the xpack.actions.allowedHosts setting, add the hostname to the allowed hosts.

verificationMode string

Controls the verification of certificates. Use full to validate that the certificate has an issue date within the not_before and not_after dates, chains to a trusted certificate authority (CA), and has a hostname or IP address that matches the names within the certificate. Use certificate to validate the certificate and verify that it is signed by a trusted authority; this option does not check the certificate hostname. Use none to skip certificate validation.

Values are certificate, full, or none. Default value is full.
Defines properties for connectors when type is .cases-webhook.
Hide attributes Show attributes

authType string | null

The type of authentication to use: basic, SSL, or none.

Values are webhook-authentication-basic or webhook-authentication-ssl.

ca string

A base64 encoded version of the certificate authority file that the connector can trust to sign and validate certificates. This option is available for all authentication types.

certType string

If the authType is webhook-authentication-ssl, specifies whether the certificate authentication data is in a CRT and key file format or a PFX file format.

Values are ssl-crt-key or ssl-pfx.

createCommentJson string

A JSON payload sent to the create comment URL to create a case comment. You can use variables to add Kibana Cases data to the payload. The required variable is case.comment. Due to Mustache template variables (the text enclosed in triple braces, for example, {{{case.title}}}), the JSON is not validated when you create the connector. The JSON is validated once the Mustache variables have been placed when the REST method runs. Manually ensure that the JSON is valid, disregarding the Mustache variables, so the later validation will pass.

createCommentMethod string

The REST API HTTP request method to create a case comment in the third-party system. Valid values are patch, post, and put.

Values are patch, post, or put. Default value is put.

createCommentUrl string

The REST API URL to create a case comment by ID in the third-party system. You can use a variable to add the external system ID to the URL. If you are using the xpack.actions.allowedHosts setting, add the hostname to the allowed hosts.

createIncidentJson string Required

A JSON payload sent to the create case URL to create a case. You can use variables to add case data to the payload. Required variables are case.title and case.description. Due to Mustache template variables (which is the text enclosed in triple braces, for example, {{{case.title}}}), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when REST method runs. Manually ensure that the JSON is valid to avoid future validation errors; disregard Mustache variables during your review.

createIncidentMethod string

The REST API HTTP request method to create a case in the third-party system. Valid values are patch, post, and put.

Values are patch, post, or put. Default value is post.

createIncidentResponseKey string Required

The JSON key in the create external case response that contains the case ID.

createIncidentUrl string Required

The REST API URL to create a case in the third-party system. If you are using the xpack.actions.allowedHosts setting, add the hostname to the allowed hosts.

getIncidentResponseExternalTitleKey string Required

The JSON key in get external case response that contains the case title.

getIncidentUrl string Required

The REST API URL to get the case by ID from the third-party system. If you are using the xpack.actions.allowedHosts setting, add the hostname to the allowed hosts. You can use a variable to add the external system ID to the URL. Due to Mustache template variables (the text enclosed in triple braces, for example, {{{case.title}}}), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when REST method runs. Manually ensure that the JSON is valid, disregarding the Mustache variables, so the later validation will pass.

hasAuth boolean

If true, a username and password for login type authentication must be provided.

Default value is true.

headers string

A set of key-value pairs sent as headers with the request URLs for the create case, update case, get case, and create comment methods.

updateIncidentJson string Required

The JSON payload sent to the update case URL to update the case. You can use variables to add Kibana Cases data to the payload. Required variables are case.title and case.description. Due to Mustache template variables (which is the text enclosed in triple braces, for example, {{{case.title}}}), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when REST method runs. Manually ensure that the JSON is valid to avoid future validation errors; disregard Mustache variables during your review.

updateIncidentMethod string

The REST API HTTP request method to update the case in the third-party system. Valid values are patch, post, and put.

Values are patch, post, or put. Default value is put.

updateIncidentUrl string Required

The REST API URL to update the case by ID in the third-party system. You can use a variable to add the external system ID to the URL. If you are using the xpack.actions.allowedHosts setting, add the hostname to the allowed hosts.

verificationMode string

Controls the verification of certificates. Use full to validate that the certificate has an issue date within the not_before and not_after dates, chains to a trusted certificate authority (CA), and has a hostname or IP address that matches the names within the certificate. Use certificate to validate the certificate and verify that it is signed by a trusted authority; this option does not check the certificate hostname. Use none to skip certificate validation.

