Get the alerting framework health

GET /api/alerting/_health
Api key auth Basic auth

You must have read privileges for the Management > Stack Rules feature or for at least one of the Analytics > Discover, Analytics > Machine Learning, Observability, or Security features.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • alerting_framework_health object

      Three substates identify the health of the alerting framework: decryption_health, execution_health, and read_health.

      Hide alerting_framework_health attributes Show alerting_framework_health attributes object
      • decryption_health object

        The timestamp and status of the rule decryption.

        Hide decryption_health attributes Show decryption_health attributes object
      • execution_health object

        The timestamp and status of the rule run.

        Hide execution_health attributes Show execution_health attributes object
      • read_health object

        The timestamp and status of the rule reading events.

        Hide read_health attributes Show read_health attributes object
    • has_permanent_encryption_key boolean

      If false, the encrypted saved object plugin does not have a permanent encryption key.

    • is_sufficiently_secure boolean

      If false, security is enabled but TLS is not.
  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
GET /api/alerting/_health 
curl \
 --request GET 'https://localhost:5601/api/alerting/_health' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "is_sufficiently_secure": true,
  "alerting_framework_health": {
    "read_health": {
      "status": "ok",
      "timestamp": "2023-01-13T01:28:00.280Z"
    },
    "execution_health": {
      "status": "ok",
      "timestamp": "2023-01-13T01:28:00.280Z"
    },
    "decryption_health": {
      "status": "ok",
      "timestamp": "2023-01-13T01:28:00.280Z"
    }
  },
  "has_permanent_encryption_key": true
}

Get rule details

GET /api/alerting/rule/{id}
Api key auth Basic auth

Path parameters

  • id string Required

    The identifier for the rule.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • actions array[object] Required
      Hide actions attributes Show actions attributes object
      • alerts_filter object

        Defines a period that limits whether the action runs.

        Additional properties are NOT allowed.

        Hide alerts_filter attributes Show alerts_filter attributes object
        • query object

          Additional properties are NOT allowed.

          Hide query attributes Show query attributes object
          • dsl string

            A filter written in Elasticsearch Query Domain Specific Language (DSL).

          • filters array[object] Required

            A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the kbn-es-query package.

            Hide filters attributes Show filters attributes object
            • $state object

              Additional properties are NOT allowed.

              Hide $state attribute Show $state attribute object
              • store string Required

                A filter can be either specific to an application context or applied globally.

                Values are appState or globalState.

            • meta object Required

              Additional properties are allowed.

            • query object

              Additional properties are allowed.

          • kql string Required

            A filter written in Kibana Query Language (KQL).

        • timeframe object

          Additional properties are NOT allowed.

          Hide timeframe attributes Show timeframe attributes object
          • days array[integer] Required

            Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.

            Values are 1, 2, 3, 4, 5, 6, or 7.

          • hours object Required

            Additional properties are NOT allowed.

            Hide hours attributes Show hours attributes object
            • end string Required

              The end of the time frame in 24-hour notation (hh:mm).

            • start string Required

              The start of the time frame in 24-hour notation (hh:mm).

          • timezone string Required

            The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.

      • connector_type_id string Required

        The type of connector. This property appears in responses but cannot be set in requests.

      • frequency object

        Additional properties are NOT allowed.

        Hide frequency attributes Show frequency attributes object
        • notify_when string Required

          Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

          Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.

        • summary boolean Required

          Indicates whether the action is a summary.

        • throttle string | null Required

          The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if 'notify_when' is set to 'onThrottleInterval'. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

      • group string

        The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.

      • id string Required

        The identifier for the connector saved object.

      • params object Required

        The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.

        Additional properties are allowed.

      • use_alert_data_for_template boolean

        Indicates whether to use alert data as a template.

      • uuid string

        A universally unique identifier (UUID) for the action.

    • active_snoozes array[string]

      List of active snoozes for the rule.

    • alert_delay object

      Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.

      Additional properties are NOT allowed.

      Hide alert_delay attribute Show alert_delay attribute object
      • active number Required

        The number of consecutive runs that must meet the rule conditions.

    • api_key_created_by_user boolean | null

      Indicates whether the API key that is associated with the rule was created by the user.

    • api_key_owner string | null Required

      The owner of the API key that is associated with the rule and used to run background tasks.

    • consumer string Required

      The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.

    • created_at string Required

      The date and time that the rule was created.

    • created_by string | null Required

      The identifier for the user that created the rule.

    • enabled boolean Required

      Indicates whether you want to run the rule on an interval basis after it is created.

    • execution_status object Required

      Additional properties are NOT allowed.

      Hide execution_status attributes Show execution_status attributes object
      • error object

        Additional properties are NOT allowed.

        Hide error attributes Show error attributes object
        • message string Required

          Error message.

        • reason string Required

          Reason for error.

          Values are read, decrypt, execute, unknown, license, timeout, disabled, or validate.

      • last_duration number

        Duration of last execution of the rule.

      • last_execution_date string Required

        The date and time when rule was executed last.

      • status string Required

        Status of rule execution.

        Values are ok, active, error, warning, pending, or unknown.

      • warning object

        Additional properties are NOT allowed.

        Hide warning attributes Show warning attributes object
        • message string Required

          Warning message.

        • reason string Required

          Reason for warning.

          Values are maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.

    • flapping object | null

      When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.

      Additional properties are NOT allowed.

      Hide flapping attributes Show flapping attributes object | null
      • look_back_window number Required

        The minimum number of runs in which the threshold must be met.

        Minimum value is 2, maximum value is 20.

      • status_change_threshold number Required

        The minimum number of times an alert must switch states in the look back window.

        Minimum value is 2, maximum value is 20.

    • id string Required

      The identifier for the rule.

    • is_snoozed_until string | null

      The date when the rule will no longer be snoozed.

    • last_run object | null

      Additional properties are NOT allowed.

      Hide last_run attributes Show last_run attributes object | null
      • alerts_count object Required

        Additional properties are NOT allowed.

        Hide alerts_count attributes Show alerts_count attributes object
        • active number | null

          Number of active alerts during last run.

        • ignored number | null

          Number of ignored alerts during last run.

        • new number | null

          Number of new alerts during last run.

        • recovered number | null

          Number of recovered alerts during last run.

      • outcome string Required

        Outcome of last run of the rule. Value could be succeeded, warning or failed.

        Values are succeeded, warning, or failed.

      • outcome_msg array[string] | null

        Outcome message generated during last rule run.

      • outcome_order number

        Order of the outcome.

      • warning string | null

        Warning of last rule execution.

        Values are read, decrypt, execute, unknown, license, timeout, disabled, validate, maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.

    • mapped_params object

      Additional properties are allowed.

    • monitoring object

      Monitoring details of the rule.

      Additional properties are NOT allowed.

      Hide monitoring attribute Show monitoring attribute object
      • run object Required

        Rule run details.

        Additional properties are NOT allowed.

        Hide run attributes Show run attributes object
        • calculated_metrics object Required

          Calculation of different percentiles and success ratio.

          Additional properties are NOT allowed.

          Hide calculated_metrics attributes Show calculated_metrics attributes object
        • history array[object] Required

          History of the rule run.

          Hide history attributes Show history attributes object
          • duration number

            Duration of the rule run.

          • outcome string

            Outcome of last run of the rule. Value could be succeeded, warning or failed.

            Values are succeeded, warning, or failed.

          • success boolean Required

            Indicates whether the rule run was successful.

          • timestamp number Required

            Time of rule run.

        • last_run object Required

          Additional properties are NOT allowed.

          Hide last_run attributes Show last_run attributes object
          • metrics object Required

            Additional properties are NOT allowed.

            Hide metrics attributes Show metrics attributes object
            • duration number

              Duration of most recent rule run.

            • gap_duration_s number | null

              Duration in seconds of rule run gap.

            • gap_range object | null

              Additional properties are NOT allowed.

              Hide gap_range attributes Show gap_range attributes object | null
              • gte string Required

                End of the gap range.

              • lte string Required

                Start of the gap range.

            • total_alerts_created number | null

              Total number of alerts created during last rule run.

            • total_alerts_detected number | null

              Total number of alerts detected during last rule run.

            • total_indexing_duration_ms number | null

              Total time spent indexing documents during last rule run in milliseconds.

            • total_search_duration_ms number | null

              Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.

          • timestamp string Required

            Time of the most recent rule run.

    • mute_all boolean Required

      Indicates whether all alerts are muted.

    • muted_alert_ids array[string] Required

      List of identifiers of muted alerts.

    • name string Required

      The name of the rule.

    • next_run string | null

      Date and time of the next run of the rule.

    • notify_when string | null

      Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

      Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.

    • params object Required

      The parameters for the rule.

      Additional properties are allowed.

    • revision number Required

      The rule revision number.

    • rule_type_id string Required

      The rule type identifier.

    • running boolean | null

      Indicates whether the rule is running.

    • schedule object Required

      Additional properties are NOT allowed.

      Hide schedule attribute Show schedule attribute object
      • interval string Required

        The interval is specified in seconds, minutes, hours, or days.

    • scheduled_task_id string

      Identifier of the scheduled task.

    • snooze_schedule array[object]
      Hide snooze_schedule attributes Show snooze_schedule attributes object
      • duration number Required

        Duration of the rule snooze schedule.

      • id string

        Identifier of the rule snooze schedule.

      • rRule object Required

        Additional properties are NOT allowed.

        Hide rRule attributes Show rRule attributes object
        • byhour array[number] | null

          Indicates hours of the day to recur.

        • byminute array[number] | null

          Indicates minutes of the hour to recur.

        • bymonth array[number] | null

          Indicates months of the year that this rule should recur.

        • bymonthday array[number] | null

          Indicates the days of the month to recur.

        • bysecond array[number] | null

          Indicates seconds of the day to recur.

        • bysetpos array[number] | null

          A positive or negative integer affecting the nth day of the month. For example, -2 combined with byweekday of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use byweekday.

        • byweekday array[string | number] | null

          Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a byweekday/bysetpos combination.

        • byweekno array[number] | null

          Indicates number of the week hours to recur.

        • byyearday array[number] | null

          Indicates the days of the year that this rule should recur.

        • count number

          Number of times the rule should recur until it stops.

        • dtstart string Required

          Rule start date in Coordinated Universal Time (UTC).

        • freq integer

          Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY.

          Values are 0, 1, 2, 3, 4, 5, or 6.

        • interval number

          Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.

        • tzid string Required

          Indicates timezone abbreviation.

        • until string

          Recur the rule until this date.

        • wkst string

          Indicates the start of week, defaults to Monday.

          Values are MO, TU, WE, TH, FR, SA, or SU.

      • skipRecurrences array[string]

        Skips recurrence of rule on this date.

    • tags array[string] Required

      The tags for the rule.

    • throttle string | null Deprecated

      Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

    • updated_at string Required

      The date and time that the rule was updated most recently.

    • updated_by string | null Required

      The identifier for the user that updated this rule most recently.

    • view_in_app_relative_url string | null

      Relative URL to view rule in the app.
  • 400

    Indicates an invalid schema or parameters.

  • 403

    Indicates that this call is forbidden.

  • 404

    Indicates a rule with the given ID does not exist.

GET /api/alerting/rule/{id} 
curl \
 --request GET 'https://localhost:5601/api/alerting/rule/{id}' \
 --header "Authorization: $API_KEY"

Create a rule

POST /api/alerting/rule/{id}
Api key auth Basic auth

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    The identifier for the rule. If it is omitted, an ID is randomly generated.

application/json

Body

  • actions array[object]

    An action that runs under defined conditions.

    Default value is [] (empty).

    Hide actions attributes Show actions attributes object
    • alerts_filter object

      Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.

      Additional properties are NOT allowed.

      Hide alerts_filter attributes Show alerts_filter attributes object
      • query object

        Additional properties are NOT allowed.

        Hide query attributes Show query attributes object
        • dsl string

          A filter written in Elasticsearch Query Domain Specific Language (DSL).

        • filters array[object] Required

          A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the kbn-es-query package.

          Hide filters attributes Show filters attributes object
          • $state object

            Additional properties are NOT allowed.

            Hide $state attribute Show $state attribute object
            • store string Required

              A filter can be either specific to an application context or applied globally.

              Values are appState or globalState.

          • meta object Required

            Additional properties are allowed.

          • query object

            Additional properties are allowed.

        • kql string Required

          A filter written in Kibana Query Language (KQL).

      • timeframe object

        Defines a period that limits whether the action runs.

        Additional properties are NOT allowed.

        Hide timeframe attributes Show timeframe attributes object
        • days array[integer] Required

          Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.

          Values are 1, 2, 3, 4, 5, 6, or 7.

        • hours object Required

          Defines the range of time in a day that the action can run. If the start value is 00:00 and the end value is 24:00, actions be generated all day.

          Additional properties are NOT allowed.

          Hide hours attributes Show hours attributes object
          • end string Required

            The end of the time frame in 24-hour notation (hh:mm).

          • start string Required

            The start of the time frame in 24-hour notation (hh:mm).

        • timezone string Required

          The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.

    • frequency object

      Additional properties are NOT allowed.

      Hide frequency attributes Show frequency attributes object
      • notify_when string Required

        Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

        Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.

      • summary boolean Required

        Indicates whether the action is a summary.

      • throttle string | null Required

        The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

    • group string

      The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.

    • id string Required

      The identifier for the connector saved object.

    • params object

      The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.

      Default value is {} (empty). Additional properties are allowed.

    • use_alert_data_for_template boolean

      Indicates whether to use alert data as a template.

    • uuid string

      A universally unique identifier (UUID) for the action.

  • alert_delay object

    Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.

    Additional properties are NOT allowed.

    Hide alert_delay attribute Show alert_delay attribute object
    • active number Required

      The number of consecutive runs that must meet the rule conditions.

  • consumer string Required

    The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.

  • enabled boolean

    Indicates whether you want to run the rule on an interval basis after it is created.

    Default value is true.

  • flapping object | null

    When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.

    Additional properties are NOT allowed.

    Hide flapping attributes Show flapping attributes object | null
    • look_back_window number Required

      The minimum number of runs in which the threshold must be met.

      Minimum value is 2, maximum value is 20.

    • status_change_threshold number Required

      The minimum number of times an alert must switch states in the look back window.

      Minimum value is 2, maximum value is 20.

  • name string Required

    The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.

  • notify_when string | null

    Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

    Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.

  • rule_type_id string Required

    The rule type identifier.

  • schedule object Required

    The check interval, which specifies how frequently the rule conditions are checked.

    Additional properties are NOT allowed.

    Hide schedule attribute Show schedule attribute object
    • interval string Required

      The interval is specified in seconds, minutes, hours, or days.

  • tags array[string]

    The tags for the rule.

    Default value is [] (empty).

  • throttle string | null

    Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

  • params object

    The parameters for the rule.

    Any of:
    params_property_apm_anomaly object params_property_apm_error_count object params_property_apm_transaction_duration object params_property_apm_transaction_error_rate object params_es_query_dsl_rule object params_es_query_esql_rule object params_es_query_kql_rule object params_index_threshold_rule object params_property_infra_inventory object Count object Ratio object params_property_infra_metric_threshold object params_property_slo_burn_rate object params_property_synthetics_uptime_tls object params_property_synthetics_monitor_status object
    Hide attributes Show attributes
    • serviceName string

      Filter the rule to apply to a specific service name.

    • transactionType string

      Filter the rule to apply to a specific transaction type.

    • windowSize number Required

      The size of the time window (in windowUnit units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.

    • windowUnit string Required

      The type of units for the time window. For example: minutes, hours, or days.

      Values are m, h, or d.

    • environment string Required

      Filter the rule to apply to a specific environment.

    • anomalySeverityType string Required

      The severity of anomalies that will generate alerts: critical, major, minor, or warning.

      Values are critical, major, minor, or warning.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • actions array[object] Required
      Hide actions attributes Show actions attributes object
      • alerts_filter object

        Defines a period that limits whether the action runs.

        Additional properties are NOT allowed.

        Hide alerts_filter attributes Show alerts_filter attributes object
        • query object

          Additional properties are NOT allowed.

          Hide query attributes Show query attributes object
          • dsl string

            A filter written in Elasticsearch Query Domain Specific Language (DSL).

          • filters array[object] Required

            A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the kbn-es-query package.

            Hide filters attributes Show filters attributes object
            • $state object

              Additional properties are NOT allowed.

              Hide $state attribute Show $state attribute object
              • store string Required

                A filter can be either specific to an application context or applied globally.

                Values are appState or globalState.

            • meta object Required

              Additional properties are allowed.

            • query object

              Additional properties are allowed.

          • kql string Required

            A filter written in Kibana Query Language (KQL).

        • timeframe object

          Additional properties are NOT allowed.

          Hide timeframe attributes Show timeframe attributes object
          • days array[integer] Required

            Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.

            Values are 1, 2, 3, 4, 5, 6, or 7.

          • hours object Required

            Additional properties are NOT allowed.

            Hide hours attributes Show hours attributes object
            • end string Required

              The end of the time frame in 24-hour notation (hh:mm).

            • start string Required

              The start of the time frame in 24-hour notation (hh:mm).

          • timezone string Required

            The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.

      • connector_type_id string Required

        The type of connector. This property appears in responses but cannot be set in requests.

      • frequency object

        Additional properties are NOT allowed.

        Hide frequency attributes Show frequency attributes object
        • notify_when string Required

          Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

          Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.

        • summary boolean Required

          Indicates whether the action is a summary.

        • throttle string | null Required

          The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if 'notify_when' is set to 'onThrottleInterval'. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

      • group string

        The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.

      • id string Required

        The identifier for the connector saved object.

      • params object Required

        The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.

        Additional properties are allowed.

      • use_alert_data_for_template boolean

        Indicates whether to use alert data as a template.

      • uuid string

        A universally unique identifier (UUID) for the action.

    • active_snoozes array[string]

      List of active snoozes for the rule.

    • alert_delay object

      Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.

      Additional properties are NOT allowed.

      Hide alert_delay attribute Show alert_delay attribute object
      • active number Required

        The number of consecutive runs that must meet the rule conditions.

    • api_key_created_by_user boolean | null

      Indicates whether the API key that is associated with the rule was created by the user.

    • api_key_owner string | null Required

      The owner of the API key that is associated with the rule and used to run background tasks.

    • consumer string Required

      The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.

    • created_at string Required

      The date and time that the rule was created.

    • created_by string | null Required

      The identifier for the user that created the rule.

