Authentication

The API accepts 2 different authentication methods:

Api key auth (http_api_key)

These APIs use key-based authentication. You must create an API key and use the encoded value in the request header. For example: Authorization: ApiKey base64AccessApiKey

Basic auth (http)

Basic auth tokens are constructed with the Basic keyword, followed by a space, followed by a base64-encoded string of your username:password (separated by a : colon).

Example: send a Authorization: Basic aGVsbG86aGVsbG8= HTTP header with your requests to authenticate with the API.

Enable a rule

POST /api/alerting/rule/{id}/_enable
Api key auth Basic auth

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    The identifier for the rule.

Responses

  • 204

    Indicates a successful call.

  • 400

    Indicates an invalid schema or parameters.

  • 403

    Indicates that this call is forbidden.

  • 404

    Indicates a rule with the given ID does not exist.

POST /api/alerting/rule/{id}/_enable 
curl \
 --request POST 'https://localhost:5601/api/alerting/rule/{id}/_enable' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Update the API key for a rule

POST /api/alerting/rule/{id}/_update_api_key
Api key auth Basic auth

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    The identifier for the rule.

Responses

  • 204

    Indicates a successful call.

  • 400

    Indicates an invalid schema or parameters.

  • 403

    Indicates that this call is forbidden.

  • 404

    Indicates a rule with the given ID does not exist.

  • 409

    Indicates that the rule has already been updated by another user.

POST /api/alerting/rule/{id}/_update_api_key 
curl \
 --request POST 'https://localhost:5601/api/alerting/rule/{id}/_update_api_key' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Get a list of agent configurations

GET /api/apm/settings/agent-configuration
Api key auth Basic auth

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

Responses

  • 200 application/json

    Successful response

    Hide response attribute Show response attribute object
    • configurations array[object]

      Agent configuration

      Agent configuration

      Hide configurations attributes Show configurations attributes object
  • 400 application/json

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 404 application/json

    Not found response

    Hide response attributes Show response attributes object
GET /api/apm/settings/agent-configuration 
curl \
 --request GET 'https://localhost:5601/api/apm/settings/agent-configuration' \
 --header "Authorization: $API_KEY" \
 --header "elastic-api-version: 2023-10-31"

APM agent keys

Configure APM agent keys to authorize requests from APM agents to the APM Server.

APM sourcemaps

Configure APM source maps.

Get all alerts for a case Technical preview

GET /api/cases/{caseId}/alerts
Api key auth Basic auth

You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.

Path parameters

  • caseId string Required

    The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
GET /api/cases/{caseId}/alerts 
curl \
 --request GET 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/alerts' \
 --header "Authorization: $API_KEY"
Response examples (200) 
[
  {
    "id": "f6a7d0c3-d52d-432c-b2e6-447cd7fce04d",
    "index": ".alerts-observability.logs.alerts-default",
    "attached_at": "2022-07-25T20:09:40.963Z"
  }
]

Add case settings

POST /api/cases/configure
Api key auth Basic auth

Case settings include external connection details, custom fields, and templates. Connectors are used to interface with external systems. You must create a connector before you can use it in your cases. If you set a default connector, it is automatically selected when you create cases in Kibana. If you use the create case API, however, you must still specify all of the connector details. You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on where you are creating cases.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

application/json

Body

  • closure_type string Required

    Indicates whether a case is automatically closed when it is pushed to external systems (close-by-pushing) or not automatically closed (close-by-user).

    Values are close-by-pushing or close-by-user.

  • connector object Required

    An object that contains the connector configuration.

    Hide connector attributes Show connector attributes object
    • fields object | null Required

      The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to null.

    • id string Required

      The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.

    • name string Required

      The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.

    • type string Required

      The type of connector.

      Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.

  • customFields array[object]

    Custom fields case configuration.

    At least 0 but not more than 10 elements.

    Hide customFields attributes Show customFields attributes object

    • defaultValue string | boolean

      A default value for the custom field. If the type is text, the default value must be a string. If the type is toggle, the default value must be boolean.

      One of:
      string-1 string boolean-2 boolean
    • key string Required

      A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field.

      Minimum length is 1, maximum length is 36.

    • label string Required

      The custom field label that is displayed in the case.

      Minimum length is 1, maximum length is 50.

    • type string Required

      The type of the custom field.

      Values are text or toggle.

    • required boolean Required

      Indicates whether the field is required. If false, the custom field can be set to null or omitted when a case is created or updated.

  • owner string Required

    The application that owns the cases: Stack Management, Observability, or Elastic Security.

    Values are cases, observability, or securitySolution.

  • templates array[object] Technical preview
    Hide templates attributes Show templates attributes object
    • caseFields object
      Hide caseFields attributes Show caseFields attributes object
      • assignees array[object] | null

        An array containing users that are assigned to the case.

        Not more than 10 elements.

        Hide assignees attribute Show assignees attribute object
        • uid string Required

          A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

      • category string

        A word or phrase that categorizes the case.

        Maximum length is 50.

      • connector object
        Hide connector attributes Show connector attributes object
        • fields object | null

          The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to null.

        • id string

          The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.

        • name string

          The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.

        • type string

          The type of connector.

          Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.

      • customFields array[object] Technical preview

        Custom field values in the template.

        Hide customFields attributes Show customFields attributes object
        • key string

          The unique key for the custom field.

        • type string

          The type of the custom field.

          Values are text or toggle.

        • value string | boolean

          The default value for the custom field when a case uses the template. If the type is text, the default value must be a string. If the type is toggle, the default value must be boolean.

          One of:
          string-1 string boolean-2 boolean
      • description string

        The description for the case.

        Maximum length is 30000.

      • settings object

        An object that contains the case settings.

        Hide settings attribute Show settings attribute object
        • syncAlerts boolean Required

          Turns alert syncing on or off.

      • severity string

        The severity of the case.

        Values are critical, high, low, or medium. Default value is low.

      • tags array[string]

        The words and phrases that help categorize cases. It can be an empty array.

        Not more than 200 elements. Maximum length of each is 256.

      • title string

        A title for the case.

        Maximum length is 160.

    • description string

      A description for the template.

    • key string

      A unique key for the template. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific template.

    • name string

      The name of the template.

    • tags array[string]

      The words and phrases that help categorize templates. It can be an empty array.

      Not more than 200 elements. Maximum length of each is 256.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • closure_type string

      Indicates whether a case is automatically closed when it is pushed to external systems (close-by-pushing) or not automatically closed (close-by-user).

      Values are close-by-pushing or close-by-user.

    • connector object
      Hide connector attributes Show connector attributes object
      • fields object | null

        The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to null.

      • id string

        The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.

      • name string

        The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.

      • type string

        The type of connector.

        Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.

    • created_at string(date-time)
    • created_by object
      Hide created_by attributes Show created_by attributes object
    • customFields array[object]

      Custom fields configuration details.

      Hide customFields attributes Show customFields attributes object

      • defaultValue string | boolean

        A default value for the custom field. If the type is text, the default value must be a string. If the type is toggle, the default value must be boolean.

        One of:
        string-1 string boolean-2 boolean
      • key string

        A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field.

        Minimum length is 1, maximum length is 36.

      • label string

        The custom field label that is displayed in the case.

        Minimum length is 1, maximum length is 50.

      • type string

        The type of the custom field.

        Values are text or toggle.

      • required boolean

        Indicates whether the field is required. If false, the custom field can be set to null or omitted when a case is created or updated.

    • error string | null
    • id string
    • mappings array[object]
      Hide mappings attributes Show mappings attributes object
    • owner string

      The application that owns the cases: Stack Management, Observability, or Elastic Security.

      Values are cases, observability, or securitySolution.

    • templates array[object] Technical preview
      Hide templates attributes Show templates attributes object
      • caseFields object
        Hide caseFields attributes Show caseFields attributes object
        • assignees array[object] | null

          An array containing users that are assigned to the case.

          Not more than 10 elements.

          Hide assignees attribute Show assignees attribute object
          • uid string Required

            A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

        • category string

          A word or phrase that categorizes the case.

          Maximum length is 50.

        • connector object
          Hide connector attributes Show connector attributes object
          • fields object | null

            The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to null.