Values are certificate, full, or none. Default value is full.

viewIncidentUrl string Required

The URL to view the case in the external system. You can use variables to add the external system ID or external system title to the URL.
Defines properties for connectors when type is .xmatters.
Hide attributes Show attributes

configUrl string | null

The request URL for the Elastic Alerts trigger in xMatters. It is applicable only when usesBasic is true.

usesBasic boolean

Specifies whether the connector uses HTTP basic authentication (true) or URL authentication (false).

Default value is true.
secrets object
One of:
bedrock_secrets object crowdstrike_secrets object d3security_secrets object email_secrets object gemini_secrets object resilient_secrets object jira_secrets object defender_secrets object teams_secrets object genai_secrets object opsgenie_secrets object pagerduty_secrets object sentinelone_secrets object servicenow_secrets object slack_api_secrets object swimlane_secrets object thehive_secrets object tines_secrets object torq_secrets object webhook_secrets object cases_webhook_secrets object xmatters_secrets object
Defines secrets for connectors when type is .bedrock.
Hide attributes Show attributes

accessKey string Required

The AWS access key for authentication.

secret string Required

The AWS secret for authentication.
Defines secrets for connectors when type is .crowdstrike.
Hide attributes Show attributes

clientId string Required

The CrowdStrike API client identifier.

clientSecret string Required

The CrowdStrike API client secret to authenticate the clientId.
Defines secrets for connectors when type is .d3security.
Hide attribute Show attribute

token string Required

The D3 Security token.
Defines secrets for connectors when type is .email.
Hide attributes Show attributes

clientSecret string

The Microsoft Exchange Client secret for OAuth 2.0 client credentials authentication. It must be URL-encoded. If service is exchange_server, this property is required.

password string

The password for HTTP basic authentication. If hasAuth is set to true, this property is required.

user string

The username for HTTP basic authentication. If hasAuth is set to true, this property is required.
Defines secrets for connectors when type is .gemini.
Hide attribute Show attribute

credentialsJson string Required

The service account credentials JSON file. The service account should have Vertex AI user IAM role assigned to it.
Defines secrets for connectors when type is .resilient.
Hide attributes Show attributes

apiKeyId string Required

The authentication key ID for HTTP Basic authentication.

apiKeySecret string Required

The authentication key secret for HTTP Basic authentication.
Defines secrets for connectors when type is .jira.
Hide attributes Show attributes

apiToken string Required

The Jira API authentication token for HTTP basic authentication.

email string Required

The account email for HTTP Basic authentication.
Defines secrets for connectors when type is ..microsoft_defender_endpoint.
Hide attribute Show attribute

clientSecret string Required

The client secret for your app in the Azure portal.
Defines secrets for connectors when type is .teams.
Hide attribute Show attribute

webhookUrl string Required

The URL of the incoming webhook. If you are using the xpack.actions.allowedHosts setting, add the hostname to the allowed hosts.
Defines secrets for connectors when type is .gen-ai.
Hide attribute Show attribute

apiKey string

The OpenAI API key.
Defines secrets for connectors when type is .opsgenie.
Hide attribute Show attribute

apiKey string Required

The Opsgenie API authentication key for HTTP Basic authentication.
Defines secrets for connectors when type is .pagerduty.
Hide attribute Show attribute

routingKey string Required

A 32 character PagerDuty Integration Key for an integration on a service.
Defines secrets for connectors when type is .sentinelone.
Hide attribute Show attribute

token string Required

The A SentinelOne API token.
Defines secrets for connectors when type is .servicenow, .servicenow-sir, or .servicenow-itom.
Hide attributes Show attributes

clientSecret string

The client secret assigned to your OAuth application. This property is required when isOAuth is true.

password string

The password for HTTP basic authentication. This property is required when isOAuth is false.

privateKey string

The RSA private key that you created for use in ServiceNow. This property is required when isOAuth is true.