    • enabled boolean Required

      Indicates whether you want to run the rule on an interval basis after it is created.

    • execution_status object Required

      Additional properties are NOT allowed.

      Hide execution_status attributes Show execution_status attributes object
      • error object

        Additional properties are NOT allowed.

        Hide error attributes Show error attributes object
        • message string Required

          Error message.

        • reason string Required

          Reason for error.

          Values are read, decrypt, execute, unknown, license, timeout, disabled, or validate.

      • last_duration number

        Duration of last execution of the rule.

      • last_execution_date string Required

        The date and time when rule was executed last.

      • status string Required

        Status of rule execution.

        Values are ok, active, error, warning, pending, or unknown.

      • warning object

        Additional properties are NOT allowed.

        Hide warning attributes Show warning attributes object
        • message string Required

          Warning message.

        • reason string Required

          Reason for warning.

          Values are maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.

    • flapping object | null

      When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.

      Additional properties are NOT allowed.

      Hide flapping attributes Show flapping attributes object | null
      • look_back_window number Required

        The minimum number of runs in which the threshold must be met.

        Minimum value is 2, maximum value is 20.

      • status_change_threshold number Required

        The minimum number of times an alert must switch states in the look back window.

        Minimum value is 2, maximum value is 20.

    • id string Required

      The identifier for the rule.

    • is_snoozed_until string | null

      The date when the rule will no longer be snoozed.

    • last_run object | null

      Additional properties are NOT allowed.

      Hide last_run attributes Show last_run attributes object | null
      • alerts_count object Required

        Additional properties are NOT allowed.

        Hide alerts_count attributes Show alerts_count attributes object
        • active number | null

          Number of active alerts during last run.

        • ignored number | null

          Number of ignored alerts during last run.

        • new number | null

          Number of new alerts during last run.

        • recovered number | null

          Number of recovered alerts during last run.

      • outcome string Required

        Outcome of last run of the rule. Value could be succeeded, warning or failed.

        Values are succeeded, warning, or failed.

      • outcome_msg array[string] | null

        Outcome message generated during last rule run.

      • outcome_order number

        Order of the outcome.

      • warning string | null

        Warning of last rule execution.

        Values are read, decrypt, execute, unknown, license, timeout, disabled, validate, maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.

    • mapped_params object

      Additional properties are allowed.

    • monitoring object

      Monitoring details of the rule.

      Additional properties are NOT allowed.

      Hide monitoring attribute Show monitoring attribute object
      • run object Required

        Rule run details.

        Additional properties are NOT allowed.

        Hide run attributes Show run attributes object
        • calculated_metrics object Required

          Calculation of different percentiles and success ratio.

          Additional properties are NOT allowed.

          Hide calculated_metrics attributes Show calculated_metrics attributes object
        • history array[object] Required

          History of the rule run.

          Hide history attributes Show history attributes object
          • duration number

            Duration of the rule run.

          • outcome string

            Outcome of last run of the rule. Value could be succeeded, warning or failed.

            Values are succeeded, warning, or failed.

          • success boolean Required

            Indicates whether the rule run was successful.

          • timestamp number Required

            Time of rule run.

        • last_run object Required

          Additional properties are NOT allowed.

          Hide last_run attributes Show last_run attributes object
          • metrics object Required

            Additional properties are NOT allowed.

            Hide metrics attributes Show metrics attributes object
            • duration number

              Duration of most recent rule run.

            • gap_duration_s number | null

              Duration in seconds of rule run gap.

            • gap_range object | null

              Additional properties are NOT allowed.

              Hide gap_range attributes Show gap_range attributes object | null
              • gte string Required

                End of the gap range.

              • lte string Required

                Start of the gap range.

            • total_alerts_created number | null

              Total number of alerts created during last rule run.

            • total_alerts_detected number | null

              Total number of alerts detected during last rule run.

            • total_indexing_duration_ms number | null

              Total time spent indexing documents during last rule run in milliseconds.

            • total_search_duration_ms number | null

              Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.

          • timestamp string Required

            Time of the most recent rule run.

    • mute_all boolean Required

      Indicates whether all alerts are muted.

    • muted_alert_ids array[string] Required

      List of identifiers of muted alerts.

    • name string Required

      The name of the rule.

    • next_run string | null

      Date and time of the next run of the rule.

    • notify_when string | null

      Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

      Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.

    • params object Required

      The parameters for the rule.

      Additional properties are allowed.

    • revision number Required

      The rule revision number.

    • rule_type_id string Required

      The rule type identifier.

    • running boolean | null

      Indicates whether the rule is running.

    • schedule object Required

      Additional properties are NOT allowed.

      Hide schedule attribute Show schedule attribute object
      • interval string Required

        The interval is specified in seconds, minutes, hours, or days.

    • scheduled_task_id string

      Identifier of the scheduled task.

    • snooze_schedule array[object]
      Hide snooze_schedule attributes Show snooze_schedule attributes object
      • duration number Required

        Duration of the rule snooze schedule.

      • id string

        Identifier of the rule snooze schedule.

      • rRule object Required

        Additional properties are NOT allowed.

        Hide rRule attributes Show rRule attributes object
        • byhour array[number] | null

          Indicates hours of the day to recur.

        • byminute array[number] | null

          Indicates minutes of the hour to recur.

        • bymonth array[number] | null

          Indicates months of the year that this rule should recur.

        • bymonthday array[number] | null

          Indicates the days of the month to recur.

        • bysecond array[number] | null

          Indicates seconds of the day to recur.

        • bysetpos array[number] | null

          A positive or negative integer affecting the nth day of the month. For example, -2 combined with byweekday of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use byweekday.

        • byweekday array[string | number] | null

          Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a byweekday/bysetpos combination.

        • byweekno array[number] | null

          Indicates number of the week hours to recur.

        • byyearday array[number] | null

          Indicates the days of the year that this rule should recur.

        • count number

          Number of times the rule should recur until it stops.

        • dtstart string Required

          Rule start date in Coordinated Universal Time (UTC).

        • freq integer

          Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY.

          Values are 0, 1, 2, 3, 4, 5, or 6.

        • interval number

          Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.

        • tzid string Required

          Indicates timezone abbreviation.

        • until string

          Recur the rule until this date.

        • wkst string

          Indicates the start of week, defaults to Monday.

          Values are MO, TU, WE, TH, FR, SA, or SU.

      • skipRecurrences array[string]

        Skips recurrence of rule on this date.

    • tags array[string] Required

      The tags for the rule.

    • throttle string | null Deprecated

      Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

    • updated_at string Required

      The date and time that the rule was updated most recently.

    • updated_by string | null Required

      The identifier for the user that updated this rule most recently.

    • view_in_app_relative_url string | null

      Relative URL to view rule in the app.
  • 400

    Indicates an invalid schema or parameters.

  • 403

    Indicates that this call is forbidden.

  • 409

    Indicates that the rule id is already in use.

POST /api/alerting/rule/{id} 
curl \
 --request POST 'https://localhost:5601/api/alerting/rule/{id}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"name":"my Elasticsearch query ESQL rule","params":{"size":0,"esqlQuery":{"esql":"FROM kibana_sample_data_logs | KEEP bytes, clientip, host, geo.dest | where geo.dest != \"GB\" | STATS sumbytes = sum(bytes) by clientip, host | WHERE sumbytes \u003e 5000 | SORT sumbytes desc | LIMIT 10"},"threshold":[0],"timeField":"@timestamp","searchType":"esqlQuery","timeWindowSize":1,"timeWindowUnit":"d","thresholdComparator":"\u003e"},"actions":[{"id":"d0db1fe0-78d6-11ee-9177-f7d404c8c945","group":"query matched","params":{"level":"info","message":"Elasticsearch query rule '{{rule.name}}' is active:\n- Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}"},"frequency":{"summary":false,"notify_when":"onActiveAlert"}}],"consumer":"stackAlerts","schedule":{"interval":"1d"},"rule_type_id":".es-query"}'
Request examples
Create an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL) to define its query and a server log connector to send notifications. 
{
  "name": "my Elasticsearch query ESQL rule",
  "params": {
    "size": 0,
    "esqlQuery": {
      "esql": "FROM kibana_sample_data_logs | KEEP bytes, clientip, host, geo.dest | where geo.dest != \"GB\" | STATS sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | SORT sumbytes desc | LIMIT 10"
    },
    "threshold": [
      0
    ],
    "timeField": "@timestamp",
    "searchType": "esqlQuery",
    "timeWindowSize": 1,
    "timeWindowUnit": "d",
    "thresholdComparator": ">"
  },
  "actions": [
    {
      "id": "d0db1fe0-78d6-11ee-9177-f7d404c8c945",
      "group": "query matched",
      "params": {
        "level": "info",
        "message": "Elasticsearch query rule '{{rule.name}}' is active:\n- Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}"
      },
      "frequency": {
        "summary": false,
        "notify_when": "onActiveAlert"
      }
    }
  ],
  "consumer": "stackAlerts",
  "schedule": {
    "interval": "1d"
  },
  "rule_type_id": ".es-query"
}
Create an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL) to define its query and a server log connector to send notifications. 
{
  "name": "my Elasticsearch query rule",
  "params": {
    "size": 100,
    "index": [
      "kibana_sample_data_logs"
    ],
    "esQuery": "\"\"\"{\"query\":{\"match_all\" : {}}}\"\"\"",
    "threshold": [
      100
    ],
    "timeField": "@timestamp",
    "timeWindowSize": 1,
    "timeWindowUnit": "d",
    "thresholdComparator": ">"
  },
  "actions": [
    {
      "id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
      "group": "query matched",
      "params": {
        "level": "info",
        "message": "The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts."
      },
      "frequency": {
        "summary": true,
        "throttle": "1d",
        "notify_when": "onThrottleInterval"
      }
    },
    {
      "id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
      "group": "recovered",
      "params": {
        "level": "info",
        "message": "Recovered"
      },
      "frequency": {
        "summary": false,
        "notify_when": "onActionGroupChange"
      }
    }
  ],
  "consumer": "alerts",
  "schedule": {
    "interval": "1d"
  },
  "rule_type_id": ".es-query"
}
Create an Elasticsearch query rule that uses Kibana query language (KQL). 
{
  "name": "my Elasticsearch query KQL rule",
  "params": {
    "size": 100,
    "aggType": "count",
    "groupBy": "all",
    "threshold": [
      1000
    ],
    "searchType": "searchSource",
    "timeWindowSize": 5,
    "timeWindowUnit": "m",
    "searchConfiguration": {
      "index": "90943e30-9a47-11e8-b64d-95841ca0b247",
      "query": {
        "query": "\"\"geo.src : \"US\" \"\"",
        "language": "kuery"
      }
    },
    "thresholdComparator": ">",
    "excludeHitsFromPreviousRun": true
  },
  "consumer": "alerts",
  "schedule": {
    "interval": "1m"
  },
  "rule_type_id": ".es-query"
}
Create an index threshold rule that uses a server log connector to send notifications when the threshold is met. 
{
  "name": "my rule",
  "tags": [
    "cpu"
  ],
  "params": {
    "index": [
      ".test-index"
    ],
    "aggType": "avg",
    "groupBy": "top",
    "aggField": "sheet.version",
    "termSize": 6,
    "termField": "name.keyword",
    "threshold": [
      1000
    ],
    "timeField": "@timestamp",
    "timeWindowSize": 5,
    "timeWindowUnit": "m",
    "thresholdComparator": ">"
  },
  "actions": [
    {
      "id": "48de3460-f401-11ed-9f8e-399c75a2deeb",
      "group": "threshold met",
      "params": {
        "level": "info",
        "message": "Rule '{{rule.name}}' is active for group '{{context.group}}':\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
      },
      "frequency": {
        "summary": false,
        "notify_when": "onActionGroupChange"
      }
    }
  ],
  "consumer": "alerts",
  "schedule": {
    "interval": "1m"
  },
  "alert_delay": {
    "active": 3
  },
  "rule_type_id": ".index-threshold"
}
Create a tracking containment rule that checks when an entity is contained or no longer contained within a boundary. 
{
  "name": "my tracking rule",
  "params": {
    "index": "kibana_sample_data_logs",
    "entity": "agent.keyword",
    "indexId": "90943e30-9a47-11e8-b64d-95841ca0b247",
    "geoField": "geo.coordinates",
    "dateField\"": "@timestamp",
    "boundaryType": "entireIndex",
    "boundaryIndexId": "0cd90abf-abe7-44c7-909a-f621bbbcfefc",
    "boundaryGeoField": "location",
    "boundaryNameField": "name",
    "boundaryIndexTitle": "boundary*"
  },
  "consumer": "alerts",
  "schedule": {
    "interval": "1h"
  },
  "rule_type_id": ".geo-containment"
}
Response examples (200)
The response for successfully creating an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL). 
{
  "id": "e0d62360-78e8-11ee-9177-f7d404c8c945",
  "name": "my Elasticsearch query ESQL rule",
  "tags": [],
  "params": {
    "size": 0,
    "aggType": "count",
    "groupBy": "all",
    "esqlQuery": {
      "esql": "FROM kibana_sample_data_logs | keep bytes, clientip, host, geo.dest | WHERE geo.dest != \"GB\" | stats sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | sort sumbytes desc | limit 10"
    },
    "threshold": [
      0
    ],
    "timeField": "@timestamp",
    "searchType": "esqlQuery",
    "timeWindowSize": 1,
    "timeWindowUnit": "d",
    "thresholdComparator": ">",
    "excludeHitsFromPreviousRun\"": "true,"
  },
  "actions": [
    {
      "id": "d0db1fe0-78d6-11ee-9177-f7d404c8c945",
      "uuid": "bfe370a3-531b-4855-bbe6-ad739f578844",
      "group": "query matched",
      "params": {
        "level": "info",
        "message": "Elasticsearch query rule '{{rule.name}}' is active:\n- Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}"
      },
      "frequency": {
        "summary": false,
        "throttle": null,
        "notify_when": "onActiveAlert"
      },
      "connector_type_id": ".server-log"
    }
  ],
  "enabled": true,
  "running": false,
  "consumer": "stackAlerts",
  "mute_all": false,
  "revision": 0,
  "schedule": {
    "interval": "1d"
  },
  "throttle": null,
  "created_at": "2023-11-01T19:00:10.453Z",
  "created_by": "elastic",
  "updated_at": "2023-11-01T19:00:10.453Z",
  "updated_by": "elastic\",",
  "notify_when": null,
  "rule_type_id": ".es-query",
  "api_key_owner": "elastic",
  "muted_alert_ids": [],
  "execution_status": {
    "status": "pending",
    "last_execution_date": "2023-11-01T19:00:10.453Z"
  },
  "scheduled_task_id": "e0d62360-78e8-11ee-9177-f7d404c8c945",
  "api_key_created_by_user": false
}
The response for successfully creating an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL). 
{
  "id": "58148c70-407f-11ee-850e-c71febc4ca7f",
  "name": "my Elasticsearch query rule",
  "tags": [],
  "params": {
    "size": 100,
    "index": [
      "kibana_sample_data_logs"
    ],
    "aggType": "count",
    "esQuery": "\"\"\"{\"query\":{\"match_all\" : {}}}\"\"\"",
    "groupBy": "all",
    "threshold": [
      100
    ],
    "timeField": "@timestamp",
    "searchType": "esQuery",
    "timeWindowSize": 1,
    "timeWindowUnit": "d",
    "thresholdComparator": ">",
    "excludeHitsFromPreviousRun": true
  },
  "actions": [
    {
      "id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
      "uuid": "53f3c2a3-e5d0-4cfa-af3b-6f0881385e78",
      "group": "query matched",
      "params": {
        "level": "info",
        "message": "The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts."
      },
      "frequency": {
        "summary": true,
        "throttle": "1d",
        "notify_when": "onThrottleInterval"
      },
      "connector_type_id": ".server-log"
    },
    {
      "id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
      "uuid": "2324e45b-c0df-45c7-9d70-4993e30be758",
      "group": "recovered",
      "params": {
        "level": "info",
        "message": "Recovered"
      },
      "frequency": {
        "summary": false,
        "throttle": null,
        "notify_when": "onActionGroupChange"
      },
      "connector_type_id": ".server-log"
    }
  ],
  "enabled": true,
  "running": false,
  "consumer": "alerts",
  "mute_all": false,
  "revision": 0,
  "schedule": {
    "interval": "1d"
  },
  "throttle": null,
  "created_at": "2023-08-22T00:03:38.263Z",
  "created_by": "elastic",
  "updated_at": "2023-08-22T00:03:38.263Z",
  "updated_by": "elastic",
  "notify_when": null,
  "rule_type_id": ".es-query",
  "api_key_owner": "elastic",
  "muted_alert_ids": [],
  "execution_status": {
    "status": "pending",
    "last_execution_date": "2023-08-22T00:03:38.263Z"
  },
  "scheduled_task_id": "58148c70-407f-11ee-850e-c71febc4ca7f",
  "api_key_created_by_user": false
}
The response for successfully creating an Elasticsearch query rule that uses Kibana query language (KQL). 
{
  "id": "7bd506d0-2284-11ee-8fad-6101956ced88",
  "name": "my Elasticsearch query KQL rule\"",
  "tags": [],
  "params": {
    "size": 100,
    "aggType": "count",
    "groupBy": "all",
    "threshold": [
      1000
    ],
    "searchType": "searchSource",
    "timeWindowSize": 5,
    "timeWindowUnit": "m",
    "searchConfiguration": {
      "index": "90943e30-9a47-11e8-b64d-95841ca0b247",
      "query": {
        "query": "\"\"geo.src : \"US\" \"\"",
        "language": "kuery"
      }
    },
    "thresholdComparator": ">",
    "excludeHitsFromPreviousRun": true
  },
  "actions": [],
  "enabled": true,
  "running": false,
  "consumer": "alerts",
  "mute_all": false,
  "revision": 0,
  "schedule": {
    "interval": "1m"
  },
  "throttle": null,
  "created_at": "2023-07-14T20:24:50.729Z",
  "created_by": "elastic",
  "updated_at": "2023-07-14T20:24:50.729Z",
  "updated_by": "elastic",
  "notify_when": null,
  "rule_type_id": ".es-query",
  "api_key_owner": "elastic",
  "muted_alert_ids": [],
  "execution_status": {
    "status": "pending",
    "last_execution_date": "2023-07-14T20:24:50.729Z"
  },
  "scheduled_task_id": "7bd506d0-2284-11ee-8fad-6101956ced88",
  "api_key_created_by_user": false
}
The response for successfully creating an index threshold rule. 
{
  "id": "41893910-6bca-11eb-9e0d-85d233e3ee35",
  "name": "my rule",
  "tags": [
    "cpu"
  ],
  "params": {
    "index": [
      ".test-index"
    ],
    "aggType": "avg",
    "groupBy": "top",
    "aggField": "sheet.version",
    "termSize": 6,
    "termField": "name.keyword",
    "threshold": [
      1000
    ],
    "timeField": "@timestamp",
    "timeWindowSize": 5,
    "timeWindowUnit": "m",
    "thresholdComparator": ">"
  },
  "actions": [
    {
      "id": "dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2",
      "uuid": "07aef2a0-9eed-4ef9-94ec-39ba58eb609d",
      "group": "threshold met",
      "params": {
        "level": "info",
        "message": "Rule {{rule.name}} is active for group {{context.group} :\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
      },
      "frequency": {
        "summary": false,
        "throttle": null,
        "notify_when": "onActionGroupChange"
      },
      "connector_type_id": ".server-log"
    }
  ],
  "enabled": true,
  "running": false,
  "consumer": "alerts",
  "mute_all": false,
  "revision": 0,
  "schedule": {
    "interval": "1m"
  },
  "throttle": null,
  "created_at": "2022-06-08T17:20:31.632Z",
  "created_by": "elastic",
  "updated_at": "2022-06-08T17:20:31.632Z",
  "updated_by": "elastic",
  "alert_delay": {
    "active": 3
  },
  "notify_when": null,
  "rule_type_id": ".index-threshold",
  "api_key_owner": "elastic",
  "muted_alert_ids": [],
  "execution_status": {
    "status": "pending",
    "last_execution_date": "2022-06-08T17:20:31.632Z"
  },
  "scheduled_task_id": "425b0800-6bca-11eb-9e0d-85d233e3ee35",
  "api_key_created_by_user": false
}
The response for successfully creating a tracking containment rule. 
{
  "id": "b6883f9d-5f70-4758-a66e-369d7c26012f",
  "name": "my tracking rule",
  "tags": [],
  "params": {
    "index": "kibana_sample_data_logs",
    "entity": "agent.keyword",
    "indexId": "90943e30-9a47-11e8-b64d-95841ca0b247",
    "geoField": "geo.coordinates",
    "dateField": "@timestamp",
    "boundaryType": "entireIndex",
    "boundaryIndexId": "0cd90abf-abe7-44c7-909a-f621bbbcfefc",
    "boundaryGeoField": "location",
    "boundaryNameField": "name",
    "boundaryIndexTitle": "boundary*"
  },
  "actions": [],
  "enabled": true,
  "running": false,
  "consumer": "alerts",
  "last_run": {
    "outcome": "succeeded",
    "warning": null,
    "outcome_msg": null,
    "alerts_count": {
      "new": 0,
      "active": 0,
      "ignored": 0,
      "recovered": 0
    },
    "outcome_order": 0
  },
  "mute_all": false,
  "next_run": "2024-02-15T03:26:38.033Z",
  "revision": 1,
  "schedule": {
    "interval": "1h"
  },
  "throttle": null,
  "created_at": "2024-02-14T19:52:55.920Z",
  "created_by": "elastic",
  "updated_at": "2024-02-15T03:24:32.574Z",
  "updated_by": "elastic",
  "notify_when": null,
  "rule_type_id": ".geo-containment",
  "api_key_owner": "elastic",
  "muted_alert_ids": [],
  "execution_status": {
    "status": "ok",
    "last_duration": 74,
    "last_execution_date": "2024-02-15T03:25:38.125Z"
  },
  "scheduled_task_id": "b6883f9d-5f70-4758-a66e-369d7c26012f",
  "api_key_created_by_user": false
}