          • id string

            The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.

          • name string

            The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.

          • type string

            The type of connector.

            Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.

        • customFields array[object] Technical preview

          Custom field values in the template.

          Hide customFields attributes Show customFields attributes object
          • key string

            The unique key for the custom field.

          • type string

            The type of the custom field.

            Values are text or toggle.

          • value string | boolean

            The default value for the custom field when a case uses the template. If the type is text, the default value must be a string. If the type is toggle, the default value must be boolean.

            One of:
            string-1 string boolean-2 boolean
        • description string

          The description for the case.

          Maximum length is 30000.

        • settings object

          An object that contains the case settings.

          Hide settings attribute Show settings attribute object
          • syncAlerts boolean Required

            Turns alert syncing on or off.

        • severity string

          The severity of the case.

          Values are critical, high, low, or medium. Default value is low.

        • tags array[string]

          The words and phrases that help categorize cases. It can be an empty array.

          Not more than 200 elements. Maximum length of each is 256.

        • title string

          A title for the case.

          Maximum length is 160.

      • description string

        A description for the template.

      • key string

        A unique key for the template. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific template.

      • name string

        The name of the template.

      • tags array[string]

        The words and phrases that help categorize templates. It can be an empty array.

        Not more than 200 elements. Maximum length of each is 256.

    • updated_at string(date-time) | null
    • updated_by object | null
      Hide updated_by attributes Show updated_by attributes object | null
    • version string
  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
POST /api/cases/configure 
curl \
 --request POST 'https://localhost:5601/api/cases/configure' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"owner":"cases","connector":{"id":"5e656730-e1ca-11ec-be9b-9b1838238ee6","name":"my-jira-connector","type":".jira","fields":null},"templates":[{"key":"505932fe-ee3a-4960-a661-c781b5acdb05","name":"template-1","tags":["Template tag 1"],"caseFields":{"tags":["Default case tag"],"title":"Default case title","category":"Default-category","assignees":[{"uid":"u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"}],"description":"A default description for cases.","customFields":[{"key":"d312efda-ec2b-42ec-9e2c-84981795c581","type":"text","value":"A text field value for the template."}]},"description":"A description of the template."}],"closure_type":"close-by-user","customFields":[{"key":"d312efda-ec2b-42ec-9e2c-84981795c581","type":"text","label":"my-text-field","required":false,"defaultValue":"My custom field default value."}]}'
Request example 
{
  "owner": "cases",
  "connector": {
    "id": "5e656730-e1ca-11ec-be9b-9b1838238ee6",
    "name": "my-jira-connector",
    "type": ".jira",
    "fields": null
  },
  "templates": [
    {
      "key": "505932fe-ee3a-4960-a661-c781b5acdb05",
      "name": "template-1",
      "tags": [
        "Template tag 1"
      ],
      "caseFields": {
        "tags": [
          "Default case tag"
        ],
        "title": "Default case title",
        "category": "Default-category",
        "assignees": [
          {
            "uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
          }
        ],
        "description": "A default description for cases.",
        "customFields": [
          {
            "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
            "type": "text",
            "value": "A text field value for the template."
          }
        ]
      },
      "description": "A description of the template."
    }
  ],
  "closure_type": "close-by-user",
  "customFields": [
    {
      "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
      "type": "text",
      "label": "my-text-field",
      "required": false,
      "defaultValue": "My custom field default value."
    }
  ]
}
Response examples (200) 
{
  "id": "4a97a440-e1cd-11ec-be9b-9b1838238ee6",
  "error": null,
  "owner": "cases",
  "version": "WzIwNzMsMV0=",
  "mappings": [
    {
      "source": "title",
      "target": "summary",
      "action_type": "overwrite"
    },
    {
      "source": "description",
      "target": "description",
      "action_type": "overwrite"
    },
    {
      "source": "comments",
      "target": "comments",
      "action_type": "append"
    },
    {
      "source": "tags",
      "target": "labels",
      "action_type": "overwrite"
    }
  ],
  "connector": {
    "id": "5e656730-e1ca-11ec-be9b-9b1838238ee6",
    "name": "my-jira-connector",
    "type": ".jira",
    "fields": null
  },
  "templates": [
    {
      "key": "505932fe-ee3a-4960-a661-c781b5acdb05",
      "name": "template-1",
      "tags": [
        "Template tag 1"
      ],
      "caseFields": {
        "tags": [
          "Default case tag"
        ],
        "title": "Default case title",
        "category": "Default-category",
        "assignees": [
          {
            "uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
          }
        ],
        "description": "A default description for cases.",
        "customFields": [
          {
            "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
            "type": "text",
            "value": "A text field value for the template."
          }
        ]
      },
      "description": "A description of the template."
    }
  ],
  "created_at": "2024-07-01T17:07:17.767Z",
  "created_by": {
    "email": "null,",
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "updated_at": null,
  "updated_by": null,
  "closure_type": "close-by-user",
  "customFields": [
    {
      "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
      "type": "text",
      "label": "my-text-field",
      "required": false,
      "defaultValue": "My custom field default value."
    }
  ]
}

Update case settings

PATCH /api/cases/configure/{configurationId}
Api key auth Basic auth

Updates setting details such as the closure type, custom fields, templates, and the default connector for cases. Connectors are used to interface with external systems. You must create a connector before you can use it in your cases. You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on where the case was created.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

application/json

Body

  • closure_type string

    Indicates whether a case is automatically closed when it is pushed to external systems (close-by-pushing) or not automatically closed (close-by-user).

    Values are close-by-pushing or close-by-user.

  • connector object

    An object that contains the connector configuration.

    Hide connector attributes Show connector attributes object
    • fields object | null Required

      The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to null.

    • id string Required

      The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.

    • name string Required

      The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.

    • type string Required

      The type of connector.

      Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.

  • customFields array[object]

    Custom fields case configuration.

    Hide customFields attributes Show customFields attributes object

    • defaultValue string | boolean

      A default value for the custom field. If the type is text, the default value must be a string. If the type is toggle, the default value must be boolean.

      One of:
      string-1 string boolean-2 boolean
    • key string Required

      A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field.

      Minimum length is 1, maximum length is 36.

    • label string Required

      The custom field label that is displayed in the case.

      Minimum length is 1, maximum length is 50.

    • type string Required

      The type of the custom field.

      Values are text or toggle.

    • required boolean Required

      Indicates whether the field is required. If false, the custom field can be set to null or omitted when a case is created or updated.

  • templates array[object] Technical preview
    Hide templates attributes Show templates attributes object
    • caseFields object
      Hide caseFields attributes Show caseFields attributes object
      • assignees array[object] | null

        An array containing users that are assigned to the case.

        Not more than 10 elements.

        Hide assignees attribute Show assignees attribute object
        • uid string Required

          A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

      • category string

        A word or phrase that categorizes the case.

        Maximum length is 50.

      • connector object
        Hide connector attributes Show connector attributes object
        • fields object | null

          The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to null.

        • id string

          The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.

        • name string

          The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.

        • type string

          The type of connector.

          Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.

      • customFields array[object] Technical preview

        Custom field values in the template.

        Hide customFields attributes Show customFields attributes object
        • key string

          The unique key for the custom field.

        • type string

          The type of the custom field.

          Values are text or toggle.

        • value string | boolean

          The default value for the custom field when a case uses the template. If the type is text, the default value must be a string. If the type is toggle, the default value must be boolean.

          One of:
          string-1 string boolean-2 boolean
      • description string

        The description for the case.

        Maximum length is 30000.

      • settings object

        An object that contains the case settings.

        Hide settings attribute Show settings attribute object
        • syncAlerts boolean Required

          Turns alert syncing on or off.

      • severity string

        The severity of the case.

        Values are critical, high, low, or medium. Default value is low.

      • tags array[string]

        The words and phrases that help categorize cases. It can be an empty array.

        Not more than 200 elements. Maximum length of each is 256.

      • title string

        A title for the case.

        Maximum length is 160.

    • description string

      A description for the template.

    • key string

      A unique key for the template. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific template.

    • name string

      The name of the template.