privateKeyPassword string

The password for the RSA private key. This property is required when isOAuth is true and you set a password on your private key.

username string

The username for HTTP basic authentication. This property is required when isOAuth is false.
Defines secrets for connectors when type is .slack.
Hide attribute Show attribute

token string Required

Slack bot user OAuth token.
Defines secrets for connectors when type is .swimlane.
Hide attribute Show attribute

apiToken string

Swimlane API authentication token.
Defines secrets for connectors when type is .thehive.
Hide attribute Show attribute

apiKey string Required

The API key for authentication in TheHive.
Defines secrets for connectors when type is .tines.
Hide attributes Show attributes

email string Required

The email used to sign in to Tines.

token string Required

The Tines API token.
Defines secrets for connectors when type is .torq.
Hide attribute Show attribute

token string Required

The secret of the webhook authentication header.
Defines secrets for connectors when type is .webhook.
Hide attributes Show attributes

crt string

If authType is webhook-authentication-ssl and certType is ssl-crt-key, it is a base64 encoded version of the CRT or CERT file.

key string

If authType is webhook-authentication-ssl and certType is ssl-crt-key, it is a base64 encoded version of the KEY file.

pfx string

If authType is webhook-authentication-ssl and certType is ssl-pfx, it is a base64 encoded version of the PFX or P12 file.

password string

The password for HTTP basic authentication or the passphrase for the SSL certificate files. If hasAuth is set to true and authType is webhook-authentication-basic, this property is required.

user string

The username for HTTP basic authentication. If hasAuth is set to true and authType is webhook-authentication-basic, this property is required.
Hide attributes Show attributes

crt string

If authType is webhook-authentication-ssl and certType is ssl-crt-key, it is a base64 encoded version of the CRT or CERT file.

key string

If authType is webhook-authentication-ssl and certType is ssl-crt-key, it is a base64 encoded version of the KEY file.

pfx string

If authType is webhook-authentication-ssl and certType is ssl-pfx, it is a base64 encoded version of the PFX or P12 file.

password string

The password for HTTP basic authentication. If hasAuth is set to true and and authType is webhook-authentication-basic, this property is required.

user string

The username for HTTP basic authentication. If hasAuth is set to true and authType is webhook-authentication-basic, this property is required.
Defines secrets for connectors when type is .xmatters.
Hide attributes Show attributes

password string

A user name for HTTP basic authentication. It is applicable only when usesBasic is true.

secretsUrl string

The request URL for the Elastic Alerts trigger in xMatters with the API key included in the URL. It is applicable only when usesBasic is false.

user string

A password for HTTP basic authentication. It is applicable only when usesBasic is true.

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- config object
  
  Additional properties are allowed.
- connector_type_id string Required
  
  The connector type identifier.
- id string Required
  
  The identifier for the connector.
- is_deprecated boolean Required
  
  Indicates whether the connector is deprecated.
- is_missing_secrets boolean
  
  Indicates whether the connector is missing secrets.
- is_preconfigured boolean Required
  
  Indicates whether the connector is preconfigured. If true, the config and is_missing_secrets properties are omitted from the response.
- is_system_action boolean Required
  
  Indicates whether the connector is used for system actions.
- name string Required
  
  The name of the rule.

POST /api/actions/connector/{id}

curl \
 --request POST 'https://localhost:5601/api/actions/connector/{id}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"name":"email-connector-1","config":{"from":"tester@example.com","host":"https://example.com","port":1025,"secure":false,"hasAuth":true,"service":"other"},"secrets":{"user":"username","password":"password"},"connector_type_id":".email"}'

Request examples

{
  "name": "email-connector-1",
  "config": {
    "from": "tester@example.com",
    "host": "https://example.com",
    "port": 1025,
    "secure": false,
    "hasAuth": true,
    "service": "other"
  },
  "secrets": {
    "user": "username",
    "password": "password"
  },
  "connector_type_id": ".email"
}

{
  "name": "my-connector",
  "config": {
    "index": "test-index"
  },
  "connector_type_id": ".index"
}

