Get rule types API

Retrieve a list of rule types that the user is authorized to access.

For the most up-to-date API details, refer to the open API specification.


GET <kibana host>:<port>/api/alerting/rule_types

GET <kibana host>:<port>/s/<space_id>/api/alerting/rule_types


If you have read privileges for one or more Kibana features, the API response contains information about the appropriate rule types. For example, there are rule types associated with the Management > Stack Rules feature, Analytics > Discover and Machine Learning features, Observability, and Security features. To get rule types associated with the Stack Monitoring feature, use the monitoring_user built-in role.

For more details, refer to Feature privileges.


Each rule type includes a list of authorized consumer features. For each feature, users are authorized to perform either read or all operations on rules of that type. This enables you to determine which rule types you can read, create, or modify. If you want to create or edit a rule in Kibana, some rule types are limited to specific features and apps.

Path parameters

(Optional, string) An identifier for the space. If space_id is not provided in the URL, the default space is used.

Response body

Each rule type has the following properties in the API response:

(array of objects) An explicit list of groups for which the rule type can schedule actions, each with the action group’s unique ID and human-readable name. Rule actions validation uses this configuration to ensure that groups are valid.
(object) A list of action variables that the rule type makes available via context and state in action parameter templates, and a short human-readable description. When you create a rule in Kibana, it uses this information to prompt you for these variables in action parameter editors.
(object) Details about alerts as data documents for this rule type, including any custom mappings.
(object) The list of the plugin IDs that have access to the rule type.
(string) The rule category, which is used by features such as category-specific maintenance windows.
(string) The default ID for the rule type group.
(boolean) Indicates whether the rule passes context variables to its recovery action.
(boolean) Indicates whether the rule type is enabled or disabled based on the subscription.
(boolean) Indicates whether the rule type has custom mappings for the alert data.
(string) The unique identifier for the rule type.
(boolean) Indicates whether the rule type is exportable in Stack Management > Saved Objects.
(string) The subscriptions required to use the rule type.
(string) The descriptive name of the rule type.
(string) An identifier for the application that produces this rule type.
(object) An action group to use when an alert goes from an active state to an inactive one.
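
The per-feature authorization data in this response can drive a least-privilege review of who may create or modify rules. The following is an added example, not part of the Kibana documentation or code base. It assumes the consumer list is returned as `authorized_consumers` with per-feature `read`/`all` booleans, that `id` is the rule type identifier, and that the request is authenticated with an `Authorization: ApiKey` header; the base URL, API key, rule type IDs and consumer names are placeholders or constructed sample values.

```python
import json
import urllib.request


def fetch_rule_types(base_url, api_key, space_id=None):
    """GET rule_types for the caller; base_url and api_key are placeholders."""
    prefix = f"/s/{space_id}" if space_id else ""  # default space when omitted
    req = urllib.request.Request(
        f"{base_url}{prefix}/api/alerting/rule_types",
        headers={"Authorization": f"ApiKey {api_key}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def access_by_rule_type(rule_types):
    """Map rule type id -> consumers with 'all' access and with read-only access."""
    report = {}
    for rt in rule_types:
        # Assumed shape: {"<feature>": {"read": bool, "all": bool}, ...}
        consumers = rt.get("authorized_consumers") or {}
        full = sorted(f for f, ops in consumers.items() if ops.get("all"))
        read_only = sorted(
            f for f, ops in consumers.items() if ops.get("read") and not ops.get("all")
        )
        report[rt["id"]] = {"all": full, "read_only": read_only}
    return report


def unexpected_write_access(report, allowed):
    """Return (rule_type_id, consumer) pairs with 'all' access outside the allow-list."""
    return sorted(
        (rt_id, c) for rt_id, acc in report.items() for c in acc["all"]
        if (rt_id, c) not in allowed
    )


# Constructed sample response (ids and consumer names are made up for illustration).
SAMPLE = [
    {"id": "example.log-threshold", "name": "Log threshold",
     "authorized_consumers": {"logs": {"read": True, "all": True},
                              "alerts": {"read": True, "all": False}}},
    {"id": "example.read-only", "name": "Example read-only type",
     "authorized_consumers": {"logs": {"read": True, "all": False}}},
]

if __name__ == "__main__":
    report = access_by_rule_type(SAMPLE)
    print(json.dumps(report, indent=2))
    print(unexpected_write_access(report, allowed=set()))
```

Run it with the credentials of the role under review and pass the pairs that role is expected to manage as `allowed`; anything returned is write access the role holds beyond that expectation.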

Response codes

Indicates a successful call.


GET api/alerting/rule_types

For example, if you have read privileges for the Observability Logs app, the API returns the following:

      ...
      "name":"Log threshold",
      "category": "observability",
      "alerts": {
        "context": "observability.logs",
        "mappings": {
          "fieldMap": {
            "kibana.alert.evaluation.threshold": {
              "type": "scaled_float",
              "scaling_factor": 100,
              "required": false
            },
            "kibana.alert.evaluation.value": {
              "type": "scaled_float",
              "scaling_factor": 100,
              "required": false
            }
          }
        },
        "useEcs": true,
        "useLegacyAlerts": true
      },
      ...
               "description":"UTC timestamp of when the alert was triggered"
      ...
               "description":"The number of log entries that matched the conditions provided"
      ...
               "description":"The conditions that log entries needed to fulfill"
      ...
      "has_alerts_mappings": true,
      "has_fields_for_a_a_d": true
      ...