    • tags array[string]

      The words and phrases that help categorize templates. It can be an empty array.

      Not more than 200 elements. Maximum length of each is 256.

  • version string Required

    The version of the connector. To retrieve the version value, use the get configuration API.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • closure_type string

      Indicates whether a case is automatically closed when it is pushed to external systems (close-by-pushing) or not automatically closed (close-by-user).

      Values are close-by-pushing or close-by-user.

    • connector object
      Hide connector attributes Show connector attributes object
      • fields object | null

        The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to null.

      • id string

        The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.

      • name string

        The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.

      • type string

        The type of connector.

        Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.

    • created_at string(date-time)
    • created_by object
      Hide created_by attributes Show created_by attributes object
    • customFields array[object]

      Custom fields configuration details.

      Hide customFields attributes Show customFields attributes object

      • defaultValue string | boolean

        A default value for the custom field. If the type is text, the default value must be a string. If the type is toggle, the default value must be boolean.

        One of:
        string-1 string boolean-2 boolean
      • key string

        A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field.

        Minimum length is 1, maximum length is 36.

      • label string

        The custom field label that is displayed in the case.

        Minimum length is 1, maximum length is 50.

      • type string

        The type of the custom field.

        Values are text or toggle.

      • required boolean

        Indicates whether the field is required. If false, the custom field can be set to null or omitted when a case is created or updated.

    • error string | null
    • id string
    • mappings array[object]
      Hide mappings attributes Show mappings attributes object
    • owner string

      The application that owns the cases: Stack Management, Observability, or Elastic Security.

      Values are cases, observability, or securitySolution.

    • templates array[object] Technical preview
      Hide templates attributes Show templates attributes object
      • caseFields object
        Hide caseFields attributes Show caseFields attributes object
        • assignees array[object] | null

          An array containing users that are assigned to the case.

          Not more than 10 elements.

          Hide assignees attribute Show assignees attribute object
          • uid string Required

            A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

        • category string

          A word or phrase that categorizes the case.

          Maximum length is 50.

        • connector object
          Hide connector attributes Show connector attributes object
          • fields object | null

            The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to null.

          • id string

            The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.

          • name string

            The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.

          • type string

            The type of connector.

            Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.

        • customFields array[object] Technical preview

          Custom field values in the template.

          Hide customFields attributes Show customFields attributes object
          • key string

            The unique key for the custom field.

          • type string

            The type of the custom field.

            Values are text or toggle.

          • value string | boolean

            The default value for the custom field when a case uses the template. If the type is text, the default value must be a string. If the type is toggle, the default value must be boolean.

            One of:
            string-1 string boolean-2 boolean
        • description string

          The description for the case.

          Maximum length is 30000.

        • settings object

          An object that contains the case settings.

          Hide settings attribute Show settings attribute object
          • syncAlerts boolean Required

            Turns alert syncing on or off.

        • severity string

          The severity of the case.

          Values are critical, high, low, or medium. Default value is low.

        • tags array[string]

          The words and phrases that help categorize cases. It can be an empty array.

          Not more than 200 elements. Maximum length of each is 256.

        • title string

          A title for the case.

          Maximum length is 160.

      • description string

        A description for the template.

      • key string

        A unique key for the template. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific template.

      • name string

        The name of the template.

      • tags array[string]

        The words and phrases that help categorize templates. It can be an empty array.

        Not more than 200 elements. Maximum length of each is 256.

    • updated_at string(date-time) | null
    • updated_by object | null
      Hide updated_by attributes Show updated_by attributes object | null
    • version string
  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
PATCH /api/cases/configure/{configurationId} 
curl \
 --request PATCH 'https://localhost:5601/api/cases/configure/3297a0f0-b5ec-11ec-b141-0fdb20a7f9a9' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"version":"WzExOSw0XQ==","connector":{"id":"5e656730-e1ca-11ec-be9b-9b1838238ee6","name":"my-jira-connector","type":".jira","fields":null},"closure_type":"close-by-user","customFields":[{"key":"d312efda-ec2b-42ec-9e2c-84981795c581","type":"text","label":"my-text-field","required":true,"defaultValue":"A new default value."},{"key":"fcc6840d-eb14-42df-8aaf-232201a705ec","type":"toggle","label":"my-toggle","required":false}]}'
Request example 
{
  "version": "WzExOSw0XQ==",
  "connector": {
    "id": "5e656730-e1ca-11ec-be9b-9b1838238ee6",
    "name": "my-jira-connector",
    "type": ".jira",
    "fields": null
  },
  "closure_type": "close-by-user",
  "customFields": [
    {
      "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
      "type": "text",
      "label": "my-text-field",
      "required": true,
      "defaultValue": "A new default value."
    },
    {
      "key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
      "type": "toggle",
      "label": "my-toggle",
      "required": false
    }
  ]
}
Response examples (200) 
{
  "id": "4a97a440-e1cd-11ec-be9b-9b1838238ee6",
  "error": null,
  "owner": "cases",
  "version": "WzI2LDNd",
  "mappings": [
    {
      "source": "title",
      "target": "summary",
      "action_type": "overwrite"
    },
    {
      "source": "description",
      "target": "description",
      "action_type": "overwrite"
    },
    {
      "source": "tags",
      "target": "labels",
      "action_type": "overwrite"
    },
    {
      "source": "comments",
      "target": "comments",
      "action_type": "append"
    }
  ],
  "connector": {
    "id": "5e656730-e1ca-11ec-be9b-9b1838238ee6",
    "name": "my-jira-connector",
    "type": ".jira",
    "fields": null
  },
  "templates": [],
  "created_at": "2024-07-01T17:07:17.767Z",
  "created_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "updated_at": "2024-07-19T00:52:42.401Z",
  "updated_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "closure_type": "close-by-user",
  "customFields": [
    {
      "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
      "type": "text",
      "label": "my-text-field",
      "required": true,
      "defaultValue": "A new default value."
    },
    {
      "key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
      "type": "toggle",
      "label": "my-toggle",
      "required": false
    }
  ]
}

Get connector information Deprecated

GET /api/actions/action/{id}
Api key auth Basic auth

Path parameters

  • id string Required

    An identifier for the connector.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • config object

      Additional properties are allowed.

    • connector_type_id string Required

      The connector type identifier.

    • id string Required

      The identifier for the connector.

    • is_deprecated boolean Required

      Indicates whether the connector is deprecated.

    • is_missing_secrets boolean

      Indicates whether the connector is missing secrets.

    • is_preconfigured boolean Required

      Indicates whether the connector is preconfigured. If true, the config and is_missing_secrets properties are omitted from the response.

    • is_system_action boolean Required

      Indicates whether the connector is used for system actions.

    • name string Required

      The name of the rule.
GET /api/actions/action/{id} 
curl \
 --request GET 'https://localhost:5601/api/actions/action/{id}' \
 --header "Authorization: $API_KEY"

Delete a connector Deprecated

DELETE /api/actions/action/{id}
Api key auth Basic auth

WARNING: When you delete a connector, it cannot be recovered.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    An identifier for the connector.

Responses

  • 204

    Indicates a successful call.

DELETE /api/actions/action/{id} 
curl \
 --request DELETE 'https://localhost:5601/api/actions/action/{id}' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Get all connectors

GET /api/actions/connectors
Api key auth Basic auth

Responses

  • 200 application/json

    Indicates a successful call.