{
  "name": "my-webhook-connector",
  "config": {
    "url": "https://example.com",
    "method": "post",
    "authType": "webhook-authentication-ssl",
    "certType": "ssl-crt-key"
  },
  "secrets": {
    "crt": "QmFnIEF0dH...",
    "key": "LS0tLS1CRUdJ...",
    "password": "my-passphrase"
  },
  "connector_type_id": ".webhook"
}

{
  "name": "my-xmatters-connector",
  "config": {
    "usesBasic": false
  },
  "secrets": {
    "secretsUrl": "https://example.com?apiKey=xxxxx"
  },
  "connector_type_id": ".xmatters"
}

Response examples (200)

{
  "id": "90a82c60-478f-11ee-a343-f98a117c727f",
  "name": "email-connector-1",
  "config": {
    "from": "tester@example.com",
    "host": "https://example.com",
    "port": 1025,
    "secure": false,
    "hasAuth": true,
    "service": "other",
    "clientId": null,
    "tenantId": null,
    "oauthTokenUrl": null
  },
  "is_deprecated": false,
  "is_preconfigured": false,
  "is_system_action": false,
  "connector_type_id": ".email",
  "is_missing_secrets": false
}

{
  "id": "c55b6eb0-6bad-11eb-9f3b-611eebc6c3ad",
  "name": "my-connector",
  "config": {
    "index": "test-index",
    "refresh": false,
    "executionTimeField": null
  },
  "is_deprecated": false,
  "is_preconfigured": false,
  "is_system_action": false,
  "connector_type_id": ".index",
  "is_missing_secrets": false
}

{
  "id": "900eb010-3b9d-11ee-a642-8ffbb94e38bd",
  "name": "my-webhook-connector",
  "config": {
    "url": "https://example.com",
    "method": "post",
    "hasAuth": true,
    "headers": null,
    "authType": "webhook-authentication-ssl",
    "certType": "ssl-crt-key",
    "verificationMode": "full"
  },
  "is_deprecated": false,
  "is_preconfigured": false,
  "is_system_action": false,
  "connector_type_id": ".webhook",
  "is_missing_secrets": false
}

{
  "id": "df770e30-8b8b-11ed-a780-3b746c987a81",
  "name": "my_server_log_connector",
  "config": {},
  "is_deprecated": false,
  "is_preconfigured": false,
  "is_system_action": false,
  "connector_type_id": ".server-log",
  "is_missing_secrets": false
}

Delete a connector

DELETE /api/actions/connector/{id}

Api key auth Basic auth

WARNING: When you delete a connector, it cannot be recovered.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

id string Required

An identifier for the connector.

Responses

204

Indicates a successful call.

DELETE /api/actions/connector/{id}

curl \
 --request DELETE 'https://localhost:5601/api/actions/connector/{id}' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Get all connectors

GET /api/actions/connectors

Api key auth Basic auth

Responses

200 application/json

Indicates a successful call.

GET /api/actions/connectors

curl \
 --request GET 'https://localhost:5601/api/actions/connectors' \
 --header "Authorization: $API_KEY"

Response examples (200)

[
  {
    "id": "preconfigured-email-connector",
    "name": "my-preconfigured-email-notification",
    "is_deprecated": false,
    "is_preconfigured": true,
    "is_system_action": false,
    "connector_type_id": ".email",
    "referenced_by_count": 0
  },
  {
    "id": "e07d0c80-8b8b-11ed-a780-3b746c987a81",
    "name": "my-index-connector",
    "config": {
      "index": "test-index",
      "refresh": false,
      "executionTimeField": null
    },
    "is_deprecated": false,
    "is_preconfigured": false,
    "is_system_action": false,
    "connector_type_id": ".index",
    "is_missing_secrets": false,
    "referenced_by_count": 2
  }
]

Get connector types Deprecated

GET /api/actions/list_action_types

Api key auth Basic auth

GET /api/actions/list_action_types

curl \
 --request GET 'https://localhost:5601/api/actions/list_action_types' \
 --header "Authorization: $API_KEY"

Update an existing dashboard Technical Preview

PUT /api/dashboards/dashboard/{id}

Api key auth Basic auth

This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

id string Required

A unique identifier for the dashboard.

application/json

Body

attributes object Required

Additional properties are NOT allowed.
Hide attributes attributes Show attributes attributes object
- controlGroupInput object
  
  Additional properties are NOT allowed.
  Hide controlGroupInput attributes Show controlGroupInput attributes object
  
  autoApplySelections boolean
  
  Show apply selections button in controls.
  