Unmute all alerts

POST /api/alerting/rule/{id}/_unmute_all
Api key auth Basic auth

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    The identifier for the rule.

Responses

  • 204

    Indicates a successful call.

  • 400

    Indicates an invalid schema or parameters.

  • 403

    Indicates that this call is forbidden.

  • 404

    Indicates a rule with the given ID does not exist.

POST /api/alerting/rule/{id}/_unmute_all 
curl \
 --request POST 'https://localhost:5601/api/alerting/rule/{id}/_unmute_all' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Get an alert by identifier Deprecated

GET /api/alerts/alert/{alertId}
Api key auth Basic auth

Deprecated in 7.13.0. Use the get rule API instead.

Path parameters

  • alertId string Required

    The identifier for the alert.

Responses

GET /api/alerts/alert/{alertId} 
curl \
 --request GET 'https://localhost:5601/api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35' \
 --header "Authorization: $API_KEY"

Update an alert Deprecated

PUT /api/alerts/alert/{alertId}
Api key auth Basic auth

Deprecated in 7.13.0. Use the update rule API instead.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

  • alertId string Required

    The identifier for the alert.

application/json

Body Required

  • actions array[object]
    Hide actions attributes Show actions attributes object
    • actionTypeId string Required

      The identifier for the action type.

    • group string Required

      Grouping actions is recommended for escalations for different types of alert instances. If you don't need this functionality, set it to default.

    • id string Required

      The ID of the action saved object.

    • params object Required

      The map to the params that the action type will receive. params are handled as Mustache templates and passed a default set of context.

  • name string Required

    A name to reference and search.

  • notifyWhen string Required

    The condition for throttling the notification.

    Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.

  • params object Required

    The parameters to pass to the alert type executor params value. This will also validate against the alert type params validator, if defined.

  • schedule object Required

    The schedule specifying when this alert should be run. A schedule is structured such that the key specifies the format you wish to use and its value specifies the schedule.

    Hide schedule attribute Show schedule attribute object
    • interval string

      The interval format specifies the interval in seconds, minutes, hours or days at which the alert should run.

  • tags array[string]

    A list of keywords to reference and search.

  • throttle string

    How often this alert should fire the same actions. This will prevent the alert from sending out the same notification over and over. For example, if an alert with a schedule of 1 minute stays in a triggered state for 90 minutes, setting a throttle of 10m or 1h will prevent it from sending 90 notifications during this period.

Responses

PUT /api/alerts/alert/{alertId} 
curl \
 --request PUT 'https://localhost:5601/api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"actions":[{"actionTypeId":"string","group":"string","id":"string","params":{}}],"name":"string","notifyWhen":"onActionGroupChange","params":{},"schedule":{"interval":"1d"},"tags":["string"],"throttle":"string"}'

Disable an alert Deprecated

POST /api/alerts/alert/{alertId}/_disable
Api key auth Basic auth

Deprecated in 7.13.0. Use the disable rule API instead.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

  • alertId string Required

    The identifier for the alert.

Responses

  • 204

    Indicates a successful call.

  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
POST /api/alerts/alert/{alertId}/_disable 
curl \
 --request POST 'https://localhost:5601/api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35/_disable' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: string"

Mute all alert instances Deprecated

POST /api/alerts/alert/{alertId}/_mute_all
Api key auth Basic auth

Deprecated in 7.13.0. Use the mute all alerts API instead.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

  • alertId string Required

    The identifier for the alert.

Responses

  • 204

    Indicates a successful call.

  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
POST /api/alerts/alert/{alertId}/_mute_all 
curl \
 --request POST 'https://localhost:5601/api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35/_mute_all' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: string"

Get environments for service

GET /api/apm/settings/agent-configuration/environments
Api key auth Basic auth

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

Query parameters

Responses

  • 200 application/json

    Successful response

    Hide response attribute Show response attribute object
    • environments array[object]

      Service environment list

      Hide environments attributes Show environments attributes object
  • 400 application/json

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 404 application/json

    Not found response

    Hide response attributes Show response attributes object
GET /api/apm/settings/agent-configuration/environments 
curl \
 --request GET 'https://localhost:5601/api/apm/settings/agent-configuration/environments' \
 --header "Authorization: $API_KEY" \
 --header "elastic-api-version: 2023-10-31"

Lookup single agent configuration

POST /api/apm/settings/agent-configuration/search
Api key auth Basic auth

This endpoint allows to search for single agent configuration and update 'applied_by_agent' field.

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body Required

  • etag string

    If etags match then applied_by_agent field will be set to true

  • mark_as_applied_by_agent boolean

    markAsAppliedByAgent=true means "force setting it to true regardless of etag". This is needed for Jaeger agent that doesn't have etags

  • service object Required

    Service

    Hide service attributes Show service attributes object

Responses

  • 200 application/json

    Successful response

    Hide response attributes Show response attributes object
  • 400 application/json

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 404 application/json

    Not found response

    Hide response attributes Show response attributes object
POST /api/apm/settings/agent-configuration/search 
curl \
 --request POST 'https://localhost:5601/api/apm/settings/agent-configuration/search' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "elastic-api-version: 2023-10-31" \
 --header "kbn-xsrf: true" \
 --data '{"etag":"0bc3b5ebf18fba8163fe4c96f491e3767a358f85","mark_as_applied_by_agent":true,"service":{"environment":"prod","name":"node"}}'

Get single agent configuration

GET /api/apm/settings/agent-configuration/view
Api key auth Basic auth

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

Query parameters

Responses

  • 200 application/json

    Successful response

    Hide response attributes Show response attributes object
  • 400 application/json

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 404 application/json

    Not found response

    Hide response attributes Show response attributes object
GET /api/apm/settings/agent-configuration/view 
curl \
 --request GET 'https://localhost:5601/api/apm/settings/agent-configuration/view' \
 --header "Authorization: $API_KEY" \
 --header "elastic-api-version: 2023-10-31"

APM agent keys

Configure APM agent keys to authorize requests from APM agents to the APM Server.

Create a service annotation

POST /api/apm/services/{serviceName}/annotation
Api key auth Basic auth

Create a new annotation for a specific service.

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

application/json

Body Required

Responses

  • 200 application/json

    Annotation created successfully

    Hide response attributes Show response attributes object
  • 400 application/json

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 403 application/json

    Forbidden response

    Hide response attributes Show response attributes object
  • 404 application/json

    Not found response

    Hide response attributes Show response attributes object
POST /api/apm/services/{serviceName}/annotation 
curl \
 --request POST 'https://localhost:5601/api/apm/services/{serviceName}/annotation' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "elastic-api-version: 2023-10-31" \
 --header "kbn-xsrf: true" \
 --data '{"@timestamp":"string","message":"string","service":{"environment":"string","version":"string"},"tags":["string"]}'

Search for annotations

GET /api/apm/services/{serviceName}/annotation/search
Api key auth Basic auth

Search for annotations related to a specific service.

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

Path parameters

Query parameters

  • environment string

    The environment to filter annotations by

  • start string

    The start date for the search

  • end string

    The end date for the search

Responses

  • 200 application/json

    Successful response

    Hide response attribute Show response attribute object
  • 400 application/json

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 500 application/json

    Internal Server Error response

    Hide response attributes Show response attributes object
GET /api/apm/services/{serviceName}/annotation/search 
curl \
 --request GET 'https://localhost:5601/api/apm/services/{serviceName}/annotation/search' \
 --header "Authorization: $API_KEY" \
 --header "elastic-api-version: 2023-10-31"

APM sourcemaps

Configure APM source maps.

Cases

Cases are used to open and track issues. You can add assignees and tags to your cases, set their severity and status, and add alerts, comments, and visualizations. You can also send cases to external incident management systems by configuring connectors.

Cases documentation

Search cases

GET /api/cases/_find
Api key auth Basic auth

You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.

Query parameters

  • assignees string | array[string]

    Filters the returned cases by assignees. Valid values are none or unique identifiers for the user profiles. These identifiers can be found by using the suggest user profile API.

  • category string | array[string]

    Filters the returned cases by category.

  • defaultSearchOperator string

    he default operator to use for the simple_query_string.

    Default value is OR.

  • from string

    Returns only cases that were created after a specific date. The date must be specified as a KQL data range or date match expression.

  • owner string | array[string]

    A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read.

  • page integer

    The page number to return.

    Default value is 1.

  • perPage integer

    The number of items to return. Limited to 100 items.

    Maximum value is 100. Default value is 20.

  • reporters string | array[string]

    Filters the returned cases by the user name of the reporter.

  • searchFields string | array[string]

    The fields to perform the simple_query_string parsed query against.

  • severity string

    The severity of the case.

    Values are critical, high, low, or medium.

  • sortField string

    Determines which field is used to sort the results.

    Values are createdAt, updatedAt, closedAt, title, category, status, or severity. Default value is createdAt.

  • sortOrder string

    Determines the sort order.

    Values are asc or desc. Default value is desc.

  • status string

    Filters the returned cases by state.

    Values are closed, in-progress, or open.

  • tags string | array[string]

    Filters the returned cases by tags.

  • to string

    Returns only cases that were created before a specific date. The date must be specified as a KQL data range or date match expression.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • cases array[object]

      Not more than 10000 elements.

      Hide cases attributes Show cases attributes object
      • assignees array[object] | null

        An array containing users that are assigned to the case.

        Not more than 10 elements.

        Hide assignees attribute Show assignees attribute object
        • uid string Required

          A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

      • category string | null

        The case category.

      • closed_at string(date-time) | null Required
      • closed_by object | null Required
        Hide closed_by attributes Show closed_by attributes object | null
      • comments array[object] Required

        An array of comment objects for the case.

        Not more than 10000 elements.

        One of:
        Cases_alert_comment_response_properties object Cases_user_comment_response_properties object
        Hide attributes Show attributes

      • connector object Required

        One of:
        Cases_connector_properties_none object Cases_connector_properties_cases_webhook object Cases_connector_properties_jira object Cases_connector_properties_resilient object Cases_connector_properties_servicenow object Cases_connector_properties_servicenow_sir object Cases_connector_properties_swimlane object

        Defines properties for connectors when type is .none.

        Hide attributes Show attributes
        • fields string | null Required

          An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.

        • id string Required

          The identifier for the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

        • name string Required

          The name of the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

        • type string Required Discriminator

          The type of connector. To create a case without a connector, use .none. To update a case to remove the connector, specify .none.

          Value is .none.

      • created_at string(date-time) Required
      • created_by object Required
        Hide created_by attributes Show created_by attributes object
      • customFields array[object]

        Custom field values for the case.

        Hide customFields attributes Show customFields attributes object
        • key string

          The unique identifier for the custom field. The key value must exist in the case configuration settings.

        • type string

          The custom field type. It must match the type specified in the case configuration settings.

          Values are text or toggle.

        • value string | null | boolean

          The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is undefined. The value returned in the API and user interface in this case is null.

          One of:
          string-1 string | null boolean-2 boolean

          Minimum length is 1, maximum length is 160.

      • description string Required
      • duration integer | null Required

        The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero.

      • external_service object | null Required
        Hide external_service attributes Show external_service attributes object | null
      • id string Required
      • owner string Required

        The application that owns the cases: Stack Management, Observability, or Elastic Security.

        Values are cases, observability, or securitySolution.

      • settings object Required

        An object that contains the case settings.

        Hide settings attribute Show settings attribute object
        • syncAlerts boolean Required

          Turns alert syncing on or off.

      • severity string Required

        The severity of the case.

        Values are critical, high, low, or medium. Default value is low.

      • status string Required

        The status of the case.

        Values are closed, in-progress, or open.

      • tags array[string] Required
      • title string Required
      • totalAlerts integer Required
      • totalComment integer Required
      • updated_at string(date-time) | null Required
      • updated_by object | null Required
        Hide updated_by attributes Show updated_by attributes object | null
      • version string Required
    • count_closed_cases integer
    • count_in_progress_cases integer
    • count_open_cases integer
    • page integer
    • per_page integer
    • total integer
  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
GET /api/cases/_find 
curl \
 --request GET 'https://localhost:5601/api/cases/_find' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "page": 1,
  "cases": [
    {
      "id": "abed3a70-71bd-11ea-a0b2-c51ea50a58e2",
      "tags": [
        "tag-1"
      ],
      "owner": "cases",
      "title": "Case title",
      "status": "open",
      "version": "WzExMCwxXQ==",
      "category": null,
      "comments": [],
      "duration": null,
      "settings": {
        "syncAlerts": true
      },
      "severity": "low",
      "assignees": [],
      "closed_at": null,
      "closed_by": null,
      "connector": {
        "id": "none",
        "name": "none",
        "type": ".none",
        "fields": null
      },
      "created_at": "2023-10-12T00:16:36.371Z",
      "created_by": {
        "email": null,
        "username": "elastic",
        "full_name": null,
        "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
      },
      "updated_at": "2023-10-12T00:27:58.162Z",
      "updated_by": {
        "email": null,
        "username": "elastic",
        "full_name": null,
        "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
      },
      "description": "Case description",
      "totalAlerts": 0,
      "customFields": [
        {
          "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
          "type": "text",
          "value": "My field value"
        },
        {
          "key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
          "type": "toggle",
          "value": null
        }
      ],
      "totalComment": 1,
      "external_service": null
    }
  ],
  "total": 1,
  "per_page": 5,
  "count_open_cases": 1,
  "count_closed_cases": 0,
  "count_in_progress_cases": 0
}

Delete all case comments and alerts

DELETE /api/cases/{caseId}/comments
Api key auth Basic auth

Deletes all comments and alerts from a case. You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're deleting.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

  • caseId string Required

    The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.

Responses

  • 204

    Indicates a successful call.

  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
DELETE /api/cases/{caseId}/comments 
curl \
 --request DELETE 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: string"

Find case comments and alerts

GET /api/cases/{caseId}/comments/_find
Api key auth Basic auth

Retrieves a paginated list of comments for a case. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases with the comments you're seeking.

Path parameters

  • caseId string Required

    The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.

Query parameters

  • page integer

    The page number to return.

    Default value is 1.

  • perPage integer

    The number of items to return. Limited to 100 items.

    Maximum value is 100. Default value is 20.

  • sortOrder string

    Determines the sort order.

    Values are asc or desc. Default value is desc.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • assignees array[object] | null

      An array containing users that are assigned to the case.

      Not more than 10 elements.

      Hide assignees attribute Show assignees attribute object
      • uid string Required

        A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

    • category string | null

      The case category.

    • closed_at string(date-time) | null Required
    • closed_by object | null Required
      Hide closed_by attributes Show closed_by attributes object | null
    • comments array[object] Required

      An array of comment objects for the case.