GET /api/actions/connectors 
curl \
 --request GET 'https://localhost:5601/api/actions/connectors' \
 --header "Authorization: $API_KEY"
Response examples (200) 
[
  {
    "id": "preconfigured-email-connector",
    "name": "my-preconfigured-email-notification",
    "is_deprecated": false,
    "is_preconfigured": true,
    "is_system_action": false,
    "connector_type_id": ".email",
    "referenced_by_count": 0
  },
  {
    "id": "e07d0c80-8b8b-11ed-a780-3b746c987a81",
    "name": "my-index-connector",
    "config": {
      "index": "test-index",
      "refresh": false,
      "executionTimeField": null
    },
    "is_deprecated": false,
    "is_preconfigured": false,
    "is_system_action": false,
    "connector_type_id": ".index",
    "is_missing_secrets": false,
    "referenced_by_count": 2
  }
]

Get all data views

GET /api/data_views
Api key auth Basic auth

Responses

GET /api/data_views 
curl \
 --request GET 'https://localhost:5601/api/data_views' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "data_view": [
    {
      "id": "ff959d40-b880-11e8-a6d9-e546fe2bba5f",
      "name": "Kibana Sample Data eCommerce",
      "title": "kibana_sample_data_ecommerce",
      "typeMeta": {},
      "namespaces": [
        "default"
      ]
    },
    {
      "id": "d3d7af60-4c81-11e8-b3d7-01146121b73d",
      "name": "Kibana Sample Data Flights",
      "title": "kibana_sample_data_flights",
      "namespaces": [
        "default"
      ]
    },
    {
      "id": "90943e30-9a47-11e8-b64d-95841ca0b247",
      "name": "Kibana Sample Data Logs",
      "title": "kibana_sample_data_logs",
      "namespaces": [
        "default"
      ]
    }
  ]
}

Create a data view

POST /api/data_views/data_view
Api key auth Basic auth

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

application/json

Body Required

  • data_view object Required

    The data view object.

    Hide data_view attributes Show data_view attributes object
    • allowNoIndex boolean

      Allows the data view saved object to exist before the data is available.

    • fieldAttrs object
      Hide fieldAttrs attribute Show fieldAttrs attribute object
      • * object Additional properties

        A map of field attributes by field name.

        Hide * attributes Show * attributes object
    • fieldFormats object

      A map of field formats by field name.

    • fields object
    • id string
    • name string

      The data view name.

    • namespaces array[string]

      An array of space identifiers for sharing the data view between multiple spaces.

      Default value is default.

    • runtimeFieldMap object
      Hide runtimeFieldMap attribute Show runtimeFieldMap attribute object
      • * object Additional properties

        A map of runtime field definitions by field name.

        Hide * attributes Show * attributes object
        • script object Required
          Hide script attribute Show script attribute object
          • source string

            Script for the runtime field.

        • type string Required

          Mapping type of the runtime field.

    • sourceFilters array[object]

      The array of field names you want to filter out in Discover.

      Hide sourceFilters attribute Show sourceFilters attribute object
    • timeFieldName string

      The timestamp field name, which you use for time-based data views.

    • title string Required

      Comma-separated list of data streams, indices, and aliases that you want to search. Supports wildcards (*).

    • type string

      When set to rollup, identifies the rollup data views.

    • typeMeta object

      When you use rollup indices, contains the field list for the rollup data view API endpoints.

      Hide typeMeta attributes Show typeMeta attributes object
      • aggs object Required

        A map of rollup restrictions by aggregation type and field name.

      • params object Required

        Properties for retrieving rollup fields.

    • version string
  • override boolean

    Override an existing data view if a data view with the provided title already exists.

    Default value is false.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attribute Show response attribute object
    • data_view object
      Hide data_view attributes Show data_view attributes object
      • allowNoIndex boolean

        Allows the data view saved object to exist before the data is available.

      • fieldAttrs object
        Hide fieldAttrs attribute Show fieldAttrs attribute object
        • * object Additional properties

          A map of field attributes by field name.

          Hide * attributes Show * attributes object
      • fieldFormats object

        A map of field formats by field name.

      • fields object
      • id string
      • name string

        The data view name.

      • namespaces array[string]

        An array of space identifiers for sharing the data view between multiple spaces.

        Default value is default.

      • runtimeFieldMap object
        Hide runtimeFieldMap attribute Show runtimeFieldMap attribute object
        • * object Additional properties

          A map of runtime field definitions by field name.

          Hide * attributes Show * attributes object
          • script object Required
            Hide script attribute Show script attribute object
            • source string

              Script for the runtime field.

          • type string Required

            Mapping type of the runtime field.

      • sourceFilters array[object]

        The array of field names you want to filter out in Discover.

        Hide sourceFilters attribute Show sourceFilters attribute object
      • timeFieldName string

        The timestamp field name, which you use for time-based data views.

      • title string

        Comma-separated list of data streams, indices, and aliases that you want to search. Supports wildcards (*).

      • typeMeta object | null

        When you use rollup indices, contains the field list for the rollup data view API endpoints.

        Hide typeMeta attributes Show typeMeta attributes object | null
        • aggs object

          A map of rollup restrictions by aggregation type and field name.

        • params object

          Properties for retrieving rollup fields.

      • version string
  • 400 application/json

    Bad request

    Hide response attributes Show response attributes object
POST /api/data_views/data_view 
curl \
 --request POST 'https://localhost:5601/api/data_views/data_view' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"data_view":{"name":"My Logstash data view","title":"logstash-*","runtimeFieldMap":{"runtime_shape_name":{"type":"keyword","script":{"source":"emit(doc['shape_name'].value)"}}}}}'
Request example 
{
  "data_view": {
    "name": "My Logstash data view",
    "title": "logstash-*",
    "runtimeFieldMap": {
      "runtime_shape_name": {
        "type": "keyword",
        "script": {
          "source": "emit(doc['shape_name'].value)"
        }
      }
    }
  }
}

Get a Logstash pipeline Technical Preview

GET /api/logstash/pipeline/{id}
Api key auth Basic auth

Get information for a centrally-managed Logstash pipeline. To use this API, you must have either the logstash_admin built-in role or a customized Logstash reader role.

Secure your connection

Path parameters

  • id string Required

    An identifier for the pipeline.

Responses

  • 200 application/json

    Indicates a successful call
GET /api/logstash/pipeline/{id} 
curl \
 --request GET 'https://localhost:5601/api/logstash/pipeline/{id}' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "id": "hello-world",
  "description": "Just a simple pipeline",
  "username": "elastic",
  "pipeline": "input { stdin {} } output { stdout {} }",
  "settings": {
    "queue.type": "persistent"
  }
}

Delete a Logstash pipeline Technical Preview

DELETE /api/logstash/pipeline/{id}
Api key auth Basic auth

Delete a centrally-managed Logstash pipeline. If your Elasticsearch cluster is protected with basic authentication, you must have either the logstash_admin built-in role or a customized Logstash writer role.

Secure your connection

Path parameters

  • id string Required

    An identifier for the pipeline.

Responses

  • 204

    Indicates a successful call

DELETE /api/logstash/pipeline/{id} 
curl \
 --request DELETE 'https://localhost:5601/api/logstash/pipeline/{id}' \
 --header "Authorization: $API_KEY"

Sync saved objects in the default space

GET /api/ml/saved_objects/sync
Api key auth Basic auth

Synchronizes Kibana saved objects for machine learning jobs and trained models in the default space. You must have all privileges for the Machine Learning feature in the Analytics section of the Kibana feature privileges. This API runs automatically when you start Kibana and periodically thereafter.

Query parameters

  • simulate boolean

    When true, simulates the synchronization by returning only the list of actions that would be performed.

Responses

  • 200 application/json

    Indicates a successful call

    Hide response attributes Show response attributes object
    • datafeedsAdded object

      If a saved object for an anomaly detection job is missing a datafeed identifier, it is added when you run the sync machine learning saved objects API.

      Hide datafeedsAdded attribute Show datafeedsAdded attribute object
      • * object Additional properties

        The sync machine learning saved objects API response contains this object when there are datafeeds affected by the synchronization. There is an object for each relevant datafeed, which contains the synchronization status.

        Hide * attribute Show * attribute object
        • success boolean

          The success or failure of the synchronization.

    • datafeedsRemoved object

      If a saved object for an anomaly detection job references a datafeed that no longer exists, it is deleted when you run the sync machine learning saved objects API.

      Hide datafeedsRemoved attribute Show datafeedsRemoved attribute object
      • * object Additional properties

        The sync machine learning saved objects API response contains this object when there are datafeeds affected by the synchronization. There is an object for each relevant datafeed, which contains the synchronization status.

        Hide * attribute Show * attribute object
        • success boolean

          The success or failure of the synchronization.

    • savedObjectsCreated object

      If saved objects are missing for machine learning jobs or trained models, they are created when you run the sync machine learning saved objects API.