  Default value is true.
  
  chainingSystem string
  
  The chaining strategy for multiple controls. For example, "HIERARCHICAL" or "NONE".
  
  Values are NONE or HIERARCHICAL. Default value is HIERARCHICAL.
  
  controls array[object]
  
  An array of control panels and their state in the control group.
  
  Default value is [] (empty).
  
  Hide controls attributes Show controls attributes object
  
  controlConfig object
  
  Additional properties are allowed.
  
  grow boolean
  
  Expand width of the control panel to fit available space.
  
  Default value is false.
  
  id string
  
  The unique ID of the control.
  
  order number Required
  
  The order of the control panel in the control group.
  
  type string Required
  
  The type of the control panel.
  
  width string
  
  Minimum width of the control panel in the control group.
  
  Values are small, medium, or large. Default value is medium.
  
  enhancements object
  
  Additional properties are allowed.
  
  ignoreParentSettings object Required
  
  Additional properties are NOT allowed.
  
  Hide ignoreParentSettings attributes Show ignoreParentSettings attributes object
  
  ignoreFilters boolean
  
  Ignore global filters in controls.
  
  Default value is false.
  
  ignoreQuery boolean
  
  Ignore the global query bar in controls.
  
  Default value is false.
  
  ignoreTimerange boolean
  
  Ignore the global time range in controls.
  
  Default value is false.
  
  ignoreValidations boolean
  
  Ignore validations in controls.
  
  Default value is false.
  
  labelPosition string
  
  Position of the labels for controls. For example, "oneLine", "twoLine".
  
  Values are oneLine or twoLine. Default value is oneLine.
- description string
  
  A short description.
  
  Default value is empty.
- kibanaSavedObjectMeta object
  
  A container for various metadata
  
  Default value is {} (empty). Additional properties are NOT allowed.
  Hide kibanaSavedObjectMeta attribute Show kibanaSavedObjectMeta attribute object
  
  searchSource object
  
  Additional properties are allowed.
  
  Hide searchSource attributes Show searchSource attributes object
  
  filter array[object]
  
  A filter for the search source.
  
  Hide filter attributes Show filter attributes object
  
  $state object
  
  Additional properties are NOT allowed.
  
  Hide $state attribute Show $state attribute object
  
  store string Required
  
  Denote whether a filter is specific to an application's context (e.g. 'appState') or whether it should be applied globally (e.g. 'globalState').
  
  Values are appState or globalState.
  
  meta object Required
  
  Additional properties are allowed.
  
  Hide meta attributes Show meta attributes object
  
  alias string | null
  
  controlledBy string
  
  disabled boolean
  
  field string
  
  group string
  
  index string
  
  isMultiIndex boolean
  
  key string
  
  negate boolean
  
  type string
  
  value string
  
  query object
  
  Additional properties are allowed.
  
  query object
  
  Additional properties are NOT allowed.
  
  Hide query attributes Show query attributes object
  
  language string Required
  
  The query language such as KQL or Lucene.
  
  query string | object Required
  
  Any of:
  string-1 string object-2 object
  
  A text-based query such as Kibana Query Language (KQL) or Lucene query language.
  
  sort array[object]
  
  type string
- options object Required
  
  Additional properties are NOT allowed.
  Hide options attributes Show options attributes object
  
  hidePanelTitles boolean
  
  Hide the panel titles in the dashboard.
  
  Default value is false.
  
  syncColors boolean
  
  Synchronize colors between related panels in the dashboard.
  
  Default value is true.
  
  syncCursor boolean
  
  Synchronize cursor position between related panels in the dashboard.
  
  Default value is true.
  
  syncTooltips boolean
  
  Synchronize tooltips between related panels in the dashboard.
  
  Default value is true.
  
  useMargins boolean
  
  Show margins between panels in the dashboard layout.
  