      Not more than 10000 elements.

      One of:
      Cases_alert_comment_response_properties object Cases_user_comment_response_properties object
      Hide attributes Show attributes

    • connector object Required

      One of:
      Cases_connector_properties_none object Cases_connector_properties_cases_webhook object Cases_connector_properties_jira object Cases_connector_properties_resilient object Cases_connector_properties_servicenow object Cases_connector_properties_servicenow_sir object Cases_connector_properties_swimlane object

      Defines properties for connectors when type is .none.

      Hide attributes Show attributes
      • fields string | null Required

        An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.

      • id string Required

        The identifier for the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

      • name string Required

        The name of the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

      • type string Required Discriminator

        The type of connector. To create a case without a connector, use .none. To update a case to remove the connector, specify .none.

        Value is .none.

    • created_at string(date-time) Required
    • created_by object Required
      Hide created_by attributes Show created_by attributes object
    • customFields array[object]

      Custom field values for the case.

      Hide customFields attributes Show customFields attributes object
      • key string

        The unique identifier for the custom field. The key value must exist in the case configuration settings.

      • type string

        The custom field type. It must match the type specified in the case configuration settings.

        Values are text or toggle.

      • value string | null | boolean

        The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is undefined. The value returned in the API and user interface in this case is null.

        One of:
        string-1 string | null boolean-2 boolean

        Minimum length is 1, maximum length is 160.

    • description string Required
    • duration integer | null Required

      The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero.

    • external_service object | null Required
      Hide external_service attributes Show external_service attributes object | null
    • id string Required
    • owner string Required

      The application that owns the cases: Stack Management, Observability, or Elastic Security.

      Values are cases, observability, or securitySolution.

    • settings object Required

      An object that contains the case settings.

      Hide settings attribute Show settings attribute object
      • syncAlerts boolean Required

        Turns alert syncing on or off.

    • severity string Required

      The severity of the case.

      Values are critical, high, low, or medium. Default value is low.

    • status string Required

      The status of the case.

      Values are closed, in-progress, or open.

    • tags array[string] Required
    • title string Required
    • totalAlerts integer Required
    • totalComment integer Required
    • updated_at string(date-time) | null Required
    • updated_by object | null Required
      Hide updated_by attributes Show updated_by attributes object | null
    • version string Required
  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
GET /api/cases/{caseId}/comments/_find 
curl \
 --request GET 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments/_find' \
 --header "Authorization: $API_KEY"

Get a case comment or alert

GET /api/cases/{caseId}/comments/{commentId}
Api key auth Basic auth

You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases with the comments you're seeking.

Path parameters

  • caseId string Required

    The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.

  • commentId string Required

    The identifier for the comment. To retrieve comment IDs, use the get case or find cases APIs.

Responses

GET /api/cases/{caseId}/comments/{commentId} 
curl \
 --request GET 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments/71ec1870-725b-11ea-a0b2-c51ea50a58e2' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "id": "8048b460-fe2b-11ec-b15d-779a7c8bbcc3",
  "type": "user",
  "owner": "cases",
  "comment": "A new comment",
  "version": "WzIzLDFd",
  "pushed_at": null,
  "pushed_by": null,
  "created_at": "2023-10-07T19:32:13.104Z",
  "created_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "updated_at": null,
  "updated_by": null
}

Push a case to an external service

POST /api/cases/{caseId}/connector/{connectorId}/_push
Api key auth Basic auth

You must have all privileges for the Actions and Connectors feature in the Management section of the Kibana feature privileges. You must also have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're pushing.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

  • caseId string Required

    The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.

  • connectorId string Required

    An identifier for the connector. To retrieve connector IDs, use the find connectors API.

application/json

Body

object | null object | null

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • assignees array[object] | null

      An array containing users that are assigned to the case.

      Not more than 10 elements.

      Hide assignees attribute Show assignees attribute object
      • uid string Required

        A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

    • category string | null

      The case category.

    • closed_at string(date-time) | null Required
    • closed_by object | null Required
      Hide closed_by attributes Show closed_by attributes object | null
    • comments array[object] Required

      An array of comment objects for the case.

      Not more than 10000 elements.

      One of:
      Cases_alert_comment_response_properties object Cases_user_comment_response_properties object
      Hide attributes Show attributes

    • connector object Required

      One of:
      Cases_connector_properties_none object Cases_connector_properties_cases_webhook object Cases_connector_properties_jira object Cases_connector_properties_resilient object Cases_connector_properties_servicenow object Cases_connector_properties_servicenow_sir object Cases_connector_properties_swimlane object

      Defines properties for connectors when type is .none.

      Hide attributes Show attributes
      • fields string | null Required

        An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.

      • id string Required

        The identifier for the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

      • name string Required

        The name of the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

      • type string Required Discriminator

        The type of connector. To create a case without a connector, use .none. To update a case to remove the connector, specify .none.

        Value is .none.

    • created_at string(date-time) Required
    • created_by object Required
      Hide created_by attributes Show created_by attributes object
    • customFields array[object]

      Custom field values for the case.

      Hide customFields attributes Show customFields attributes object
      • key string

        The unique identifier for the custom field. The key value must exist in the case configuration settings.

      • type string

        The custom field type. It must match the type specified in the case configuration settings.

        Values are text or toggle.

      • value string | null | boolean

        The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is undefined. The value returned in the API and user interface in this case is null.

        One of:
        string-1 string | null boolean-2 boolean

        Minimum length is 1, maximum length is 160.

    • description string Required
    • duration integer | null Required

      The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero.

    • external_service object | null Required
      Hide external_service attributes Show external_service attributes object | null
    • id string Required
    • owner string Required

      The application that owns the cases: Stack Management, Observability, or Elastic Security.

      Values are cases, observability, or securitySolution.

    • settings object Required

      An object that contains the case settings.

      Hide settings attribute Show settings attribute object
      • syncAlerts boolean Required

        Turns alert syncing on or off.

    • severity string Required

      The severity of the case.

      Values are critical, high, low, or medium. Default value is low.

    • status string Required

      The status of the case.

      Values are closed, in-progress, or open.

    • tags array[string] Required
    • title string Required
    • totalAlerts integer Required
    • totalComment integer Required
    • updated_at string(date-time) | null Required
    • updated_by object | null Required
      Hide updated_by attributes Show updated_by attributes object | null
    • version string Required
  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
POST /api/cases/{caseId}/connector/{connectorId}/_push 
curl \
 --request POST 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/connector/abed3a70-71bd-11ea-a0b2-c51ea50a58e2/_push' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string"
Response examples (200) 
{
  "id": "b917f300-0ed9-11ed-bd18-65557fe66949",
  "tags": [
    "tag 1"
  ],
  "owner": "cases",
  "title": "Case title 1",
  "status": "open",
  "version": "WzE3NjgsM10=",
  "comments": [],
  "duration": null,
  "settings": {
    "syncAlerts": true
  },
  "severity": "low",
  "closed_at": null,
  "closed_by": null,
  "connector": {
    "id": "09f8c0b0-0eda-11ed-bd18-65557fe66949",
    "name": "My connector",
    "type": ".jira",
    "fields": {
      "parent": null,
      "priority": "Low",
      "issueType": "10006"
    }
  },
  "created_at": "2022-07-29T00:59:39.444Z",
  "created_by": {
    "email": null,
    "username": "elastic",
    "full_name": null
  },
  "updated_at": "2022-07-29T01:20:58.436Z",
  "updated_by": {
    "email": null,
    "username": "elastic",
    "full_name": null
  },
  "description": "A case description.",
  "totalAlerts": 0,
  "totalComment": 0,
  "external_service": {
    "pushed_at": "2022-07-29T01:20:58.436Z",
    "pushed_by": {
      "email": null,
      "username": "elastic",
      "full_name": null
    },
    "external_id": "71926",
    "connector_id": "09f8c0b0-0eda-11ed-bd18-65557fe66949",
    "external_url": "https://cases.jira.com",
    "connector_name": "My connector",
    "external_title": "ES-554"
  }
}

Get case settings

GET /api/cases/configure
Api key auth Basic auth

Get setting details such as the closure type, custom fields, templatse, and the default connector for cases. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on where the cases were created.

Query parameters

  • owner string | array[string]

    A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • closure_type string

      Indicates whether a case is automatically closed when it is pushed to external systems (close-by-pushing) or not automatically closed (close-by-user).

      Values are close-by-pushing or close-by-user.

    • connector object
      Hide connector attributes Show connector attributes object
      • fields object | null

        The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to null.

      • id string

        The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.

      • name string

        The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.

      • type string

        The type of connector.

        Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.

    • created_at string(date-time)
    • created_by object
      Hide created_by attributes Show created_by attributes object
    • customFields array[object]

      Custom fields configuration details.

      Hide customFields attributes Show customFields attributes object

      • defaultValue string | boolean

        A default value for the custom field. If the type is text, the default value must be a string. If the type is toggle, the default value must be boolean.

        One of:
        string-1 string boolean-2 boolean
      • key string

        A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field.

        Minimum length is 1, maximum length is 36.

      • label string

        The custom field label that is displayed in the case.

        Minimum length is 1, maximum length is 50.

      • type string

        The type of the custom field.

        Values are text or toggle.

      • required boolean

        Indicates whether the field is required. If false, the custom field can be set to null or omitted when a case is created or updated.

    • error string | null
    • id string
    • mappings array[object]
      Hide mappings attributes Show mappings attributes object
    • owner string

      The application that owns the cases: Stack Management, Observability, or Elastic Security.

      Values are cases, observability, or securitySolution.

    • templates array[object] Technical preview
      Hide templates attributes Show templates attributes object
      • caseFields object
        Hide caseFields attributes Show caseFields attributes object
        • assignees array[object] | null

          An array containing users that are assigned to the case.

          Not more than 10 elements.

          Hide assignees attribute Show assignees attribute object
          • uid string Required

            A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

        • category string

          A word or phrase that categorizes the case.

          Maximum length is 50.

        • connector object
          Hide connector attributes Show connector attributes object
          • fields object | null

            The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to null.

          • id string

            The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.

          • name string

            The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.

          • type string

            The type of connector.

            Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.

        • customFields array[object] Technical preview

          Custom field values in the template.

          Hide customFields attributes Show customFields attributes object
          • key string

            The unique key for the custom field.

          • type string

            The type of the custom field.

            Values are text or toggle.

          • value string | boolean

            The default value for the custom field when a case uses the template. If the type is text, the default value must be a string. If the type is toggle, the default value must be boolean.

            One of:
            string-1 string boolean-2 boolean
        • description string

          The description for the case.

          Maximum length is 30000.

        • settings object

          An object that contains the case settings.

          Hide settings attribute Show settings attribute object
          • syncAlerts boolean Required

            Turns alert syncing on or off.

        • severity string

          The severity of the case.

          Values are critical, high, low, or medium. Default value is low.

        • tags array[string]

          The words and phrases that help categorize cases. It can be an empty array.

          Not more than 200 elements. Maximum length of each is 256.

        • title string

          A title for the case.

          Maximum length is 160.

      • description string

        A description for the template.

      • key string

        A unique key for the template. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific template.

      • name string

        The name of the template.

      • tags array[string]

        The words and phrases that help categorize templates. It can be an empty array.

        Not more than 200 elements. Maximum length of each is 256.

    • updated_at string(date-time) | null
    • updated_by object | null
      Hide updated_by attributes Show updated_by attributes object | null
    • version string
  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
GET /api/cases/configure 
curl \
 --request GET 'https://localhost:5601/api/cases/configure' \
 --header "Authorization: $API_KEY"
Response examples (200) 
[
  {
    "id": "856ee650-6c82-11ee-a20a-6164169afa58",
    "error": null,
    "owner": "cases",
    "version": "WzEyLDNd",
    "mappings": [],
    "connector": {
      "id": "none",
      "name": "none",
      "type": ".none",
      "fields": null
    },
    "templates": [
      {
        "key": "505932fe-ee3a-4960-a661-c781b5acdb05",
        "name": "template-1",
        "tags": [
          "Template tag 1"
        ],
        "caseFields": {
          "tags": [
            "Default case tag"
          ],
          "title": "Default case title",
          "category": "Default-category",
          "settings": {
            "syncAlerts": false
          },
          "assignees": [
            {
              "uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
            }
          ],
          "connector": {
            "id": "none",
            "name": "none",
            "type": ".none",
            "fields": null
          },
          "description": "A default description for cases.",
          "customFields": [
            {
              "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
              "type": "text",
              "value": "Default text field value."
            }
          ]
        },
        "description": "A description of the template."
      }
    ],
    "created_at": "2024-07-01T17:07:17.767Z",
    "created_by": {
      "email": null,
      "username": "elastic",
      "full_name": null
    },
    "updated_at": null,
    "updated_by": null,
    "closure_type": "close-by-user",
    "customFields": [
      {
        "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
        "type": "text",
        "label": "my-text-field",
        "required": false,
        "defaultValue": "Custom text field value."
      }
    ]
  }
]

Add case settings

POST /api/cases/configure
Api key auth Basic auth

Case settings include external connection details, custom fields, and templates. Connectors are used to interface with external systems. You must create a connector before you can use it in your cases. If you set a default connector, it is automatically selected when you create cases in Kibana. If you use the create case API, however, you must still specify all of the connector details. You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on where you are creating cases.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

application/json

Body

  • closure_type string Required

    Indicates whether a case is automatically closed when it is pushed to external systems (close-by-pushing) or not automatically closed (close-by-user).

    Values are close-by-pushing or close-by-user.

  • connector object Required

    An object that contains the connector configuration.

    Hide connector attributes Show connector attributes object
    • fields object | null Required

      The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to null.

    • id string Required

      The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.

    • name string Required

      The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.

    • type string Required

      The type of connector.

      Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.

  • customFields array[object]

    Custom fields case configuration.

    At least 0 but not more than 10 elements.

    Hide customFields attributes Show customFields attributes object

    • defaultValue string | boolean

      A default value for the custom field. If the type is text, the default value must be a string. If the type is toggle, the default value must be boolean.

      One of:
      string-1 string boolean-2 boolean
    • key string Required

      A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field.

      Minimum length is 1, maximum length is 36.

    • label string Required

      The custom field label that is displayed in the case.

      Minimum length is 1, maximum length is 50.

    • type string Required

      The type of the custom field.

      Values are text or toggle.

    • required boolean Required

      Indicates whether the field is required. If false, the custom field can be set to null or omitted when a case is created or updated.

  • owner string Required

    The application that owns the cases: Stack Management, Observability, or Elastic Security.

    Values are cases, observability, or securitySolution.

  • templates array[object] Technical preview
    Hide templates attributes Show templates attributes object
    • caseFields object
      Hide caseFields attributes Show caseFields attributes object
      • assignees array[object] | null

        An array containing users that are assigned to the case.

        Not more than 10 elements.

        Hide assignees attribute Show assignees attribute object
        • uid string Required

          A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

      • category string

        A word or phrase that categorizes the case.

        Maximum length is 50.

      • connector object
        Hide connector attributes Show connector attributes object
        • fields object | null

          The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to null.

        • id string

          The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.

        • name string

          The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.

        • type string

          The type of connector.

          Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.

      • customFields array[object] Technical preview

        Custom field values in the template.

        Hide customFields attributes Show customFields attributes object
        • key string

          The unique key for the custom field.

        • type string

          The type of the custom field.

          Values are text or toggle.

        • value string | boolean

          The default value for the custom field when a case uses the template. If the type is text, the default value must be a string. If the type is toggle, the default value must be boolean.

          One of:
          string-1 string boolean-2 boolean
      • description string

        The description for the case.

        Maximum length is 30000.

      • settings object

        An object that contains the case settings.

        Hide settings attribute Show settings attribute object
        • syncAlerts boolean Required

          Turns alert syncing on or off.

      • severity string

        The severity of the case.

        Values are critical, high, low, or medium. Default value is low.

      • tags array[string]

        The words and phrases that help categorize cases. It can be an empty array.

        Not more than 200 elements. Maximum length of each is 256.

      • title string

        A title for the case.

        Maximum length is 160.

    • description string

      A description for the template.

    • key string

      A unique key for the template. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific template.

    • name string

      The name of the template.

    • tags array[string]

      The words and phrases that help categorize templates. It can be an empty array.

      Not more than 200 elements. Maximum length of each is 256.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • closure_type string

      Indicates whether a case is automatically closed when it is pushed to external systems (close-by-pushing) or not automatically closed (close-by-user).

      Values are close-by-pushing or close-by-user.

    • connector object
      Hide connector attributes Show connector attributes object
      • fields object | null

        The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to null.

      • id string

        The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.

      • name string

        The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.

      • type string

        The type of connector.

        Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.

    • created_at string(date-time)
    • created_by object
      Hide created_by attributes Show created_by attributes object
    • customFields array[object]

      Custom fields configuration details.

      Hide customFields attributes Show customFields attributes object

      • defaultValue string | boolean

        A default value for the custom field. If the type is text, the default value must be a string. If the type is toggle, the default value must be boolean.

        One of:
        string-1 string boolean-2 boolean
      • key string

        A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field.

        Minimum length is 1, maximum length is 36.

      • label string

        The custom field label that is displayed in the case.

        Minimum length is 1, maximum length is 50.

      • type string

        The type of the custom field.

        Values are text or toggle.

      • required boolean

        Indicates whether the field is required. If false, the custom field can be set to null or omitted when a case is created or updated.

    • error string | null
    • id string
    • mappings array[object]
      Hide mappings attributes Show mappings attributes object
    • owner string

      The application that owns the cases: Stack Management, Observability, or Elastic Security.

      Values are cases, observability, or securitySolution.

    • templates array[object] Technical preview
      Hide templates attributes Show templates attributes object
      • caseFields object
        Hide caseFields attributes Show caseFields attributes object
        • assignees array[object] | null

          An array containing users that are assigned to the case.

          Not more than 10 elements.

          Hide assignees attribute Show assignees attribute object
          • uid string Required

            A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

        • category string

          A word or phrase that categorizes the case.

          Maximum length is 50.

        • connector object
          Hide connector attributes Show connector attributes object
          • fields object | null

            The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to null.

          • id string

            The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.

          • name string

            The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.

          • type string

            The type of connector.

            Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.

        • customFields array[object] Technical preview

          Custom field values in the template.