      Hide savedObjectsCreated attributes Show savedObjectsCreated attributes object
      • anomaly-detector object

        If saved objects are missing for anomaly detection jobs, they are created.

        Hide anomaly-detector attribute Show anomaly-detector attribute object
        • * object Additional properties

          The sync machine learning saved objects API response contains this object when there are anomaly detection jobs affected by the synchronization. There is an object for each relevant job, which contains the synchronization status.

          Hide * attribute Show * attribute object
          • success boolean

            The success or failure of the synchronization.

      • data-frame-analytics object

        If saved objects are missing for data frame analytics jobs, they are created.

        Hide data-frame-analytics attribute Show data-frame-analytics attribute object
        • * object Additional properties

          The sync machine learning saved objects API response contains this object when there are data frame analytics jobs affected by the synchronization. There is an object for each relevant job, which contains the synchronization status.

          Hide * attribute Show * attribute object
          • success boolean

            The success or failure of the synchronization.

      • trained-model object

        If saved objects are missing for trained models, they are created.

        Hide trained-model attribute Show trained-model attribute object
        • * object Additional properties

          The sync machine learning saved objects API response contains this object when there are trained models affected by the synchronization. There is an object for each relevant trained model, which contains the synchronization status.

          Hide * attribute Show * attribute object
          • success boolean

            The success or failure of the synchronization.

    • savedObjectsDeleted object

      If saved objects exist for machine learning jobs or trained models that no longer exist, they are deleted when you run the sync machine learning saved objects API.

      Hide savedObjectsDeleted attributes Show savedObjectsDeleted attributes object
      • anomaly-detector object

        If there are saved objects exist for nonexistent anomaly detection jobs, they are deleted.

        Hide anomaly-detector attribute Show anomaly-detector attribute object
        • * object Additional properties

          The sync machine learning saved objects API response contains this object when there are anomaly detection jobs affected by the synchronization. There is an object for each relevant job, which contains the synchronization status.

          Hide * attribute Show * attribute object
          • success boolean

            The success or failure of the synchronization.

      • data-frame-analytics object

        If there are saved objects exist for nonexistent data frame analytics jobs, they are deleted.

        Hide data-frame-analytics attribute Show data-frame-analytics attribute object
        • * object Additional properties

          The sync machine learning saved objects API response contains this object when there are data frame analytics jobs affected by the synchronization. There is an object for each relevant job, which contains the synchronization status.

          Hide * attribute Show * attribute object
          • success boolean

            The success or failure of the synchronization.

      • trained-model object

        If there are saved objects exist for nonexistent trained models, they are deleted.

        Hide trained-model attribute Show trained-model attribute object
        • * object Additional properties

          The sync machine learning saved objects API response contains this object when there are trained models affected by the synchronization. There is an object for each relevant trained model, which contains the synchronization status.

          Hide * attribute Show * attribute object
          • success boolean

            The success or failure of the synchronization.
  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
GET /api/ml/saved_objects/sync 
curl \
 --request GET 'https://localhost:5601/api/ml/saved_objects/sync' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "datafeedsAdded": {},
  "datafeedsRemoved": {},
  "savedObjectsCreated": {
    "anomaly-detector": {
      "myjob1": {
        "success": true
      },
      "myjob2": {
        "success": true
      }
    }
  },
  "savedObjectsDeleted": {}
}

Get a conversation

GET /api/security_ai_assistant/current_user/conversations/{id}
Api key auth Basic auth

Get the details of an existing conversation using the conversation ID. This allows users to fetch the specific conversation data by its unique ID.

Path parameters

  • id string(nonempty) Required

    The conversation's id value, a unique identifier for the conversation.

    Minimum length is 1.

Responses

  • 200 application/json

    Indicates a successful call. The conversation details are returned.

    Hide response attributes Show response attributes object
    • apiConfig object

      LLM API configuration.

      Hide apiConfig attributes Show apiConfig attributes object
    • category string Required

      The conversation category.

      Values are assistant or insights.

    • createdAt string Required

      The last time conversation was updated.

    • excludeFromLastConversationStorage boolean

      Exclude from last conversation storage.

    • id string(nonempty) Required

      The ID of the anonymization field.

      Minimum length is 1.

    • isDefault boolean

      Is default conversation.

    • messages array[object]

      The conversation messages.

      AI assistant conversation message.

      Hide messages attributes Show messages attributes object
      • content string Required

        Message content.

      • isError boolean

        Is error message.

      • metadata object

        Metadata

        Hide metadata attribute Show metadata attribute object
      • reader object

        Message content.

        Additional properties are allowed.

      • role string Required

        Message role.

        Values are system, user, or assistant.

      • timestamp string(nonempty) Required

        Timestamp when the anonymization field was initially created.

        Minimum length is 1.

      • traceData object

        Trace data

        Hide traceData attributes Show traceData attributes object
        • traceId string

          Could be any string, not necessarily a UUID

        • transactionId string

          Could be any string, not necessarily a UUID

    • namespace string Required

      Kibana space

    • replacements object

      Replacements object used to anonymize/deanonymize messages

      Hide replacements attribute Show replacements attribute object
      • * string Additional properties
    • summary object
      Hide summary attributes Show summary attributes object
      • confidence string

        How confident you are about this being a correct and useful learning.

        Values are low, medium, or high.

      • content string

        Summary text of the conversation over time.

      • public boolean

        Define if summary is marked as publicly available.

      • timestamp string(nonempty)

        Timestamp when the anonymization field was initially created.

        Minimum length is 1.

    • timestamp string(nonempty)

      Timestamp when the anonymization field was initially created.

      Minimum length is 1.

    • title string Required

      The conversation title.

    • updatedAt string

      The last time conversation was updated.

    • users array[object] Required

      Could be any string, not necessarily a UUID.

      Hide users attributes Show users attributes object
  • 400 application/json

    Generic Error. The request could not be processed due to an error.

    Hide response attributes Show response attributes object
GET /api/security_ai_assistant/current_user/conversations/{id} 
curl \
 --request GET 'https://localhost:5601/api/security_ai_assistant/current_user/conversations/abc123' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "id": "abc123",
  "title": "Security Discussion",
  "users": [
    {
      "id": "user1",
      "name": "John Doe"
    }
  ],
  "category": "assistant",
  "messages": [
    {
      "role": "system",
      "content": "Hello, how can I assist you today?",
      "timestamp": "2023-10-31T12:00:00Z"
    }
  ],
  "apiConfig": {
    "connectorId": "12345",
    "actionTypeId": "67890"
  },
  "createdAt": "2023-10-31T12:01:00Z",
  "updatedAt": "2023-10-31T12:01:00Z",
  "replacements": {},
  "excludeFromLastConversationStorage": false
}

Finds Knowledge Base Entries that match the given query.

GET /api/security_ai_assistant/knowledge_base/entries/_find
Api key auth Basic auth

Finds Knowledge Base Entries that match the given query.

Query parameters

  • fields array[string]

    A list of fields to include in the response. If not provided, all fields will be included.

  • filter string

    Search query to filter Knowledge Base Entries by specific criteria.

  • sort_field string

    Field to sort the Knowledge Base Entries by.

    Values are created_at, is_default, title, or updated_at.

  • sort_order string

    Sort order for the results, either asc or desc.

    Values are asc or desc.

  • page integer

    Page number for paginated results. Defaults to 1.

    Minimum value is 1. Default value is 1.

  • per_page integer

    Number of Knowledge Base Entries to return per page. Defaults to 20.

    Minimum value is 0. Default value is 20.

Responses

  • 200 application/json

    Successful response containing the paginated Knowledge Base Entries.

    Hide response attributes Show response attributes object
    • data array[object] Required

      The list of Knowledge Base Entries for the current page.

      Any of:
      Security_AI_Assistant_API_DocumentEntryResponseFields object Security_AI_Assistant_API_IndexEntryResponseFields object
      Hide attributes Show attributes
      • global boolean Required

        Whether this Knowledge Base Entry is global, defaults to false.

      • name string Required

        Name of the Knowledge Base Entry.

      • namespace string Required

        Kibana Space, defaults to 'default' space.

      • users array[object] Required

        Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users.