  Default value is true.
- panels array[object]
  
  Default value is [] (empty).
  Hide panels attributes Show panels attributes object
  
  gridData object Required
  
  Additional properties are NOT allowed.
  
  Hide gridData attributes Show gridData attributes object
  
  h number
  
  The height of the panel in grid units
  
  Minimum value is 1. Default value is 15.
  
  i string
  
  The unique identifier of the panel
  
  w number
  
  The width of the panel in grid units
  
  Minimum value is 1, maximum value is 48. Default value is 24.
  
  x number Required
  
  The x coordinate of the panel in grid units
  
  y number Required
  
  The y coordinate of the panel in grid units
  
  id string
  
  The saved object id for by reference panels
  
  panelConfig object Required
  
  Additional properties are allowed.
  
  Hide panelConfig attributes Show panelConfig attributes object
  
  description string
  
  The description of the panel
  
  enhancements object
  
  Additional properties are allowed.
  
  hidePanelTitles boolean
  
  Set to true to hide the panel title in its container.
  
  savedObjectId string
  
  The unique id of the library item to construct the embeddable.
  
  title string
  
  The title of the panel
  
  version string
  
  The version of the embeddable in the panel.
  
  panelIndex string
  
  The unique ID of the panel.
  
  panelRefName string
  
  title string
  
  The title of the panel
  
  type string Required
  
  The embeddable type
  
  version string Deprecated
  
  The version was used to store Kibana version information from versions 7.3.0 -> 8.11.0. As of version 8.11.0, the versioning information is now per-embeddable-type and is stored on the embeddable's input. (panelConfig in this type).
- refreshInterval object
  
  A container for various refresh interval settings
  
  Additional properties are NOT allowed.
  Hide refreshInterval attributes Show refreshInterval attributes object
  
  display string Deprecated
  
  A human-readable string indicating the refresh frequency. No longer used.
  
  pause boolean Required
  
  Whether the refresh interval is set to be paused while viewing the dashboard.
  
  section number Deprecated
  
  No longer used.
  
  value number Required
  
  A numeric value indicating refresh frequency in milliseconds.
- timeFrom string
  
  An ISO string indicating when to restore time from
- timeRestore boolean
  
  Whether to restore time upon viewing this dashboard
  
  Default value is false.
- timeTo string
  
  An ISO string indicating when to restore time from
- title string Required
  
  A human-readable title for the dashboard
- version number Deprecated
references array[object]
Hide references attributes Show references attributes object
- id string Required
- name string Required
- type string Required

Responses

200 application/json
Hide response attribute Show response attribute object
- item object Required
  
  Additional properties are allowed.
  
  Hide item attributes Show item attributes object
  
  attributes object Required
  
  Additional properties are NOT allowed.
  
  Hide attributes attributes Show attributes attributes object
  
  controlGroupInput object
  
  Additional properties are NOT allowed.
  
  Hide controlGroupInput attributes Show controlGroupInput attributes object
  
  autoApplySelections boolean
  
  Show apply selections button in controls.
  
  Default value is true.
  
  chainingSystem string
  
  The chaining strategy for multiple controls. For example, "HIERARCHICAL" or "NONE".
  
  Values are NONE or HIERARCHICAL. Default value is HIERARCHICAL.
  
  controls array[object]
  
  An array of control panels and their state in the control group.
  
  Default value is [] (empty).
  
  Hide controls attributes Show controls attributes object
  
  controlConfig object
  
  Additional properties are allowed.
  
  grow boolean
  
  Expand width of the control panel to fit available space.
  
  Default value is false.
  
  id string
  
  The unique ID of the control.
  
  order number Required
  
  The order of the control panel in the control group.
  
  type string Required
  
  The type of the control panel.
  
  width string
  
  Minimum width of the control panel in the control group.
  
  Values are small, medium, or large. Default value is medium.
  
  enhancements object
  
  Additional properties are allowed.
  
  ignoreParentSettings object Required
  
  Additional properties are NOT allowed.
  
  Hide ignoreParentSettings attributes Show ignoreParentSettings attributes object
  
  ignoreFilters boolean
  
  Ignore global filters in controls.
  