          Hide customFields attributes Show customFields attributes object
          • key string

            The unique key for the custom field.

          • type string

            The type of the custom field.

            Values are text or toggle.

          • value string | boolean

            The default value for the custom field when a case uses the template. If the type is text, the default value must be a string. If the type is toggle, the default value must be boolean.

            One of:
            string-1 string boolean-2 boolean
        • description string

          The description for the case.

          Maximum length is 30000.

        • settings object

          An object that contains the case settings.

          Hide settings attribute Show settings attribute object
          • syncAlerts boolean Required

            Turns alert syncing on or off.

        • severity string

          The severity of the case.

          Values are critical, high, low, or medium. Default value is low.

        • tags array[string]

          The words and phrases that help categorize cases. It can be an empty array.

          Not more than 200 elements. Maximum length of each is 256.

        • title string

          A title for the case.

          Maximum length is 160.

      • description string

        A description for the template.

      • key string

        A unique key for the template. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific template.

      • name string

        The name of the template.

      • tags array[string]

        The words and phrases that help categorize templates. It can be an empty array.

        Not more than 200 elements. Maximum length of each is 256.

    • updated_at string(date-time) | null
    • updated_by object | null
      Hide updated_by attributes Show updated_by attributes object | null
    • version string
  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
POST /api/cases/configure 
curl \
 --request POST 'https://localhost:5601/api/cases/configure' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"owner":"cases","connector":{"id":"5e656730-e1ca-11ec-be9b-9b1838238ee6","name":"my-jira-connector","type":".jira","fields":null},"templates":[{"key":"505932fe-ee3a-4960-a661-c781b5acdb05","name":"template-1","tags":["Template tag 1"],"caseFields":{"tags":["Default case tag"],"title":"Default case title","category":"Default-category","assignees":[{"uid":"u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"}],"description":"A default description for cases.","customFields":[{"key":"d312efda-ec2b-42ec-9e2c-84981795c581","type":"text","value":"A text field value for the template."}]},"description":"A description of the template."}],"closure_type":"close-by-user","customFields":[{"key":"d312efda-ec2b-42ec-9e2c-84981795c581","type":"text","label":"my-text-field","required":false,"defaultValue":"My custom field default value."}]}'
Request example 
{
  "owner": "cases",
  "connector": {
    "id": "5e656730-e1ca-11ec-be9b-9b1838238ee6",
    "name": "my-jira-connector",
    "type": ".jira",
    "fields": null
  },
  "templates": [
    {
      "key": "505932fe-ee3a-4960-a661-c781b5acdb05",
      "name": "template-1",
      "tags": [
        "Template tag 1"
      ],
      "caseFields": {
        "tags": [
          "Default case tag"
        ],
        "title": "Default case title",
        "category": "Default-category",
        "assignees": [
          {
            "uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
          }
        ],
        "description": "A default description for cases.",
        "customFields": [
          {
            "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
            "type": "text",
            "value": "A text field value for the template."
          }
        ]
      },
      "description": "A description of the template."
    }
  ],
  "closure_type": "close-by-user",
  "customFields": [
    {
      "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
      "type": "text",
      "label": "my-text-field",
      "required": false,
      "defaultValue": "My custom field default value."
    }
  ]
}
Response examples (200) 
{
  "id": "4a97a440-e1cd-11ec-be9b-9b1838238ee6",
  "error": null,
  "owner": "cases",
  "version": "WzIwNzMsMV0=",
  "mappings": [
    {
      "source": "title",
      "target": "summary",
      "action_type": "overwrite"
    },
    {
      "source": "description",
      "target": "description",
      "action_type": "overwrite"
    },
    {
      "source": "comments",
      "target": "comments",
      "action_type": "append"
    },
    {
      "source": "tags",
      "target": "labels",
      "action_type": "overwrite"
    }
  ],
  "connector": {
    "id": "5e656730-e1ca-11ec-be9b-9b1838238ee6",
    "name": "my-jira-connector",
    "type": ".jira",
    "fields": null
  },
  "templates": [
    {
      "key": "505932fe-ee3a-4960-a661-c781b5acdb05",
      "name": "template-1",
      "tags": [
        "Template tag 1"
      ],
      "caseFields": {
        "tags": [
          "Default case tag"
        ],
        "title": "Default case title",
        "category": "Default-category",
        "assignees": [
          {
            "uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
          }
        ],
        "description": "A default description for cases.",
        "customFields": [
          {
            "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
            "type": "text",
            "value": "A text field value for the template."
          }
        ]
      },
      "description": "A description of the template."
    }
  ],
  "created_at": "2024-07-01T17:07:17.767Z",
  "created_by": {
    "email": "null,",
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "updated_at": null,
  "updated_by": null,
  "closure_type": "close-by-user",
  "customFields": [
    {
      "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
      "type": "text",
      "label": "my-text-field",
      "required": false,
      "defaultValue": "My custom field default value."
    }
  ]
}

Connectors

Connectors provide a central place to store connection information for services and integrations with Elastic or third party systems. Alerting rules can use connectors to run actions when rule conditions are met.

Connector documentation

Create a connector Deprecated

POST /api/actions/action
Api key auth Basic auth

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body

  • actionTypeId string Required

    The connector type identifier.

  • config object

    Default value is {} (empty). Additional properties are allowed.

  • name string Required

    The display name for the connector.

  • secrets object

    Default value is {} (empty). Additional properties are allowed.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • config object

      Additional properties are allowed.

    • connector_type_id string Required

      The connector type identifier.

    • id string Required

      The identifier for the connector.

    • is_deprecated boolean Required

      Indicates whether the connector is deprecated.

    • is_missing_secrets boolean

      Indicates whether the connector is missing secrets.

    • is_preconfigured boolean Required

      Indicates whether the connector is preconfigured. If true, the config and is_missing_secrets properties are omitted from the response.

    • is_system_action boolean Required

      Indicates whether the connector is used for system actions.

    • name string Required

      The name of the rule.
POST /api/actions/action 
curl \
 --request POST 'https://localhost:5601/api/actions/action' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"actionTypeId":"string","config":{},"name":"string","secrets":{}}'

Get connector types Deprecated

GET /api/actions/list_action_types
Api key auth Basic auth
GET /api/actions/list_action_types 
curl \
 --request GET 'https://localhost:5601/api/actions/list_action_types' \
 --header "Authorization: $API_KEY"

Dashboards

Get a list of dashboards Technical Preview

GET /api/dashboards/dashboard
Api key auth Basic auth

This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

Query parameters

  • page number

    The page number to return. Default is "1".

    Minimum value is 1. Default value is 1.

  • perPage number

    The number of dashboards to display on each page (max 1000). Default is "20".

    Minimum value is 1, maximum value is 1000.

Responses

GET /api/dashboards/dashboard 
curl \
 --request GET 'https://localhost:5601/api/dashboards/dashboard' \
 --header "Authorization: $API_KEY"

Get a dashboard Technical Preview

GET /api/dashboards/dashboard/{id}
Api key auth Basic auth

This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

Path parameters

  • id string Required

    A unique identifier for the dashboard.

Responses

  • 200 application/json
    Hide response attributes Show response attributes object
    • item object Required

      Additional properties are allowed.

      Hide item attributes Show item attributes object
      • attributes object Required

        Additional properties are NOT allowed.

        Hide attributes attributes Show attributes attributes object
        • controlGroupInput object

          Additional properties are NOT allowed.

          Hide controlGroupInput attributes Show controlGroupInput attributes object
          • autoApplySelections boolean

            Show apply selections button in controls.

            Default value is true.

          • chainingSystem string

            The chaining strategy for multiple controls. For example, "HIERARCHICAL" or "NONE".

            Values are NONE or HIERARCHICAL. Default value is HIERARCHICAL.

          • controls array[object]

            An array of control panels and their state in the control group.

            Default value is [] (empty).

            Hide controls attributes Show controls attributes object
            • controlConfig object

              Additional properties are allowed.

            • grow boolean

              Expand width of the control panel to fit available space.

              Default value is false.

            • id string

              The unique ID of the control.

            • order number Required

              The order of the control panel in the control group.

            • type string Required

              The type of the control panel.

            • width string

              Minimum width of the control panel in the control group.

              Values are small, medium, or large. Default value is medium.

          • enhancements object

            Additional properties are allowed.

          • ignoreParentSettings object Required

            Additional properties are NOT allowed.

            Hide ignoreParentSettings attributes Show ignoreParentSettings attributes object
            • ignoreFilters boolean

              Ignore global filters in controls.

              Default value is false.

            • ignoreQuery boolean

              Ignore the global query bar in controls.

              Default value is false.

            • ignoreTimerange boolean

              Ignore the global time range in controls.

              Default value is false.

            • ignoreValidations boolean

              Ignore validations in controls.

              Default value is false.

          • labelPosition string

            Position of the labels for controls. For example, "oneLine", "twoLine".

            Values are oneLine or twoLine. Default value is oneLine.

        • description string

          A short description.

          Default value is empty.

        • kibanaSavedObjectMeta object

          A container for various metadata

          Default value is {} (empty). Additional properties are NOT allowed.

          Hide kibanaSavedObjectMeta attribute Show kibanaSavedObjectMeta attribute object
          • searchSource object

            Additional properties are allowed.

            Hide searchSource attributes Show searchSource attributes object
            • filter array[object]

              A filter for the search source.

              Hide filter attributes Show filter attributes object
              • $state object

                Additional properties are NOT allowed.

                Hide $state attribute Show $state attribute object
                • store string Required

                  Denote whether a filter is specific to an application's context (e.g. 'appState') or whether it should be applied globally (e.g. 'globalState').

                  Values are appState or globalState.

              • meta object Required

                Additional properties are allowed.

                Hide meta attributes Show meta attributes object
              • query object

                Additional properties are allowed.

            • query object

              Additional properties are NOT allowed.

              Hide query attributes Show query attributes object
            • sort array[object]
            • type string
        • options object Required

          Additional properties are NOT allowed.

          Hide options attributes Show options attributes object
          • hidePanelTitles boolean

            Hide the panel titles in the dashboard.

            Default value is false.

          • syncColors boolean

            Synchronize colors between related panels in the dashboard.

            Default value is true.

          • syncCursor boolean

            Synchronize cursor position between related panels in the dashboard.

            Default value is true.

          • syncTooltips boolean

            Synchronize tooltips between related panels in the dashboard.

            Default value is true.

          • useMargins boolean

            Show margins between panels in the dashboard layout.

            Default value is true.

        • panels array[object]

          Default value is [] (empty).

          Hide panels attributes Show panels attributes object
          • gridData object Required

            Additional properties are NOT allowed.

            Hide gridData attributes Show gridData attributes object
            • h number

              The height of the panel in grid units

              Minimum value is 1. Default value is 15.

            • i string Required
            • w number

              The width of the panel in grid units

              Minimum value is 1, maximum value is 48. Default value is 24.

            • x number Required

              The x coordinate of the panel in grid units

            • y number Required

              The y coordinate of the panel in grid units

          • id string

            The saved object id for by reference panels

          • panelConfig object Required

            Additional properties are allowed.

            Hide panelConfig attributes Show panelConfig attributes object
          • panelIndex string Required
          • panelRefName string
          • title string

            The title of the panel

          • type string Required

            The embeddable type

          • version string Deprecated

            The version was used to store Kibana version information from versions 7.3.0 -> 8.11.0. As of version 8.11.0, the versioning information is now per-embeddable-type and is stored on the embeddable's input. (panelConfig in this type).

        • refreshInterval object

          A container for various refresh interval settings

          Additional properties are NOT allowed.

          Hide refreshInterval attributes Show refreshInterval attributes object
          • display string Deprecated

            A human-readable string indicating the refresh frequency. No longer used.

          • pause boolean Required

            Whether the refresh interval is set to be paused while viewing the dashboard.

          • section number Deprecated

            No longer used.

          • value number Required

            A numeric value indicating refresh frequency in milliseconds.

        • timeFrom string

          An ISO string indicating when to restore time from

        • timeRestore boolean

          Whether to restore time upon viewing this dashboard

          Default value is false.

        • timeTo string

          An ISO string indicating when to restore time from

        • title string Required

          A human-readable title for the dashboard

        • version number Deprecated
      • createdAt string
      • createdBy string
      • error object

        Additional properties are NOT allowed.

        Hide error attributes Show error attributes object
      • id string Required
      • managed boolean
      • namespaces array[string]
      • originId string
      • references array[object] Required
        Hide references attributes Show references attributes object
      • type string Required
      • updatedAt string
      • updatedBy string
      • version string
    • meta object Required

      Additional properties are NOT allowed.

      Hide meta attributes Show meta attributes object
GET /api/dashboards/dashboard/{id} 
curl \
 --request GET 'https://localhost:5601/api/dashboards/dashboard/{id}' \
 --header "Authorization: $API_KEY"

Update an existing dashboard Technical Preview

PUT /api/dashboards/dashboard/{id}
Api key auth Basic auth

This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    A unique identifier for the dashboard.

application/json

Body

  • attributes object Required

    Additional properties are NOT allowed.

    Hide attributes attributes Show attributes attributes object
    • controlGroupInput object

      Additional properties are NOT allowed.

      Hide controlGroupInput attributes Show controlGroupInput attributes object
      • autoApplySelections boolean

        Show apply selections button in controls.

        Default value is true.

      • chainingSystem string

        The chaining strategy for multiple controls. For example, "HIERARCHICAL" or "NONE".

        Values are NONE or HIERARCHICAL. Default value is HIERARCHICAL.

      • controls array[object]

        An array of control panels and their state in the control group.

        Default value is [] (empty).

        Hide controls attributes Show controls attributes object
        • controlConfig object

          Additional properties are allowed.

        • grow boolean

          Expand width of the control panel to fit available space.

          Default value is false.

        • id string

          The unique ID of the control.

        • order number Required

          The order of the control panel in the control group.

        • type string Required

          The type of the control panel.

        • width string

          Minimum width of the control panel in the control group.

          Values are small, medium, or large. Default value is medium.

      • enhancements object

        Additional properties are allowed.

      • ignoreParentSettings object Required

        Additional properties are NOT allowed.

        Hide ignoreParentSettings attributes Show ignoreParentSettings attributes object
        • ignoreFilters boolean

          Ignore global filters in controls.

          Default value is false.

        • ignoreQuery boolean

          Ignore the global query bar in controls.

          Default value is false.

        • ignoreTimerange boolean

          Ignore the global time range in controls.

          Default value is false.

        • ignoreValidations boolean

          Ignore validations in controls.

          Default value is false.

      • labelPosition string

        Position of the labels for controls. For example, "oneLine", "twoLine".

        Values are oneLine or twoLine. Default value is oneLine.

    • description string

      A short description.

      Default value is empty.

    • kibanaSavedObjectMeta object

      A container for various metadata

      Default value is {} (empty). Additional properties are NOT allowed.

      Hide kibanaSavedObjectMeta attribute Show kibanaSavedObjectMeta attribute object
      • searchSource object

        Additional properties are allowed.

        Hide searchSource attributes Show searchSource attributes object
        • filter array[object]

          A filter for the search source.

          Hide filter attributes Show filter attributes object
          • $state object

            Additional properties are NOT allowed.

            Hide $state attribute Show $state attribute object
            • store string Required

              Denote whether a filter is specific to an application's context (e.g. 'appState') or whether it should be applied globally (e.g. 'globalState').

              Values are appState or globalState.

          • meta object Required

            Additional properties are allowed.

            Hide meta attributes Show meta attributes object
          • query object

            Additional properties are allowed.

        • query object

          Additional properties are NOT allowed.

          Hide query attributes Show query attributes object
        • sort array[object]
        • type string
    • options object Required

      Additional properties are NOT allowed.

      Hide options attributes Show options attributes object
      • hidePanelTitles boolean

        Hide the panel titles in the dashboard.

        Default value is false.

      • syncColors boolean

        Synchronize colors between related panels in the dashboard.

        Default value is true.

      • syncCursor boolean

        Synchronize cursor position between related panels in the dashboard.

        Default value is true.

      • syncTooltips boolean

        Synchronize tooltips between related panels in the dashboard.

        Default value is true.

      • useMargins boolean

        Show margins between panels in the dashboard layout.

        Default value is true.

    • panels array[object]

      Default value is [] (empty).

      Hide panels attributes Show panels attributes object
      • gridData object Required

        Additional properties are NOT allowed.

        Hide gridData attributes Show gridData attributes object
        • h number

          The height of the panel in grid units

          Minimum value is 1. Default value is 15.

        • i string

          The unique identifier of the panel

        • w number

          The width of the panel in grid units

          Minimum value is 1, maximum value is 48. Default value is 24.

        • x number Required

          The x coordinate of the panel in grid units

        • y number Required

          The y coordinate of the panel in grid units

      • id string

        The saved object id for by reference panels

      • panelConfig object Required

        Additional properties are allowed.

        Hide panelConfig attributes Show panelConfig attributes object
      • panelIndex string

        The unique ID of the panel.

      • panelRefName string
      • title string

        The title of the panel

      • type string Required

        The embeddable type

      • version string Deprecated

        The version was used to store Kibana version information from versions 7.3.0 -> 8.11.0. As of version 8.11.0, the versioning information is now per-embeddable-type and is stored on the embeddable's input. (panelConfig in this type).

    • refreshInterval object

      A container for various refresh interval settings

      Additional properties are NOT allowed.

      Hide refreshInterval attributes Show refreshInterval attributes object
      • display string Deprecated

        A human-readable string indicating the refresh frequency. No longer used.

      • pause boolean Required

        Whether the refresh interval is set to be paused while viewing the dashboard.

      • section number Deprecated

        No longer used.

      • value number Required

        A numeric value indicating refresh frequency in milliseconds.

    • timeFrom string

      An ISO string indicating when to restore time from

    • timeRestore boolean

      Whether to restore time upon viewing this dashboard

      Default value is false.

    • timeTo string

      An ISO string indicating when to restore time from

    • title string Required

      A human-readable title for the dashboard

    • version number Deprecated
  • references array[object]
    Hide references attributes Show references attributes object

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
    • item object Required

      Additional properties are allowed.

      Hide item attributes Show item attributes object
      • attributes object Required

        Additional properties are NOT allowed.

        Hide attributes attributes Show attributes attributes object
        • controlGroupInput object

          Additional properties are NOT allowed.

          Hide controlGroupInput attributes Show controlGroupInput attributes object
          • autoApplySelections boolean

            Show apply selections button in controls.