        Could be any string, not necessarily a UUID.

        Hide users attributes Show users attributes object
      • createdAt string Required

        Time the Knowledge Base Entry was created.

      • createdBy string Required

        User who created the Knowledge Base Entry.

      • id string(nonempty) Required

        The ID of the anonymization field.

        Minimum length is 1.

      • updatedAt string Required

        Time the Knowledge Base Entry was last updated.

      • updatedBy string Required

        User who last updated the Knowledge Base Entry.

      • kbResource string Required

        Knowledge Base resource name for grouping entries, e.g. 'security_labs', 'user', etc.

        Values are security_labs or user.

      • source string Required

        Source document name or filepath.

      • text string Required

        Knowledge Base Entry content.

      • type string Required Discriminator

        Entry type.

        Value is document.

      • required boolean

        Whether this resource should always be included, defaults to false.

      • vector object

        Object containing Knowledge Base Entry text embeddings and modelId used to create the embeddings.

        Hide vector attributes Show vector attributes object
        • modelId string Required

          ID of the model used to create the embeddings.

        • tokens object Required

          Tokens with their corresponding values.

          Hide tokens attribute Show tokens attribute object
          • * number Additional properties
    • page integer Required

      The current page number.

    • perPage integer Required

      The number of Knowledge Base Entries returned per page.

    • total integer Required

      The total number of Knowledge Base Entries available.
  • 400 application/json

    Generic Error indicating an issue with the request.

    Hide response attributes Show response attributes object
    • error string

      A short description of the error.

    • message string

      A detailed message explaining the error.

    • statusCode number

      The HTTP status code of the error.
GET /api/security_ai_assistant/knowledge_base/entries/_find 
curl \
 --request GET 'https://localhost:5601/api/security_ai_assistant/knowledge_base/entries/_find' \
 --header "Authorization: $API_KEY"

Create an alerts index

POST /api/detection_engine/index
Api key auth Basic auth

Responses

  • 200 application/json

    Successful response

    Hide response attribute Show response attribute object
  • 401 application/json

    Unsuccessful authentication response

    Hide response attributes Show response attributes object
  • 403 application/json

    Not enough permissions response

    Hide response attributes Show response attributes object
  • 404 application/json

    Not found

    Hide response attributes Show response attributes object
  • 500 application/json

    Internal server error response

    Hide response attributes Show response attributes object
POST /api/detection_engine/index 
curl \
 --request POST 'https://localhost:5601/api/detection_engine/index' \
 --header "Authorization: $API_KEY"

Retrieve the status of prebuilt detection rules and Timelines

GET /api/detection_engine/rules/prepackaged/_status
Api key auth Basic auth

Retrieve the status of all Elastic prebuilt detection rules and Timelines.

This endpoint provides detailed information about the number of custom rules, installed prebuilt rules, available prebuilt rules that are not installed, outdated prebuilt rules, installed prebuilt timelines, available prebuilt timelines that are not installed, and outdated prebuilt timelines.

Responses

  • 200 application/json

    Indicates a successful call

    Hide response attributes Show response attributes object
    • rules_custom_installed integer Required

      The total number of custom rules

      Minimum value is 0.

    • rules_installed integer Required

      The total number of installed prebuilt rules

      Minimum value is 0.

    • rules_not_installed integer Required

      The total number of available prebuilt rules that are not installed

      Minimum value is 0.

    • rules_not_updated integer Required

      The total number of outdated prebuilt rules

      Minimum value is 0.

    • timelines_installed integer Required

      The total number of installed prebuilt timelines

      Minimum value is 0.

    • timelines_not_installed integer Required

      The total number of available prebuilt timelines that are not installed

      Minimum value is 0.

    • timelines_not_updated integer Required

      The total number of outdated prebuilt timelines

      Minimum value is 0.
GET /api/detection_engine/rules/prepackaged/_status 
curl \
 --request GET 'https://localhost:5601/api/detection_engine/rules/prepackaged/_status' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "rules_installed": 0,
  "rules_not_updated": 0,
  "rules_not_installed": 112,
  "timelines_installed": 0,
  "timelines_not_updated": 0,
  "rules_custom_installed": 0,
  "timelines_not_installed": 0
}

Clean up detection alert migrations Deprecated

DELETE /api/detection_engine/signals/migration
Api key auth Basic auth

Migrations favor data integrity over shard size. Consequently, unused or orphaned indices are artifacts of the migration process. A successful migration will result in both the old and new indices being present. As such, the old, orphaned index can (and likely should) be deleted.

While you can delete these indices manually, the endpoint accomplishes this task by applying a deletion policy to the relevant index, causing it to be deleted after 30 days. It also deletes other artifacts specific to the migration implementation.

application/json

Body Required

Array of migration_ids to cleanup

  • migration_ids array[string] Required

    Array of migration_ids to cleanup.

    At least 1 element.

Responses

DELETE /api/detection_engine/signals/migration 
curl \
 --request DELETE 'https://localhost:5601/api/detection_engine/signals/migration' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"migration_ids":["924f7c50-505f-11eb-ae0a-3fa2e626a51d"]}'
Request example 
{
  "migration_ids": [
    "924f7c50-505f-11eb-ae0a-3fa2e626a51d"
  ]
}
Response examples (200) 
{
  "migrations": [
    {
      "id": "924f7c50-505f-11eb-ae0a-3fa2e626a51d",
      "status": "success",
      "updated": "2021-01-06T22:05:56.859Z",
      "version": 16,
      "sourceIndex": ".siem-signals-default-000002",
      "destinationIndex": ".siem-signals-default-000002-r000016"
    }
  ]
}

Delete an endpoint exception list item

DELETE /api/endpoint_list/items
Api key auth Basic auth

Delete an endpoint exception list item using the id or item_id field.

Query parameters

  • id string(nonempty)

    Either id or item_id must be specified

    Minimum length is 1.

  • item_id string(nonempty)

    Either id or item_id must be specified

    Minimum length is 1.

Responses

  • 200 application/json

    Successful response

    Hide response attributes Show response attributes object
    • _version string

      The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.

    • comments array[object] Required

      Array of comment fields:

      • comment (string): Comments about the exception item.
      Hide comments attributes Show comments attributes object
      • comment string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • created_at string(date-time) Required

        Autogenerated date of object creation.

      • created_by string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • id string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • updated_at string(date-time)

        Autogenerated date of last object update.

      • updated_by string(nonempty)

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • created_at string(date-time) Required

      Autogenerated date of object creation.

    • created_by string Required

      Autogenerated value - user that created object.

    • description string Required

      Describes the exception list.

    • entries array[object] Required
      Any of:
      Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch object Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Endpoint_Exceptions_API_ExceptionListItemEntryList object Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists object Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested object Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard object
      Hide attributes Show attributes
      • field string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • operator string Required

        Values are excluded or included.

      • type string Required Discriminator

        Value is match.

      • value string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • expire_time string(date-time)

      The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.

    • id string(nonempty) Required

      Exception's identifier.

      Minimum length is 1.

    • item_id string(nonempty) Required

      Human readable string identifier, e.g. trusted-linux-processes

      Minimum length is 1.

    • list_id string(nonempty) Required

      Exception list's human readable string identifier, e.g. trusted-linux-processes.

      Minimum length is 1.

    • meta object

      Additional properties are allowed.

    • name string(nonempty) Required

      Exception list name.

      Minimum length is 1.

    • namespace_type string Required

      Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:

      • single: Only available in the Kibana space in which it is created.
      • agnostic: Available in all Kibana spaces.

      Values are agnostic or single.

    • os_types array[string]

      Use this field to specify the operating system.

      Values are linux, macos, or windows.

    • tags array[string(nonempty)]

      String array containing words and phrases to help categorize exception items.

      Minimum length of each is 1.

    • tie_breaker_id string Required

      Field used in search to ensure all containers are sorted and returned correctly.

    • type string Required

      Value is simple.

    • updated_at string(date-time) Required

      Autogenerated date of last object update.