  Default value is false.
  
  ignoreQuery boolean
  
  Ignore the global query bar in controls.
  
  Default value is false.
  
  ignoreTimerange boolean
  
  Ignore the global time range in controls.
  
  Default value is false.
  
  ignoreValidations boolean
  
  Ignore validations in controls.
  
  Default value is false.
  
  labelPosition string
  
  Position of the labels for controls. For example, "oneLine", "twoLine".
  
  Values are oneLine or twoLine. Default value is oneLine.
  
  description string
  
  A short description.
  
  Default value is empty.
  
  kibanaSavedObjectMeta object
  
  A container for various metadata
  
  Default value is {} (empty). Additional properties are NOT allowed.
  
  Hide kibanaSavedObjectMeta attribute Show kibanaSavedObjectMeta attribute object
  
  searchSource object
  
  Additional properties are allowed.
  
  Hide searchSource attributes Show searchSource attributes object
  
  filter array[object]
  
  A filter for the search source.
  
  Hide filter attributes Show filter attributes object
  
  $state object
  
  Additional properties are NOT allowed.
  
  Hide $state attribute Show $state attribute object
  
  store string Required
  
  Denote whether a filter is specific to an application's context (e.g. 'appState') or whether it should be applied globally (e.g. 'globalState').
  
  Values are appState or globalState.
  
  meta object Required
  
  Additional properties are allowed.
  
  Hide meta attributes Show meta attributes object
  
  alias string | null
  
  controlledBy string
  
  disabled boolean
  
  field string
  
  group string
  
  index string
  
  isMultiIndex boolean
  
  key string
  
  negate boolean
  
  type string
  
  value string
  
  query object
  
  Additional properties are allowed.
  
  query object
  
  Additional properties are NOT allowed.
  
  Hide query attributes Show query attributes object
  
  language string Required
  
  The query language such as KQL or Lucene.
  
  query string | object Required
  
  Any of:
  string-1 string object-2 object
  
  A text-based query such as Kibana Query Language (KQL) or Lucene query language.
  
  sort array[object]
  
  type string
  
  options object Required
  
  Additional properties are NOT allowed.
  
  Hide options attributes Show options attributes object
  
  hidePanelTitles boolean
  
  Hide the panel titles in the dashboard.
  
  Default value is false.
  
  syncColors boolean
  
  Synchronize colors between related panels in the dashboard.
  
  Default value is true.
  
  syncCursor boolean
  
  Synchronize cursor position between related panels in the dashboard.
  
  Default value is true.
  
  syncTooltips boolean
  
  Synchronize tooltips between related panels in the dashboard.
  
  Default value is true.
  
  useMargins boolean
  
  Show margins between panels in the dashboard layout.
  
  Default value is true.
  
  panels array[object]
  
  Default value is [] (empty).
  
  Hide panels attributes Show panels attributes object
  
  gridData object Required
  
  Additional properties are NOT allowed.
  
  Hide gridData attributes Show gridData attributes object
  
  h number
  
  The height of the panel in grid units
  
  Minimum value is 1. Default value is 15.
  
  i string Required
  
  w number
  
  The width of the panel in grid units
  
  Minimum value is 1, maximum value is 48. Default value is 24.
  
  x number Required
  
  The x coordinate of the panel in grid units
  
  y number Required
  
  The y coordinate of the panel in grid units
  
  id string
  
  The saved object id for by reference panels
  
  panelConfig object Required
  
  Additional properties are allowed.
  
  Hide panelConfig attributes Show panelConfig attributes object
  
  description string
  
  The description of the panel
  
  enhancements object
  
  Additional properties are allowed.
  
  hidePanelTitles boolean
  
  Set to true to hide the panel title in its container.
  
  savedObjectId string
  
  The unique id of the library item to construct the embeddable.
  
  title string
  
  The title of the panel
  
  version string
  
  The version of the embeddable in the panel.
  
  panelIndex string Required
  
  panelRefName string
  
  title string
  
  The title of the panel
  
  type string Required
  
  The embeddable type
  
  version string Deprecated
  
  The version was used to store Kibana version information from versions 7.3.0 -> 8.11.0. As of version 8.11.0, the versioning information is now per-embeddable-type and is stored on the embeddable's input. (panelConfig in this type).
  
  refreshInterval object
  
  A container for various refresh interval settings
  
  Additional properties are NOT allowed.
  