            Default value is true.

          • chainingSystem string

            The chaining strategy for multiple controls. For example, "HIERARCHICAL" or "NONE".

            Values are NONE or HIERARCHICAL. Default value is HIERARCHICAL.

          • controls array[object]

            An array of control panels and their state in the control group.

            Default value is [] (empty).

            Hide controls attributes Show controls attributes object
            • controlConfig object

              Additional properties are allowed.

            • grow boolean

              Expand width of the control panel to fit available space.

              Default value is false.

            • id string

              The unique ID of the control.

            • order number Required

              The order of the control panel in the control group.

            • type string Required

              The type of the control panel.

            • width string

              Minimum width of the control panel in the control group.

              Values are small, medium, or large. Default value is medium.

          • enhancements object

            Additional properties are allowed.

          • ignoreParentSettings object Required

            Additional properties are NOT allowed.

            Hide ignoreParentSettings attributes Show ignoreParentSettings attributes object
            • ignoreFilters boolean

              Ignore global filters in controls.

              Default value is false.

            • ignoreQuery boolean

              Ignore the global query bar in controls.

              Default value is false.

            • ignoreTimerange boolean

              Ignore the global time range in controls.

              Default value is false.

            • ignoreValidations boolean

              Ignore validations in controls.

              Default value is false.

          • labelPosition string

            Position of the labels for controls. For example, "oneLine", "twoLine".

            Values are oneLine or twoLine. Default value is oneLine.

        • description string

          A short description.

          Default value is empty.

        • kibanaSavedObjectMeta object

          A container for various metadata

          Default value is {} (empty). Additional properties are NOT allowed.

          Hide kibanaSavedObjectMeta attribute Show kibanaSavedObjectMeta attribute object
          • searchSource object

            Additional properties are allowed.

            Hide searchSource attributes Show searchSource attributes object
            • filter array[object]

              A filter for the search source.

              Hide filter attributes Show filter attributes object
              • $state object

                Additional properties are NOT allowed.

                Hide $state attribute Show $state attribute object
                • store string Required

                  Denote whether a filter is specific to an application's context (e.g. 'appState') or whether it should be applied globally (e.g. 'globalState').

                  Values are appState or globalState.

              • meta object Required

                Additional properties are allowed.

                Hide meta attributes Show meta attributes object
              • query object

                Additional properties are allowed.

            • query object

              Additional properties are NOT allowed.

              Hide query attributes Show query attributes object
            • sort array[object]
            • type string
        • options object Required

          Additional properties are NOT allowed.

          Hide options attributes Show options attributes object
          • hidePanelTitles boolean

            Hide the panel titles in the dashboard.

            Default value is false.

          • syncColors boolean

            Synchronize colors between related panels in the dashboard.

            Default value is true.

          • syncCursor boolean

            Synchronize cursor position between related panels in the dashboard.

            Default value is true.

          • syncTooltips boolean

            Synchronize tooltips between related panels in the dashboard.

            Default value is true.

          • useMargins boolean

            Show margins between panels in the dashboard layout.

            Default value is true.

        • panels array[object]

          Default value is [] (empty).

          Hide panels attributes Show panels attributes object
          • gridData object Required

            Additional properties are NOT allowed.

            Hide gridData attributes Show gridData attributes object
            • h number

              The height of the panel in grid units

              Minimum value is 1. Default value is 15.

            • i string Required
            • w number

              The width of the panel in grid units

              Minimum value is 1, maximum value is 48. Default value is 24.

            • x number Required

              The x coordinate of the panel in grid units

            • y number Required

              The y coordinate of the panel in grid units

          • id string

            The saved object id for by reference panels

          • panelConfig object Required

            Additional properties are allowed.

            Hide panelConfig attributes Show panelConfig attributes object
          • panelIndex string Required
          • panelRefName string
          • title string

            The title of the panel

          • type string Required

            The embeddable type

          • version string Deprecated

            The version was used to store Kibana version information from versions 7.3.0 -> 8.11.0. As of version 8.11.0, the versioning information is now per-embeddable-type and is stored on the embeddable's input. (panelConfig in this type).

        • refreshInterval object

          A container for various refresh interval settings

          Additional properties are NOT allowed.

          Hide refreshInterval attributes Show refreshInterval attributes object
          • display string Deprecated

            A human-readable string indicating the refresh frequency. No longer used.

          • pause boolean Required

            Whether the refresh interval is set to be paused while viewing the dashboard.

          • section number Deprecated

            No longer used.

          • value number Required

            A numeric value indicating refresh frequency in milliseconds.

        • timeFrom string

          An ISO string indicating when to restore time from

        • timeRestore boolean

          Whether to restore time upon viewing this dashboard

          Default value is false.

        • timeTo string

          An ISO string indicating when to restore time from

        • title string Required

          A human-readable title for the dashboard

        • version number Deprecated
      • createdAt string
      • createdBy string
      • error object

        Additional properties are NOT allowed.

        Hide error attributes Show error attributes object
      • id string Required
      • managed boolean
      • namespaces array[string]
      • originId string
      • references array[object] Required
        Hide references attributes Show references attributes object
      • type string Required
      • updatedAt string
      • updatedBy string
      • version string
PUT /api/dashboards/dashboard/{id} 
curl \
 --request PUT 'https://localhost:5601/api/dashboards/dashboard/{id}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"attributes":{"controlGroupInput":{"autoApplySelections":true,"chainingSystem":"HIERARCHICAL","controls":[{"controlConfig":{},"grow":false,"id":"string","order":42.0,"type":"string","width":"medium"}],"enhancements":{},"ignoreParentSettings":{"ignoreFilters":false,"ignoreQuery":false,"ignoreTimerange":false,"ignoreValidations":false},"labelPosition":"oneLine"},"description":"","kibanaSavedObjectMeta":{"searchSource":{"filter":[{"$state":{"store":"appState"},"meta":{"alias":"string","controlledBy":"string","disabled":true,"field":"string","group":"string","index":"string","isMultiIndex":true,"key":"string","negate":true,"type":"string","value":"string"},"query":{}}],"query":{"language":"string","query":"string"},"sort":[{}],"type":"string"}},"options":{"hidePanelTitles":false,"syncColors":true,"syncCursor":true,"syncTooltips":true,"useMargins":true},"panels":[{"gridData":{"h":15,"i":"string","w":24,"x":42.0,"y":42.0},"id":"string","panelConfig":{"description":"string","enhancements":{},"hidePanelTitles":true,"savedObjectId":"string","title":"string","version":"string"},"panelIndex":"string","panelRefName":"string","title":"string","type":"string","version":"string"}],"refreshInterval":{"display":"string","pause":true,"section":42.0,"value":42.0},"timeFrom":"string","timeRestore":false,"timeTo":"string","title":"string","version":42.0},"references":[{"id":"string","name":"string","type":"string"}]}'

Create a dashboard Technical Preview

POST /api/dashboards/dashboard/{id}
Api key auth Basic auth

This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string

    A unique identifier for the dashboard.

application/json

Body

  • attributes object Required

    Additional properties are NOT allowed.

    Hide attributes attributes Show attributes attributes object
    • controlGroupInput object

      Additional properties are NOT allowed.

      Hide controlGroupInput attributes Show controlGroupInput attributes object
      • autoApplySelections boolean

        Show apply selections button in controls.

        Default value is true.

      • chainingSystem string

        The chaining strategy for multiple controls. For example, "HIERARCHICAL" or "NONE".

        Values are NONE or HIERARCHICAL. Default value is HIERARCHICAL.

      • controls array[object]

        An array of control panels and their state in the control group.

        Default value is [] (empty).

        Hide controls attributes Show controls attributes object
        • controlConfig object

          Additional properties are allowed.

        • grow boolean

          Expand width of the control panel to fit available space.

          Default value is false.

        • id string

          The unique ID of the control.

        • order number Required

          The order of the control panel in the control group.

        • type string Required

          The type of the control panel.

        • width string

          Minimum width of the control panel in the control group.

          Values are small, medium, or large. Default value is medium.

      • enhancements object

        Additional properties are allowed.

      • ignoreParentSettings object Required

        Additional properties are NOT allowed.

        Hide ignoreParentSettings attributes Show ignoreParentSettings attributes object
        • ignoreFilters boolean

          Ignore global filters in controls.

          Default value is false.

        • ignoreQuery boolean

          Ignore the global query bar in controls.

          Default value is false.

        • ignoreTimerange boolean

          Ignore the global time range in controls.

          Default value is false.

        • ignoreValidations boolean

          Ignore validations in controls.

          Default value is false.

      • labelPosition string

        Position of the labels for controls. For example, "oneLine", "twoLine".

        Values are oneLine or twoLine. Default value is oneLine.

    • description string

      A short description.

      Default value is empty.

    • kibanaSavedObjectMeta object

      A container for various metadata

      Default value is {} (empty). Additional properties are NOT allowed.

      Hide kibanaSavedObjectMeta attribute Show kibanaSavedObjectMeta attribute object
      • searchSource object

        Additional properties are allowed.

        Hide searchSource attributes Show searchSource attributes object
        • filter array[object]

          A filter for the search source.

          Hide filter attributes Show filter attributes object
          • $state object

            Additional properties are NOT allowed.

            Hide $state attribute Show $state attribute object
            • store string Required

              Denote whether a filter is specific to an application's context (e.g. 'appState') or whether it should be applied globally (e.g. 'globalState').

              Values are appState or globalState.

          • meta object Required

            Additional properties are allowed.

            Hide meta attributes Show meta attributes object
          • query object

            Additional properties are allowed.

        • query object

          Additional properties are NOT allowed.

          Hide query attributes Show query attributes object
        • sort array[object]
        • type string
    • options object Required

      Additional properties are NOT allowed.

      Hide options attributes Show options attributes object
      • hidePanelTitles boolean

        Hide the panel titles in the dashboard.

        Default value is false.

      • syncColors boolean

        Synchronize colors between related panels in the dashboard.

        Default value is true.

      • syncCursor boolean

        Synchronize cursor position between related panels in the dashboard.

        Default value is true.

      • syncTooltips boolean

        Synchronize tooltips between related panels in the dashboard.

        Default value is true.

      • useMargins boolean

        Show margins between panels in the dashboard layout.

        Default value is true.

    • panels array[object]

      Default value is [] (empty).

      Hide panels attributes Show panels attributes object
      • gridData object Required

        Additional properties are NOT allowed.

        Hide gridData attributes Show gridData attributes object
        • h number

          The height of the panel in grid units

          Minimum value is 1. Default value is 15.

        • i string

          The unique identifier of the panel

        • w number

          The width of the panel in grid units

          Minimum value is 1, maximum value is 48. Default value is 24.

        • x number Required

          The x coordinate of the panel in grid units

        • y number Required

          The y coordinate of the panel in grid units

      • id string

        The saved object id for by reference panels

      • panelConfig object Required

        Additional properties are allowed.

        Hide panelConfig attributes Show panelConfig attributes object
      • panelIndex string

        The unique ID of the panel.

      • panelRefName string
      • title string

        The title of the panel

      • type string Required

        The embeddable type

      • version string Deprecated

        The version was used to store Kibana version information from versions 7.3.0 -> 8.11.0. As of version 8.11.0, the versioning information is now per-embeddable-type and is stored on the embeddable's input. (panelConfig in this type).

    • refreshInterval object

      A container for various refresh interval settings

      Additional properties are NOT allowed.

      Hide refreshInterval attributes Show refreshInterval attributes object
      • display string Deprecated

        A human-readable string indicating the refresh frequency. No longer used.

      • pause boolean Required

        Whether the refresh interval is set to be paused while viewing the dashboard.

      • section number Deprecated

        No longer used.

      • value number Required

        A numeric value indicating refresh frequency in milliseconds.

    • timeFrom string

      An ISO string indicating when to restore time from

    • timeRestore boolean

      Whether to restore time upon viewing this dashboard

      Default value is false.

    • timeTo string

      An ISO string indicating when to restore time from

    • title string Required

      A human-readable title for the dashboard

    • version number Deprecated
  • references array[object]
    Hide references attributes Show references attributes object
  • spaces array[string]

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
    • item object Required

      Additional properties are allowed.

      Hide item attributes Show item attributes object
      • attributes object Required

        Additional properties are NOT allowed.

        Hide attributes attributes Show attributes attributes object
        • controlGroupInput object

          Additional properties are NOT allowed.

          Hide controlGroupInput attributes Show controlGroupInput attributes object
          • autoApplySelections boolean

            Show apply selections button in controls.

            Default value is true.

          • chainingSystem string

            The chaining strategy for multiple controls. For example, "HIERARCHICAL" or "NONE".

            Values are NONE or HIERARCHICAL. Default value is HIERARCHICAL.

          • controls array[object]

            An array of control panels and their state in the control group.

            Default value is [] (empty).

            Hide controls attributes Show controls attributes object
            • controlConfig object

              Additional properties are allowed.

            • grow boolean

              Expand width of the control panel to fit available space.

              Default value is false.

            • id string

              The unique ID of the control.

            • order number Required

              The order of the control panel in the control group.

            • type string Required

              The type of the control panel.

            • width string

              Minimum width of the control panel in the control group.

              Values are small, medium, or large. Default value is medium.

          • enhancements object

            Additional properties are allowed.

          • ignoreParentSettings object Required

            Additional properties are NOT allowed.

            Hide ignoreParentSettings attributes Show ignoreParentSettings attributes object
            • ignoreFilters boolean

              Ignore global filters in controls.

              Default value is false.

            • ignoreQuery boolean

              Ignore the global query bar in controls.

              Default value is false.

            • ignoreTimerange boolean

              Ignore the global time range in controls.

              Default value is false.

            • ignoreValidations boolean

              Ignore validations in controls.

              Default value is false.

          • labelPosition string

            Position of the labels for controls. For example, "oneLine", "twoLine".

            Values are oneLine or twoLine. Default value is oneLine.

        • description string

          A short description.

          Default value is empty.

        • kibanaSavedObjectMeta object

          A container for various metadata

          Default value is {} (empty). Additional properties are NOT allowed.

          Hide kibanaSavedObjectMeta attribute Show kibanaSavedObjectMeta attribute object
          • searchSource object

            Additional properties are allowed.

            Hide searchSource attributes Show searchSource attributes object
            • filter array[object]

              A filter for the search source.

              Hide filter attributes Show filter attributes object
              • $state object

                Additional properties are NOT allowed.

                Hide $state attribute Show $state attribute object
                • store string Required

                  Denote whether a filter is specific to an application's context (e.g. 'appState') or whether it should be applied globally (e.g. 'globalState').

                  Values are appState or globalState.

              • meta object Required

                Additional properties are allowed.

                Hide meta attributes Show meta attributes object
              • query object

                Additional properties are allowed.

            • query object

              Additional properties are NOT allowed.

              Hide query attributes Show query attributes object
            • sort array[object]
            • type string
        • options object Required

          Additional properties are NOT allowed.

          Hide options attributes Show options attributes object
          • hidePanelTitles boolean

            Hide the panel titles in the dashboard.

            Default value is false.

          • syncColors boolean

            Synchronize colors between related panels in the dashboard.

            Default value is true.

          • syncCursor boolean

            Synchronize cursor position between related panels in the dashboard.

            Default value is true.

          • syncTooltips boolean

            Synchronize tooltips between related panels in the dashboard.

            Default value is true.

          • useMargins boolean

            Show margins between panels in the dashboard layout.

            Default value is true.

        • panels array[object]

          Default value is [] (empty).

          Hide panels attributes Show panels attributes object
          • gridData object Required

            Additional properties are NOT allowed.

            Hide gridData attributes Show gridData attributes object
            • h number

              The height of the panel in grid units

              Minimum value is 1. Default value is 15.

            • i string Required
            • w number

              The width of the panel in grid units

              Minimum value is 1, maximum value is 48. Default value is 24.

            • x number Required

              The x coordinate of the panel in grid units

            • y number Required

              The y coordinate of the panel in grid units

          • id string

            The saved object id for by reference panels

          • panelConfig object Required

            Additional properties are allowed.

            Hide panelConfig attributes Show panelConfig attributes object
          • panelIndex string Required
          • panelRefName string
          • title string

            The title of the panel

          • type string Required

            The embeddable type

          • version string Deprecated

            The version was used to store Kibana version information from versions 7.3.0 -> 8.11.0. As of version 8.11.0, the versioning information is now per-embeddable-type and is stored on the embeddable's input. (panelConfig in this type).

        • refreshInterval object

          A container for various refresh interval settings

          Additional properties are NOT allowed.

          Hide refreshInterval attributes Show refreshInterval attributes object
          • display string Deprecated

            A human-readable string indicating the refresh frequency. No longer used.

          • pause boolean Required

            Whether the refresh interval is set to be paused while viewing the dashboard.

          • section number Deprecated

            No longer used.

          • value number Required

            A numeric value indicating refresh frequency in milliseconds.

        • timeFrom string

          An ISO string indicating when to restore time from

        • timeRestore boolean

          Whether to restore time upon viewing this dashboard

          Default value is false.

        • timeTo string

          An ISO string indicating when to restore time from

        • title string Required

          A human-readable title for the dashboard

        • version number Deprecated
      • createdAt string
      • createdBy string
      • error object

        Additional properties are NOT allowed.