    • updated_by string Required

      Autogenerated value - user that last updated object.
  • 400 application/json

    Invalid input data

    One of:
    Security_Endpoint_Exceptions_API_PlatformErrorResponse object Security_Endpoint_Exceptions_API_SiemErrorResponse object
    Hide attributes Show attributes
  • 401 application/json

    Unsuccessful authentication

    Hide response attributes Show response attributes object
  • 403 application/json

    Insufficient privileges

    Hide response attributes Show response attributes object
  • 404 application/json

    Endpoint list item not found

    Hide response attributes Show response attributes object
  • 500 application/json

    Internal server error

    Hide response attributes Show response attributes object
DELETE /api/endpoint_list/items 
curl \
 --request DELETE 'https://localhost:5601/api/endpoint_list/items' \
 --header "Authorization: $API_KEY"

Security endpoint management

Interact with and manage endpoints running the Elastic Defend integration.

Get an action request log Deprecated

GET /api/endpoint/action_log/{agent_id}
Api key auth Basic auth

Get an action request log for the specified agent ID.

Path parameters

Query parameters

  • query object Required
    Hide query attributes Show query attributes object
    • end_date string

      An end date in ISO format or Date Math format.

    • page integer

      Page number

      Minimum value is 1. Default value is 1.

    • page_size integer

      Number of items per page

      Minimum value is 1, maximum value is 100. Default value is 10.

    • start_date string

      A start date in ISO 8601 format or Date Math format.

Responses

  • 200 application/json

    OK
GET /api/endpoint/action_log/{agent_id} 
curl \
 --request GET 'https://localhost:5601/api/endpoint/action_log/{agent_id}?query=%7B%7D' \
 --header "Authorization: $API_KEY"

Get running processes

POST /api/endpoint/action/running_procs
Api key auth Basic auth

Get a list of all processes running on an endpoint.

application/json

Body Required

  • agent_type string

    List of agent types to retrieve. Defaults to endpoint.

    Values are endpoint, sentinel_one, crowdstrike, or microsoft_defender_endpoint.

  • alert_ids array[string(nonempty)]

    A list of alerts ids.

    At least 1 element. Minimum length of each is 1.

  • case_ids array[string]

    Case IDs to be updated (cannot contain empty strings)

    At least 1 element. Minimum length of each is 1.

  • comment string

    Optional comment

  • endpoint_ids array[string] Required

    List of endpoint IDs (cannot contain empty strings)

    At least 1 element. Minimum length of each is 1.

  • parameters object

    Optional parameters object

Responses

  • 200 application/json

    OK
POST /api/endpoint/action/running_procs 
curl \
 --request POST 'https://localhost:5601/api/endpoint/action/running_procs' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"endpoint_ids":["ed518850-681a-4d60-bb98-e22640cae2a8"]}'
Request example 
{
  "endpoint_ids": [
    "ed518850-681a-4d60-bb98-e22640cae2a8"
  ]
}
Response examples (200) 
{
  "data": {
    "id": "233db9ea-6733-4849-9226-5a7039c7161d",
    "agents": [
      "ed518850-681a-4d60-bb98-e22640cae2a8"
    ],
    "errors": [],
    "command": "running-processes",
    "comment": "",
    "outputs": {
      "ed518850-681a-4d60-bb98-e22640cae2a8": {
        "type": "json",
        "content": {
          "key": "value"
        }
      }
    },
    "agentType": "endpoint",
    "createdBy": "myuser",
    "isExpired": false,
    "startedAt": "2022-07-29T19:08:49.126Z",
    "parameters": {},
    "completedAt": "2022-07-29T19:09:44.961Z",
    "isCompleted": true,
    "wasSuccessful": true
  }
}

Suspend a process

POST /api/endpoint/action/suspend_process
Api key auth Basic auth

Suspend a running process on an endpoint.

application/json

Body Required

  • agent_type string

    List of agent types to retrieve. Defaults to endpoint.

    Values are endpoint, sentinel_one, crowdstrike, or microsoft_defender_endpoint.

  • alert_ids array[string(nonempty)]

    A list of alerts ids.

    At least 1 element. Minimum length of each is 1.

  • case_ids array[string]

    Case IDs to be updated (cannot contain empty strings)

    At least 1 element. Minimum length of each is 1.

  • comment string

    Optional comment

  • endpoint_ids array[string] Required

    List of endpoint IDs (cannot contain empty strings)

    At least 1 element. Minimum length of each is 1.

  • parameters object Required

    One of:
    object-1 object object-2 object
    Hide attribute Show attribute
    • pid integer

      The process ID (PID) of the process to suspend.

      Minimum value is 1.

  • parameters object

    Optional parameters object

Responses

  • 200 application/json

    OK
POST /api/endpoint/action/suspend_process 
curl \
 --request POST 'https://localhost:5601/api/endpoint/action/suspend_process' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"comment":"suspend the process","parameters":{"entity_id":"abc123"},"endpoint_ids":["ed518850-681a-4d60-bb98-e22640cae2a8"]}'
Request example 
{
  "comment": "suspend the process",
  "parameters": {
    "entity_id": "abc123"
  },
  "endpoint_ids": [
    "ed518850-681a-4d60-bb98-e22640cae2a8"
  ]
}
Response examples (200) 
{
  "data": {
    "id": "233db9ea-6733-4849-9226-5a7039c7161d",
    "agents": [
      "ed518850-681a-4d60-bb98-e22640cae2a8"
    ],
    "errors": [],
    "command": "suspend-process",
    "comment": "suspend the process",
    "outputs": {
      "ed518850-681a-4d60-bb98-e22640cae2a8": {
        "type": "json",
        "content": {
          "key": "value"
        }
      }
    },
    "agentType": "endpoint",
    "createdBy": "myuser",
    "isExpired": false,
    "startedAt": "2022-07-29T19:08:49.126Z",
    "parameters": {
      "entity_id": "abc123"
    },
    "completedAt": "2022-07-29T19:09:44.961Z",
    "isCompleted": true,
    "wasSuccessful": true
  }
}

Get a metadata list

GET /api/endpoint/metadata
Api key auth Basic auth

Query parameters

  • page integer

    Page number

    Minimum value is 1. Default value is 1.

  • pageSize integer

    Number of items per page

    Minimum value is 1, maximum value is 100. Default value is 10.

  • kuery string

    A KQL string.

  • hostStatuses array[string] Required

    A set of agent health statuses to filter by.

    Values are healthy, offline, updating, inactive, or unenrolled.

  • sortField string

    Determines which field is used to sort the results.

    Values are enrolled_at, metadata.host.hostname, host_status, metadata.Endpoint.policy.applied.name, metadata.Endpoint.policy.applied.status, metadata.host.os.name, metadata.host.ip, metadata.agent.version, or last_checkin.

  • sortDirection string

    Determines the sort order.

    Values are asc or desc.