  Hide refreshInterval attributes Show refreshInterval attributes object
  
  display string Deprecated
  
  A human-readable string indicating the refresh frequency. No longer used.
  
  pause boolean Required
  
  Whether the refresh interval is set to be paused while viewing the dashboard.
  
  section number Deprecated
  
  No longer used.
  
  value number Required
  
  A numeric value indicating refresh frequency in milliseconds.
  
  timeFrom string
  
  An ISO string indicating when to restore time from
  
  timeRestore boolean
  
  Whether to restore time upon viewing this dashboard
  
  Default value is false.
  
  timeTo string
  
  An ISO string indicating when to restore time from
  
  title string Required
  
  A human-readable title for the dashboard
  
  version number Deprecated
  
  createdAt string
  
  createdBy string
  
  error object
  
  Additional properties are NOT allowed.
  
  Hide error attributes Show error attributes object
  
  error string Required
  
  message string Required
  
  metadata object
  
  Additional properties are allowed.
  
  statusCode number Required
  
  id string Required
  
  managed boolean
  
  namespaces array[string]
  
  originId string
  
  references array[object] Required
  
  Hide references attributes Show references attributes object
  
  id string Required
  
  name string Required
  
  type string Required
  
  type string Required
  
  updatedAt string
  
  updatedBy string
  
  version string

PUT /api/dashboards/dashboard/{id}

curl \
 --request PUT 'https://localhost:5601/api/dashboards/dashboard/{id}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"attributes":{"controlGroupInput":{"autoApplySelections":true,"chainingSystem":"HIERARCHICAL","controls":[{"controlConfig":{},"grow":false,"id":"string","order":42.0,"type":"string","width":"medium"}],"enhancements":{},"ignoreParentSettings":{"ignoreFilters":false,"ignoreQuery":false,"ignoreTimerange":false,"ignoreValidations":false},"labelPosition":"oneLine"},"description":"","kibanaSavedObjectMeta":{"searchSource":{"filter":[{"$state":{"store":"appState"},"meta":{"alias":"string","controlledBy":"string","disabled":true,"field":"string","group":"string","index":"string","isMultiIndex":true,"key":"string","negate":true,"type":"string","value":"string"},"query":{}}],"query":{"language":"string","query":"string"},"sort":[{}],"type":"string"}},"options":{"hidePanelTitles":false,"syncColors":true,"syncCursor":true,"syncTooltips":true,"useMargins":true},"panels":[{"gridData":{"h":15,"i":"string","w":24,"x":42.0,"y":42.0},"id":"string","panelConfig":{"description":"string","enhancements":{},"hidePanelTitles":true,"savedObjectId":"string","title":"string","version":"string"},"panelIndex":"string","panelRefName":"string","title":"string","type":"string","version":"string"}],"refreshInterval":{"display":"string","pause":true,"section":42.0,"value":42.0},"timeFrom":"string","timeRestore":false,"timeTo":"string","title":"string","version":42.0},"references":[{"id":"string","name":"string","type":"string"}]}'

Delete a dashboard Technical Preview

DELETE /api/dashboards/dashboard/{id}

Api key auth Basic auth

This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

id string Required

A unique identifier for the dashboard.

DELETE /api/dashboards/dashboard/{id}

curl \
 --request DELETE 'https://localhost:5601/api/dashboards/dashboard/{id}' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Kibana APIs 1.0.2

params object

Update an alert Deprecated

Body Required

Create an alert Deprecated

Body Required

Delete an alert Deprecated

Enable an alert Deprecated

Mute all alert instances Deprecated

Unmute all alert instances Deprecated

Mute an alert instance Deprecated

Unmute an alert instance Deprecated

Get a paginated set of alerts Deprecated

Get the alert types Deprecated

Body Required

Body Required

Body Required

Body Required

Body Required

Body Required

Kibana APIs
1.0.2