        Hide error attributes Show error attributes object
      • id string Required
      • managed boolean
      • namespaces array[string]
      • originId string
      • references array[object] Required
        Hide references attributes Show references attributes object
      • type string Required
      • updatedAt string
      • updatedBy string
      • version string
POST /api/dashboards/dashboard/{id} 
curl \
 --request POST 'https://localhost:5601/api/dashboards/dashboard/{id}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"attributes":{"controlGroupInput":{"autoApplySelections":true,"chainingSystem":"HIERARCHICAL","controls":[{"controlConfig":{},"grow":false,"id":"string","order":42.0,"type":"string","width":"medium"}],"enhancements":{},"ignoreParentSettings":{"ignoreFilters":false,"ignoreQuery":false,"ignoreTimerange":false,"ignoreValidations":false},"labelPosition":"oneLine"},"description":"","kibanaSavedObjectMeta":{"searchSource":{"filter":[{"$state":{"store":"appState"},"meta":{"alias":"string","controlledBy":"string","disabled":true,"field":"string","group":"string","index":"string","isMultiIndex":true,"key":"string","negate":true,"type":"string","value":"string"},"query":{}}],"query":{"language":"string","query":"string"},"sort":[{}],"type":"string"}},"options":{"hidePanelTitles":false,"syncColors":true,"syncCursor":true,"syncTooltips":true,"useMargins":true},"panels":[{"gridData":{"h":15,"i":"string","w":24,"x":42.0,"y":42.0},"id":"string","panelConfig":{"description":"string","enhancements":{},"hidePanelTitles":true,"savedObjectId":"string","title":"string","version":"string"},"panelIndex":"string","panelRefName":"string","title":"string","type":"string","version":"string"}],"refreshInterval":{"display":"string","pause":true,"section":42.0,"value":42.0},"timeFrom":"string","timeRestore":false,"timeTo":"string","title":"string","version":42.0},"references":[{"id":"string","name":"string","type":"string"}],"spaces":["string"]}'

Get all data views

GET /api/data_views
Api key auth Basic auth

Responses

GET /api/data_views 
curl \
 --request GET 'https://localhost:5601/api/data_views' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "data_view": [
    {
      "id": "ff959d40-b880-11e8-a6d9-e546fe2bba5f",
      "name": "Kibana Sample Data eCommerce",
      "title": "kibana_sample_data_ecommerce",
      "typeMeta": {},
      "namespaces": [
        "default"
      ]
    },
    {
      "id": "d3d7af60-4c81-11e8-b3d7-01146121b73d",
      "name": "Kibana Sample Data Flights",
      "title": "kibana_sample_data_flights",
      "namespaces": [
        "default"
      ]
    },
    {
      "id": "90943e30-9a47-11e8-b64d-95841ca0b247",
      "name": "Kibana Sample Data Logs",
      "title": "kibana_sample_data_logs",
      "namespaces": [
        "default"
      ]
    }
  ]
}

Create a data view

POST /api/data_views/data_view
Api key auth Basic auth

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

application/json

Body Required

  • data_view object Required

    The data view object.

    Hide data_view attributes Show data_view attributes object
    • allowNoIndex boolean

      Allows the data view saved object to exist before the data is available.

    • fieldAttrs object
      Hide fieldAttrs attribute Show fieldAttrs attribute object
      • * object Additional properties

        A map of field attributes by field name.

        Hide * attributes Show * attributes object
    • fieldFormats object

      A map of field formats by field name.

    • fields object
    • id string
    • name string

      The data view name.

    • namespaces array[string]

      An array of space identifiers for sharing the data view between multiple spaces.

      Default value is default.

    • runtimeFieldMap object
      Hide runtimeFieldMap attribute Show runtimeFieldMap attribute object
      • * object Additional properties

        A map of runtime field definitions by field name.

        Hide * attributes Show * attributes object
        • script object Required
          Hide script attribute Show script attribute object
          • source string

            Script for the runtime field.

        • type string Required

          Mapping type of the runtime field.

    • sourceFilters array[object]

      The array of field names you want to filter out in Discover.

      Hide sourceFilters attribute Show sourceFilters attribute object
    • timeFieldName string

      The timestamp field name, which you use for time-based data views.

    • title string Required

      Comma-separated list of data streams, indices, and aliases that you want to search. Supports wildcards (*).

    • type string

      When set to rollup, identifies the rollup data views.

    • typeMeta object

      When you use rollup indices, contains the field list for the rollup data view API endpoints.

      Hide typeMeta attributes Show typeMeta attributes object
      • aggs object Required

        A map of rollup restrictions by aggregation type and field name.

      • params object Required

        Properties for retrieving rollup fields.

    • version string
  • override boolean

    Override an existing data view if a data view with the provided title already exists.

    Default value is false.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attribute Show response attribute object
    • data_view object
      Hide data_view attributes Show data_view attributes object
      • allowNoIndex boolean

        Allows the data view saved object to exist before the data is available.

      • fieldAttrs object
        Hide fieldAttrs attribute Show fieldAttrs attribute object
        • * object Additional properties

          A map of field attributes by field name.

          Hide * attributes Show * attributes object
      • fieldFormats object

        A map of field formats by field name.

      • fields object
      • id string
      • name string

        The data view name.

      • namespaces array[string]

        An array of space identifiers for sharing the data view between multiple spaces.

        Default value is default.

      • runtimeFieldMap object
        Hide runtimeFieldMap attribute Show runtimeFieldMap attribute object
        • * object Additional properties

          A map of runtime field definitions by field name.

          Hide * attributes Show * attributes object
          • script object Required
            Hide script attribute Show script attribute object
            • source string

              Script for the runtime field.

          • type string Required

            Mapping type of the runtime field.

      • sourceFilters array[object]

        The array of field names you want to filter out in Discover.

        Hide sourceFilters attribute Show sourceFilters attribute object
      • timeFieldName string

        The timestamp field name, which you use for time-based data views.

      • title string

        Comma-separated list of data streams, indices, and aliases that you want to search. Supports wildcards (*).

      • typeMeta object | null

        When you use rollup indices, contains the field list for the rollup data view API endpoints.

        Hide typeMeta attributes Show typeMeta attributes object | null
        • aggs object

          A map of rollup restrictions by aggregation type and field name.

        • params object

          Properties for retrieving rollup fields.

      • version string
  • 400 application/json

    Bad request

    Hide response attributes Show response attributes object
POST /api/data_views/data_view 
curl \
 --request POST 'https://localhost:5601/api/data_views/data_view' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"data_view":{"name":"My Logstash data view","title":"logstash-*","runtimeFieldMap":{"runtime_shape_name":{"type":"keyword","script":{"source":"emit(doc['shape_name'].value)"}}}}}'
Request example 
{
  "data_view": {
    "name": "My Logstash data view",
    "title": "logstash-*",
    "runtimeFieldMap": {
      "runtime_shape_name": {
        "type": "keyword",
        "script": {
          "source": "emit(doc['shape_name'].value)"
        }
      }
    }
  }
}

Get a data view

GET /api/data_views/data_view/{viewId}
Api key auth Basic auth

Path parameters

  • viewId string Required

    An identifier for the data view.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attribute Show response attribute object
    • data_view object
      Hide data_view attributes Show data_view attributes object
      • allowNoIndex boolean

        Allows the data view saved object to exist before the data is available.

      • fieldAttrs object
        Hide fieldAttrs attribute Show fieldAttrs attribute object
        • * object Additional properties

          A map of field attributes by field name.

          Hide * attributes Show * attributes object
      • fieldFormats object

        A map of field formats by field name.

      • fields object
      • id string
      • name string

        The data view name.

      • namespaces array[string]

        An array of space identifiers for sharing the data view between multiple spaces.

        Default value is default.

      • runtimeFieldMap object
        Hide runtimeFieldMap attribute Show runtimeFieldMap attribute object
        • * object Additional properties

          A map of runtime field definitions by field name.

          Hide * attributes Show * attributes object
          • script object Required
            Hide script attribute Show script attribute object
            • source string

              Script for the runtime field.

          • type string Required

            Mapping type of the runtime field.

      • sourceFilters array[object]

        The array of field names you want to filter out in Discover.

        Hide sourceFilters attribute Show sourceFilters attribute object
      • timeFieldName string

        The timestamp field name, which you use for time-based data views.

      • title string

        Comma-separated list of data streams, indices, and aliases that you want to search. Supports wildcards (*).

      • typeMeta object | null

        When you use rollup indices, contains the field list for the rollup data view API endpoints.

        Hide typeMeta attributes Show typeMeta attributes object | null
        • aggs object

          A map of rollup restrictions by aggregation type and field name.

        • params object

          Properties for retrieving rollup fields.

      • version string
  • 404 application/json

    Object is not found.

    Hide response attributes Show response attributes object
GET /api/data_views/data_view/{viewId} 
curl \
 --request GET 'https://localhost:5601/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "data_view": {
    "id": "ff959d40-b880-11e8-a6d9-e546fe2bba5f",
    "name": "Kibana Sample Data eCommerce",
    "title": "kibana_sample_data_ecommerce",
    "fields": {
      "_id": {
        "name": "_id",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "_id"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "sku": {
        "name": "sku",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "type": {
        "name": "type",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "user": {
        "name": "user",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "email": {
        "name": "email",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "_index": {
        "name": "_index",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "_index"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "_score": {
        "name": "_score",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "isMapped": true,
        "scripted": false,
        "searchable": false,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "_source": {
        "name": "_source",
        "type": "_source",
        "count": 0,
        "format": {
          "id": "_source"
        },
        "esTypes": [
          "_source"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": false,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "category": {
        "name": "category",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "text"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "currency": {
        "name": "currency",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "order_id": {
        "name": "order_id",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "order_date": {
        "name": "order_date",
        "type": "date",
        "count": 0,
        "format": {
          "id": "date"
        },
        "esTypes": [
          "date"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "customer_id": {
        "name": "customer_id",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "day_of_week": {
        "name": "day_of_week",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "manufacturer": {
        "name": "manufacturer",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "text"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "products._id": {
        "name": "products._id",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "text"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "products.sku": {
        "name": "products.sku",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "day_of_week_i": {
        "name": "day_of_week_i",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "integer"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "event.dataset": {
        "name": "event.dataset",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "customer_phone": {
        "name": "customer_phone",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "geoip.location": {
        "name": "geoip.location",
        "type": "geo_point",
        "count": 0,
        "format": {
          "id": "geo_point",
          "params": {
            "transform": "wkt"
          }
        },
        "esTypes": [
          "geo_point"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.price": {
        "name": "products.price",
        "type": "number",
        "count": 1,
        "format": {
          "id": "number",
          "params": {
            "pattern": "$0,0.00"
          }
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "total_quantity": {
        "name": "total_quantity",
        "type": "number",
        "count": 1,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "integer"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "customer_gender": {
        "name": "customer_gender",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "geoip.city_name": {
        "name": "geoip.city_name",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "category.keyword": {
        "name": "category.keyword",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "subType": {
          "multi": {
            "parent": "category"
          }
        },
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "geoip.region_name": {
        "name": "geoip.region_name",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.category": {
        "name": "products.category",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "text"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "products.quantity": {
        "name": "products.quantity",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "integer"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "customer_full_name": {
        "name": "customer_full_name",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "text"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "customer_last_name": {
        "name": "customer_last_name",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "text"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "products.min_price": {
        "name": "products.min_price",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number",
          "params": {
            "pattern": "$0,0.00"
          }
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "taxful_total_price": {
        "name": "taxful_total_price",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number",
          "params": {
            "pattern": "$0,0.[00]"
          }
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "customer_birth_date": {
        "name": "customer_birth_date",
        "type": "date",
        "count": 0,
        "format": {
          "id": "date"
        },
        "esTypes": [
          "date"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "customer_first_name": {
        "name": "customer_first_name",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "text"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "products.base_price": {
        "name": "products.base_price",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number",
          "params": {
            "pattern": "$0,0.00"
          }
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.created_on": {
        "name": "products.created_on",
        "type": "date",
        "count": 0,
        "format": {
          "id": "date"
        },
        "esTypes": [
          "date"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.product_id": {
        "name": "products.product_id",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "long"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.tax_amount": {
        "name": "products.tax_amount",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "taxless_total_price": {
        "name": "taxless_total_price",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number",
          "params": {
            "pattern": "$0,0.00"
          }
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "geoip.continent_name": {
        "name": "geoip.continent_name",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "manufacturer.keyword": {
        "name": "manufacturer.keyword",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "subType": {
          "multi": {
            "parent": "manufacturer"
          }
        },
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products._id.keyword": {
        "name": "products._id.keyword",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "subType": {
          "multi": {
            "parent": "products._id"
          }
        },
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.manufacturer": {
        "name": "products.manufacturer",
        "type": "string",
        "count": 1,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "text"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "products.product_name": {
        "name": "products.product_name",
        "type": "string",
        "count": 1,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "text"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "products.taxful_price": {
        "name": "products.taxful_price",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number",
          "params": {
            "pattern": "$0,0.00"
          }
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "total_unique_products": {
        "name": "total_unique_products",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "integer"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "geoip.country_iso_code": {
        "name": "geoip.country_iso_code",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.taxless_price": {
        "name": "products.taxless_price",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number",
          "params": {
            "pattern": "$0,0.00"
          }
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.base_unit_price": {
        "name": "products.base_unit_price",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number",
          "params": {
            "pattern": "$0,0.00"
          }
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.discount_amount": {
        "name": "products.discount_amount",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.category.keyword": {
        "name": "products.category.keyword",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "subType": {
          "multi": {
            "parent": "products.category"
          }
        },
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "customer_full_name.keyword": {
        "name": "customer_full_name.keyword",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "subType": {
          "multi": {
            "parent": "customer_full_name"
          }
        },
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "customer_last_name.keyword": {
        "name": "customer_last_name.keyword",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "subType": {
          "multi": {
            "parent": "customer_last_name"
          }
        },
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "customer_first_name.keyword": {
        "name": "customer_first_name.keyword",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "subType": {
          "multi": {
            "parent": "customer_first_name"
          }
        },
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.discount_percentage": {
        "name": "products.discount_percentage",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.manufacturer.keyword": {
        "name": "products.manufacturer.keyword",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "subType": {
          "multi": {
            "parent": "products.manufacturer"
          }
        },
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.product_name.keyword": {
        "name": "products.product_name.keyword",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "subType": {
          "multi": {
            "parent": "products.product_name"
          }
        },
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.unit_discount_amount": {
        "name": "products.unit_discount_amount",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      }
    },
    "version": "WzUsMV0=",
    "typeMeta": {},
    "fieldAttrs": {
      "products.price": {
        "count": 1
      },
      "total_quantity": {
        "count": 1
      },
      "products.manufacturer": {
        "count": 1
      },
      "products.product_name": {
        "count": 1
      }
    },
    "namespaces": [
      "default"
    ],
    "allowNoIndex": false,
    "fieldFormats": {
      "products.price": {
        "id": "number",
        "params": {
          "pattern": "$0,0.00"
        }
      },
      "products.min_price": {
        "id": "number",
        "params": {
          "pattern": "$0,0.00"
        }
      },
      "taxful_total_price": {
        "id": "number",
        "params": {
          "pattern": "$0,0.[00]"
        }
      },
      "products.base_price": {
        "id": "number",
        "params": {
          "pattern": "$0,0.00"
        }
      },
      "taxless_total_price": {
        "id": "number",
        "params": {
          "pattern": "$0,0.00"
        }
      },
      "products.taxful_price": {
        "id": "number",
        "params": {
          "pattern": "$0,0.00"
        }
      },
      "products.taxless_price": {
        "id": "number",
        "params": {
          "pattern": "$0,0.00"
        }
      },
      "products.base_unit_price": {
        "id": "number",
        "params": {
          "pattern": "$0,0.00"
        }
      }
    },
    "sourceFilters": [],
    "timeFieldName": "order_date",
    "runtimeFieldMap": {}
  }
}

Update a data view

POST /api/data_views/data_view/{viewId}
Api key auth Basic auth

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

  • viewId string Required

    An identifier for the data view.

application/json

Body Required

  • data_view object Required

    The data view properties you want to update. Only the specified properties are updated in the data view. Unspecified fields stay as they are persisted.

    Hide data_view attributes Show data_view attributes object
    • allowNoIndex boolean

      Allows the data view saved object to exist before the data is available.

    • fieldFormats object

      A map of field formats by field name.

    • fields object
    • name string
    • runtimeFieldMap object
      Hide runtimeFieldMap attribute Show runtimeFieldMap attribute object
      • * object Additional properties

        A map of runtime field definitions by field name.

        Hide * attributes Show * attributes object
        • script object Required
          Hide script attribute Show script attribute object
          • source string

            Script for the runtime field.

        • type string Required

          Mapping type of the runtime field.

    • sourceFilters array[object]

      The array of field names you want to filter out in Discover.

      Hide sourceFilters attribute Show sourceFilters attribute object
    • timeFieldName string

      The timestamp field name, which you use for time-based data views.

    • title string

      Comma-separated list of data streams, indices, and aliases that you want to search. Supports wildcards (*).

    • type string

      When set to rollup, identifies the rollup data views.

    • typeMeta object

      When you use rollup indices, contains the field list for the rollup data view API endpoints.

      Hide typeMeta attributes Show typeMeta attributes object
      • aggs object Required

        A map of rollup restrictions by aggregation type and field name.

      • params object Required

        Properties for retrieving rollup fields.

  • refresh_fields boolean

    Reloads the data view fields after the data view is updated.

    Default value is false.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attribute Show response attribute object
    • data_view object
      Hide data_view attributes Show data_view attributes object
      • allowNoIndex boolean

        Allows the data view saved object to exist before the data is available.

      • fieldAttrs object
        Hide fieldAttrs attribute Show fieldAttrs attribute object
        • * object Additional properties

          A map of field attributes by field name.

          Hide * attributes Show * attributes object
      • fieldFormats object

        A map of field formats by field name.

      • fields object
      • id string
      • name string

        The data view name.

      • namespaces array[string]

        An array of space identifiers for sharing the data view between multiple spaces.

        Default value is default.

      • runtimeFieldMap object
        Hide runtimeFieldMap attribute Show runtimeFieldMap attribute object
        • * object Additional properties

          A map of runtime field definitions by field name.

          Hide * attributes Show * attributes object
          • script object Required
            Hide script attribute Show script attribute object
            • source string

              Script for the runtime field.

          • type string Required

            Mapping type of the runtime field.

      • sourceFilters array[object]

        The array of field names you want to filter out in Discover.

        Hide sourceFilters attribute Show sourceFilters attribute object
      • timeFieldName string

        The timestamp field name, which you use for time-based data views.

      • title string

        Comma-separated list of data streams, indices, and aliases that you want to search. Supports wildcards (*).

      • typeMeta object | null

        When you use rollup indices, contains the field list for the rollup data view API endpoints.

        Hide typeMeta attributes Show typeMeta attributes object | null
        • aggs object

          A map of rollup restrictions by aggregation type and field name.

        • params object

          Properties for retrieving rollup fields.