Responses

  • 200 application/json

    OK
GET /api/endpoint/metadata 
curl \
 --request GET 'https://localhost:5601/api/endpoint/metadata?hostStatuses=healthy&hostStatuses=updating' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "data": [
    {
      "metadata": {
        "ecs": {
          "version": "1.11.0"
        },
        "host": {
          "id": "0cfead88e2024bd8a27476352b5ab264",
          "ip": [
            "127.0.0.1",
            "::1",
            "10.0.2.15",
            "fe80::2ac7:8e15:b957:2fa1"
          ],
          "os": {
            "Ext": {
              "variant": "Ubuntu"
            },
            "full": "Ubuntu 20.04.2",
            "name": "Linux",
            "type": "linux",
            "family": "ubuntu",
            "kernel": "5.8.0-59-generic #66~20.04.1-Ubuntu SMP Thu Jun 17 11:14:10 UTC 2021",
            "version": "20.04.2",
            "platform": "ubuntu"
          },
          "mac": [
            "08:00:27:e6:78:8b"
          ],
          "name": "david-Xubuntu",
          "hostname": "david-Xubuntu",
          "architecture": "x86_64"
        },
        "agent": {
          "id": "285297c6-3bff-4b83-9a07-f3e749801123",
          "type": "endpoint",
          "build": {
            "original": "version: 7.16.0, compiled: Tue Nov 16 16:00:00 2021, branch: 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab"
          },
          "version": "7.16.0"
        },
        "event": {
          "id": "MNtSXK/SkhEBnmgt++++++7S",
          "kind": "metric",
          "type": [
            "info"
          ],
          "action": "endpoint_metadata",
          "module": "endpoint",
          "created": "2023-07-04T15:47:57.432173535Z",
          "dataset": "endpoint.metadata",
          "category": [
            "host"
          ],
          "ingested": "2023-07-04T15:47:58Z",
          "sequence": 400,
          "agent_id_status": "verified"
        },
        "elastic": {
          "agent": {
            "id": "285297c6-3bff-4b83-9a07-f3e749801123"
          }
        },
        "message": "Endpoint metadata",
        "Endpoint": {
          "state": {
            "isolation": false
          },
          "policy": {
            "applied": {
              "id": "d5371dcd-93b7-4627-af88-4084f7d6aa3e",
              "name": "test",
              "status": "success",
              "version": "3",
              "endpoint_policy_version": "2"
            }
          },
          "status": "enrolled",
          "capabilities": [
            "isolation"
          ],
          "configuration": {
            "isolation": false
          }
        },
        "@timestamp": "2023-07-04T15:47:57.432173535Z",
        "data_stream": {
          "type": "metrics",
          "dataset": "endpoint.metadata",
          "namespace": "default"
        }
      },
      "host_status": "healthy",
      "policy_info": {
        "agent": {
          "applied": {
            "id": "ed7e3720-4bad-11ec-a2a8-fb22e62a5753",
            "revision": 0
          },
          "configured": {
            "id": "ed7e3720-4bad-11ec-a2a8-fb22e62a5753",
            "revision": 3
          }
        },
        "endpoint": {
          "id": "d5371dcd-93b7-4627-af88-4084f7d6aa3e",
          "revision": 2
        }
      },
      "last_checkin": "2023-07-04T15:47:57.432Z"
    },
    {
      "metadata": {
        "ecs": {
          "version": "1.11.0"
        },
        "host": {
          "id": "17d9cabc-7edd-43bc-bacb-8da5f5e6c0e5",
          "ip": [
            "10.0.2.15",
            "fe80::21a6:63d3:d70e:e3ad",
            "127.0.0.1",
            "::1"
          ],
          "os": {
            "Ext": {
              "variant": "Windows 10 Enterprise Evaluation"
            },
            "full": "Windows 10 Enterprise Evaluation 20H2 (10.0.19042.906)",
            "name": "Windows",
            "type": "windows",
            "family": "windows",
            "kernel": "20H2 (10.0.19042.906)",
            "version": "20H2 (10.0.19042.906)",
            "platform": "windows"
          },
          "mac": [
            "08:00:27:b1:1d:5a"
          ],
          "name": "WinDev2104Eval",
          "hostname": "WinDev2104Eval",
          "architecture": "x86_64"
        },
        "agent": {
          "id": "abb8a826-6812-448c-a571-6d8269b51449",
          "type": "endpoint",
          "build": {
            "original": "version: 7.16.0, compiled: Tue Nov 16 17:00:00 2021, branch: 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab"
          },
          "version": "7.16.0"
        },
        "event": {
          "id": "MNtRc++KoKHXXwlj+++++/N9",
          "kind": "metric",
          "type": [
            "info"
          ],
          "action": "endpoint_metadata",
          "module": "endpoint",
          "created": "2023-07-04T15:44:31.4917849Z",
          "dataset": "endpoint.metadata",
          "category": [
            "host"
          ],
          "ingested": "2023-07-04T15:44:33Z",
          "sequence": 5159,
          "agent_id_status": "verified"
        },
        "elastic": {
          "agent": {
            "id": "abb8a826-6812-448c-a571-6d8269b51449"
          }
        },
        "message": "Endpoint metadata",
        "Endpoint": {
          "state": {
            "isolation": false
          },
          "policy": {
            "applied": {
              "id": "d5371dcd-93b7-4627-af88-4084f7d6aa3e",
              "name": "test",
              "status": "success",
              "version": "3",
              "endpoint_policy_version": "2"
            }
          },
          "status": "enrolled",
          "capabilities": [
            "isolation"
          ],
          "configuration": {
            "isolation": false
          }
        },
        "@timestamp": "2023-07-04T15:44:31.4917849Z",
        "data_stream": {
          "type": "metrics",
          "dataset": "endpoint.metadata",
          "namespace": "default"
        }
      },
      "host_status": "healthy",
      "policy_info": {
        "agent": {
          "applied": {
            "id": "ed7e3720-4bad-11ec-a2a8-fb22e62a5753",
            "revision": 0
          },
          "configured": {
            "id": "ed7e3720-4bad-11ec-a2a8-fb22e62a5753",
            "revision": 3
          }
        },
        "endpoint": {
          "id": "d5371dcd-93b7-4627-af88-4084f7d6aa3e",
          "revision": 2
        }
      },
      "last_checkin": "2023-07-04T15:44:31.491Z"
    }
  ],
  "page": 0,
  "total": 2,
  "pageSize": 10,
  "sortField": "enrolled_at",
  "sortDirection": "desc"
}

Release an isolated endpoint Deprecated

POST /api/endpoint/unisolate
Api key auth Basic auth

Release an isolated endpoint, allowing it to rejoin a network.

This URL will return a 308 permanent redirect to POST <kibana host>:<port>/api/endpoint/action/unisolate.

application/json

Body Required

  • agent_type string

    List of agent types to retrieve. Defaults to endpoint.

    Values are endpoint, sentinel_one, crowdstrike, or microsoft_defender_endpoint.

  • alert_ids array[string(nonempty)]

    A list of alerts ids.

    At least 1 element. Minimum length of each is 1.

  • case_ids array[string]

    Case IDs to be updated (cannot contain empty strings)

    At least 1 element. Minimum length of each is 1.

  • comment string

    Optional comment

  • endpoint_ids array[string] Required

    List of endpoint IDs (cannot contain empty strings)

    At least 1 element. Minimum length of each is 1.

  • parameters object

    Optional parameters object

Responses

  • 200 application/json

    OK
  • 308

    Permanent Redirect

    Hide headers attribute Show headers attribute
    • Location string

      Permanently redirects to "/api/endpoint/action/unisolate"

POST /api/endpoint/unisolate 
curl \
 --request POST 'https://localhost:5601/api/endpoint/unisolate' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"agent_type":"endpoint","alert_ids":["string"],"case_ids":["case-id-1","case-id-2"],"comment":"This is a comment","endpoint_ids":["endpoint-id-1","endpoint-id-2"],"parameters":{}}'

Security entity analytics

List the Entity Engines

GET /api/entity_store/engines
Api key auth Basic auth

Responses

  • 200 application/json

    Successful response

    Hide response attributes Show response attributes object
GET /api/entity_store/engines 
curl \
 --request GET 'https://localhost:5601/api/entity_store/engines' \
 --header "Authorization: $API_KEY"

Security exceptions

Exceptions are associated with detection and endpoint rules, and are used to prevent a rule from generating an alert from incoming events, even when the rule's other criteria are met. They can help reduce the number of false positives and prevent trusted processes and network activity from generating unnecessary alerts.

Exceptions are made up of:

  • Exception containers: A container for related exceptions. Generally, a single exception container contains all the exception items relevant for a subset of rules. For example, a container can be used to group together network-related exceptions that are relevant for a large number of network rules. The container can then be associated with all the relevant rules.
  • Exception items: The query (fields, values, and logic) used to prevent rules from generating alerts. When an exception item's query evaluates to true, the rule does not generate an alert.

For detection rules, you can also use lists to define rule exceptions. A list holds multiple values of the same Elasticsearch data type, such as IP addresses. These values are used to determine when an exception prevents an alert from being generated.

You cannot use lists with endpoint rule exceptions.


Only exception containers can be associated with rules. You cannot directly associate an exception item or a list container with a rule. To use list exceptions, create an exception item that references the relevant list container.

Exceptions requirements

Before you can start working with exceptions that use value lists, you must create the .lists and .items data streams for the relevant Kibana space. To do this, use the Create list data streams endpoint. Once these data streams are created, your role needs privileges to manage rules. For a complete list of requirements, refer to Enable and access detections.