      • version string
  • 400 application/json

    Bad request

    Hide response attributes Show response attributes object
POST /api/data_views/data_view/{viewId} 
curl \
 --request POST 'https://localhost:5601/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"data_view":{"name":"Kibana Sample Data eCommerce","title":"kibana_sample_data_ecommerce","allowNoIndex":false,"timeFieldName":"order_date"},"refresh_fields":true}'
Request example 
{
  "data_view": {
    "name": "Kibana Sample Data eCommerce",
    "title": "kibana_sample_data_ecommerce",
    "allowNoIndex": false,
    "timeFieldName": "order_date"
  },
  "refresh_fields": true
}

Get a runtime field

GET /api/data_views/data_view/{viewId}/runtime_field/{fieldName}
Api key auth Basic auth

Path parameters

  • fieldName string Required

    The name of the runtime field.

  • viewId string Required

    An identifier for the data view.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
  • 404 application/json

    Object is not found.

    Hide response attributes Show response attributes object
GET /api/data_views/data_view/{viewId}/runtime_field/{fieldName} 
curl \
 --request GET 'https://localhost:5601/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f/runtime_field/hour_of_day' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "fields": [
    {
      "name": "hour_of_day",
      "type": "number",
      "count": 0,
      "esTypes": [
        "long"
      ],
      "scripted": false,
      "searchable": true,
      "aggregatable": true,
      "runtimeField": {
        "type": "long",
        "script": {
          "source": "emit(doc['timestamp'].value.getHour());"
        }
      },
      "shortDotsEnable": false,
      "readFromDocValues": false
    }
  ],
  "data_view": {
    "id": "d3d7af60-4c81-11e8-b3d7-01146121b73d",
    "name": "Kibana Sample Data Flights",
    "title": "kibana_sample_data_flights",
    "fields": {
      "_id": {
        "name": "_id",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "_id"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "Dest": {
        "name": "Dest",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "Origin": {
        "name": "Origin",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "_index": {
        "name": "_index",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "_index"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "_score": {
        "name": "_score",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "isMapped": true,
        "scripted": false,
        "searchable": false,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "Carrier": {
        "name": "Carrier",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "_source": {
        "name": "_source",
        "type": "_source",
        "count": 0,
        "format": {
          "id": "_source"
        },
        "esTypes": [
          "_source"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": false,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "Cancelled": {
        "name": "Cancelled",
        "type": "boolean",
        "count": 0,
        "format": {
          "id": "boolean"
        },
        "esTypes": [
          "boolean"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "FlightNum": {
        "name": "FlightNum",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "dayOfWeek": {
        "name": "dayOfWeek",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "integer"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "timestamp": {
        "name": "timestamp",
        "type": "date",
        "count": 0,
        "format": {
          "id": "date"
        },
        "esTypes": [
          "date"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "DestRegion": {
        "name": "DestRegion",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "DestCountry": {
        "name": "DestCountry",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "DestWeather": {
        "name": "DestWeather",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "FlightDelay": {
        "name": "FlightDelay",
        "type": "boolean",
        "count": 0,
        "format": {
          "id": "boolean"
        },
        "esTypes": [
          "boolean"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "hour_of_day": {
        "name": "hour_of_day",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number",
          "params": {
            "pattern": "00"
          }
        },
        "esTypes": [
          "long"
        ],
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "runtimeField": {
          "type": "long",
          "script": {
            "source": "emit(doc['timestamp'].value.getHour());"
          }
        },
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "DestCityName": {
        "name": "DestCityName",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "DestLocation": {
        "name": "DestLocation",
        "type": "geo_point",
        "count": 0,
        "format": {
          "id": "geo_point",
          "params": {
            "transform": "wkt"
          }
        },
        "esTypes": [
          "geo_point"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "OriginRegion": {
        "name": "OriginRegion",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "DestAirportID": {
        "name": "DestAirportID",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "DistanceMiles": {
        "name": "DistanceMiles",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "FlightTimeMin": {
        "name": "FlightTimeMin",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "OriginCountry": {
        "name": "OriginCountry",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "OriginWeather": {
        "name": "OriginWeather",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "AvgTicketPrice": {
        "name": "AvgTicketPrice",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number",
          "params": {
            "pattern": "$0,0.[00]"
          }
        },
        "esTypes": [
          "float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "FlightDelayMin": {
        "name": "FlightDelayMin",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "integer"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "FlightTimeHour": {
        "name": "FlightTimeHour",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "OriginCityName": {
        "name": "OriginCityName",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "OriginLocation": {
        "name": "OriginLocation",
        "type": "geo_point",
        "count": 0,
        "format": {
          "id": "geo_point",
          "params": {
            "transform": "wkt"
          }
        },
        "esTypes": [
          "geo_point"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "FlightDelayType": {
        "name": "FlightDelayType",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "OriginAirportID": {
        "name": "OriginAirportID",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "DistanceKilometers": {
        "name": "DistanceKilometers",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      }
    },
    "version": "WzM2LDJd",
    "fieldAttrs": {},
    "allowNoIndex": false,
    "fieldFormats": {
      "hour_of_day": {
        "id": "number",
        "params": {
          "pattern": "00"
        }
      },
      "AvgTicketPrice": {
        "id": "number",
        "params": {
          "pattern": "$0,0.[00]"
        }
      }
    },
    "sourceFilters": [],
    "timeFieldName": "timestamp",
    "runtimeFieldMap": {
      "hour_of_day": {
        "type": "long",
        "script": {
          "source": "emit(doc['timestamp'].value.getHour());"
        }
      }
    }
  }
}

Update a runtime field

POST /api/data_views/data_view/{viewId}/runtime_field/{fieldName}
Api key auth Basic auth

Path parameters

  • fieldName string Required

    The name of the runtime field.

  • viewId string Required

    An identifier for the data view.

application/json

Body Required

  • runtimeField object Required

    The runtime field definition object.

    You can update following fields:

    • type
    • script

Responses

  • 200

    Indicates a successful call.

  • 400 application/json

    Bad request

    Hide response attributes Show response attributes object
POST /api/data_views/data_view/{viewId}/runtime_field/{fieldName} 
curl \
 --request POST 'https://localhost:5601/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f/runtime_field/hour_of_day' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"runtimeField":{"script":{"source":"emit(doc[\"bar\"].value)"}}}'
Request example 
{
  "runtimeField": {
    "script": {
      "source": "emit(doc[\"bar\"].value)"
    }
  }
}

Swap saved object references

POST /api/data_views/swap_references
Api key auth Basic auth

Changes saved object references from one data view identifier to another. WARNING: Misuse can break large numbers of saved objects! Practicing with a backup is recommended.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

application/json

Body Required

  • delete boolean

    Deletes referenced saved object if all references are removed.

  • forId string | array[string]

    Limit the affected saved objects to one or more by identifier.

    One of:
    string-1 string array-2 array[string]
  • forType string

    Limit the affected saved objects by type.

  • fromId string Required

    The saved object reference to change.

  • fromType string

    Specify the type of the saved object reference to alter. The default value is index-pattern for data views.

  • toId string Required

    New saved object reference value to replace the old value.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
POST /api/data_views/swap_references 
curl \
 --request POST 'https://localhost:5601/api/data_views/swap_references' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"toId":"xyz-123","delete":true,"fromId":"abcd-efg"}'
Request example 
{
  "toId": "xyz-123",
  "delete": true,
  "fromId": "abcd-efg"
}

Sync saved objects in the default space

GET /api/ml/saved_objects/sync
Api key auth Basic auth

Synchronizes Kibana saved objects for machine learning jobs and trained models in the default space. You must have all privileges for the Machine Learning feature in the Analytics section of the Kibana feature privileges. This API runs automatically when you start Kibana and periodically thereafter.

Query parameters

  • simulate boolean

    When true, simulates the synchronization by returning only the list of actions that would be performed.

Responses

  • 200 application/json

    Indicates a successful call

    Hide response attributes Show response attributes object
    • datafeedsAdded object

      If a saved object for an anomaly detection job is missing a datafeed identifier, it is added when you run the sync machine learning saved objects API.

      Hide datafeedsAdded attribute Show datafeedsAdded attribute object
      • * object Additional properties

        The sync machine learning saved objects API response contains this object when there are datafeeds affected by the synchronization. There is an object for each relevant datafeed, which contains the synchronization status.

        Hide * attribute Show * attribute object
        • success boolean

          The success or failure of the synchronization.

    • datafeedsRemoved object

      If a saved object for an anomaly detection job references a datafeed that no longer exists, it is deleted when you run the sync machine learning saved objects API.

      Hide datafeedsRemoved attribute Show datafeedsRemoved attribute object
      • * object Additional properties

        The sync machine learning saved objects API response contains this object when there are datafeeds affected by the synchronization. There is an object for each relevant datafeed, which contains the synchronization status.

        Hide * attribute Show * attribute object
        • success boolean

          The success or failure of the synchronization.

    • savedObjectsCreated object

      If saved objects are missing for machine learning jobs or trained models, they are created when you run the sync machine learning saved objects API.

      Hide savedObjectsCreated attributes Show savedObjectsCreated attributes object
      • anomaly-detector object

        If saved objects are missing for anomaly detection jobs, they are created.

        Hide anomaly-detector attribute Show anomaly-detector attribute object
        • * object Additional properties

          The sync machine learning saved objects API response contains this object when there are anomaly detection jobs affected by the synchronization. There is an object for each relevant job, which contains the synchronization status.

          Hide * attribute Show * attribute object
          • success boolean

            The success or failure of the synchronization.

      • data-frame-analytics object

        If saved objects are missing for data frame analytics jobs, they are created.

        Hide data-frame-analytics attribute Show data-frame-analytics attribute object
        • * object Additional properties

          The sync machine learning saved objects API response contains this object when there are data frame analytics jobs affected by the synchronization. There is an object for each relevant job, which contains the synchronization status.

          Hide * attribute Show * attribute object
          • success boolean

            The success or failure of the synchronization.

      • trained-model object

        If saved objects are missing for trained models, they are created.

        Hide trained-model attribute Show trained-model attribute object
        • * object Additional properties

          The sync machine learning saved objects API response contains this object when there are trained models affected by the synchronization. There is an object for each relevant trained model, which contains the synchronization status.

          Hide * attribute Show * attribute object
          • success boolean

            The success or failure of the synchronization.

    • savedObjectsDeleted object

      If saved objects exist for machine learning jobs or trained models that no longer exist, they are deleted when you run the sync machine learning saved objects API.

      Hide savedObjectsDeleted attributes Show savedObjectsDeleted attributes object
      • anomaly-detector object

        If there are saved objects exist for nonexistent anomaly detection jobs, they are deleted.

        Hide anomaly-detector attribute Show anomaly-detector attribute object
        • * object Additional properties

          The sync machine learning saved objects API response contains this object when there are anomaly detection jobs affected by the synchronization. There is an object for each relevant job, which contains the synchronization status.

          Hide * attribute Show * attribute object
          • success boolean

            The success or failure of the synchronization.

      • data-frame-analytics object

        If there are saved objects exist for nonexistent data frame analytics jobs, they are deleted.

        Hide data-frame-analytics attribute Show data-frame-analytics attribute object
        • * object Additional properties

          The sync machine learning saved objects API response contains this object when there are data frame analytics jobs affected by the synchronization. There is an object for each relevant job, which contains the synchronization status.

          Hide * attribute Show * attribute object
          • success boolean

            The success or failure of the synchronization.

      • trained-model object

        If there are saved objects exist for nonexistent trained models, they are deleted.

        Hide trained-model attribute Show trained-model attribute object
        • * object Additional properties

          The sync machine learning saved objects API response contains this object when there are trained models affected by the synchronization. There is an object for each relevant trained model, which contains the synchronization status.

          Hide * attribute Show * attribute object
          • success boolean

            The success or failure of the synchronization.
  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
GET /api/ml/saved_objects/sync 
curl \
 --request GET 'https://localhost:5601/api/ml/saved_objects/sync' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "datafeedsAdded": {},
  "datafeedsRemoved": {},
  "savedObjectsCreated": {
    "anomaly-detector": {
      "myjob1": {
        "success": true
      },
      "myjob2": {
        "success": true
      }
    }
  },
  "savedObjectsDeleted": {}
}

Get a role

GET /api/security/role/{name}
Api key auth Basic auth

Path parameters

  • name string Required

    The role name.

    Minimum length is 1.

Query parameters

  • replaceDeprecatedPrivileges boolean

    If true and the response contains any privileges that are associated with deprecated features, they are omitted in favor of details about the appropriate replacement feature privileges.

Responses

  • 200 application/json

    Indicates a successful call.

GET /api/security/role/{name} 
curl \
 --request GET 'https://localhost:5601/api/security/role/{name}' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "name": "my_kibana_role",
  "kibana": [
    {
      "base": [
        "all"
      ],
      "spaces": [
        "default"
      ],
      "feature": {}
    }
  ],
  "metadata": {
    "version": 1
  },
  "description": "Grants all cluster privileges and full access to index1 and index2. Grants full access to remote_index1 and remote_index2, and the monitor_enrich cluster privilege on remote_cluster1. Grants all Kibana privileges in the default space.",
  "elasticsearch": {
    "run_as": [],
    "cluster": [
      "all"
    ],
    "indices": [
      {
        "names": [
          "index1",
          "index2"
        ],
        "privileges": [
          "all"
        ],
        "allow_restricted_indices": false
      }
    ],
    "remote_cluster": [
      {
        "clusters": [
          "remote_cluster1"
        ],
        "privileges": [
          "monitor_enrich"
        ]
      }
    ],
    "remote_indices": [
      {
        "names": [
          "remote_index1",
          "remote_index2"
        ],
        "clusters": [
          "remote_cluster1"
        ],
        "privileges": [
          "all"
        ],
        "allow_restricted_indices": false
      }
    ]
  },
  "_transform_error": [],
  "transient_metadata": {
    "enabled": true
  },
  "_unrecognized_applications": []
}

Create or update roles

POST /api/security/roles
Api key auth Basic auth

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body

  • roles object Required
    Hide roles attribute Show roles attribute object
    • * object Additional properties

      Additional properties are NOT allowed.

      Hide * attributes Show * attributes object
      • description string

        A description for the role.

        Maximum length is 2048.

      • elasticsearch object Required

        Additional properties are NOT allowed.

        Hide elasticsearch attributes Show elasticsearch attributes object
        • cluster array[string]

          Cluster privileges that define the cluster level actions that users can perform.

        • indices array[object]
          Hide indices attributes Show indices attributes object
          • allow_restricted_indices boolean

            Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field covers the restricted indices too.

          • field_security object
            Hide field_security attribute Show field_security attribute object
            • * array[string] Additional properties

              The document fields that the role members have read access to.

          • names array[string] Required

            The data streams, indices, and aliases to which the permissions in this entry apply. It supports wildcards (*).

            At least 1 element.

          • privileges array[string] Required

            The index level privileges that the role members have for the data streams and indices.

            At least 1 element.

          • query string

            A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members.

        • remote_cluster array[object]
          Hide remote_cluster attributes Show remote_cluster attributes object
          • clusters array[string] Required

            A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions.

            At least 1 element.

          • privileges array[string] Required

            The cluster level privileges for the remote cluster. The allowed values are a subset of the cluster privileges.

            At least 1 element.

        • remote_indices array[object]
          Hide remote_indices attributes Show remote_indices attributes object
          • allow_restricted_indices boolean

            Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field will cover the restricted indices too.

          • clusters array[string] Required

            A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions.

            At least 1 element.

          • field_security object
            Hide field_security attribute Show field_security attribute object
            • * array[string] Additional properties

              The document fields that the role members have read access to.

          • names array[string] Required

            A list of remote aliases, data streams, or indices to which the permissions apply. It supports wildcards (*).

            At least 1 element.

          • privileges array[string] Required

            The index level privileges that role members have for the specified indices.

            At least 1 element.

          • query string

            A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members.

        • run_as array[string]

          A user name that the role member can impersonate.

      • kibana array[object]
        Hide kibana attributes Show kibana attributes object
      • metadata object

        Additional properties are allowed.

Responses

  • 200

    Indicates a successful call.

POST /api/security/roles 
curl \
 --request POST 'https://localhost:5601/api/security/roles' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"roles":{"additionalProperty1":{"description":"string","elasticsearch":{"cluster":["string"],"indices":[{"allow_restricted_indices":true,"field_security":{"additionalProperty1":["string"],"additionalProperty2":["string"]},"names":["string"],"privileges":["string"],"query":"string"}],"remote_cluster":[{"clusters":["string"],"privileges":["string"]}],"remote_indices":[{"allow_restricted_indices":true,"clusters":["string"],"field_security":{"additionalProperty1":["string"],"additionalProperty2":["string"]},"names":["string"],"privileges":["string"],"query":"string"}],"run_as":["string"]},"kibana":[{"base":[],"feature":{"additionalProperty1":["string"],"additionalProperty2":["string"]},"spaces":["*"]}],"metadata":{}},"additionalProperty2":{"description":"string","elasticsearch":{"cluster":["string"],"indices":[{"allow_restricted_indices":true,"field_security":{"additionalProperty1":["string"],"additionalProperty2":["string"]},"names":["string"],"privileges":["string"],"query":"string"}],"remote_cluster":[{"clusters":["string"],"privileges":["string"]}],"remote_indices":[{"allow_restricted_indices":true,"clusters":["string"],"field_security":{"additionalProperty1":["string"],"additionalProperty2":["string"]},"names":["string"],"privileges":["string"],"query":"string"}],"run_as":["string"]},"kibana":[{"base":[],"feature":{"additionalProperty1":["string"],"additionalProperty2":["string"]},"spaces":["*"]}],"metadata":{}}}}'

Saved objects

Export sets of saved objects that you want to import into Kibana, resolve import errors, and rotate an encryption key for encrypted saved objects with the saved objects APIs.

To manage a specific type of saved object, use the corresponding APIs. For example, use:

Warning: Do not write documents directly to the .kibana index. When you write directly to the .kibana index, the data becomes corrupted and permanently breaks future Kibana versions

Get saved objects Deprecated

POST /api/saved_objects/_bulk_get
Api key auth Basic auth

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

application/json

Body Required

object object

Responses

  • 200 application/json

    Indicates a successful call.
  • 400 application/json

    Bad request

    Hide response attributes Show response attributes object
POST /api/saved_objects/_bulk_get 
curl \
 --request POST 'https://localhost:5601/api/saved_objects/_bulk_get' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '[{}]'

Resolve saved objects Deprecated

POST /api/saved_objects/_bulk_resolve
Api key auth Basic auth

Retrieve multiple Kibana saved objects by identifier using any legacy URL aliases if they exist. Under certain circumstances when Kibana is upgraded, saved object migrations may necessitate regenerating some object IDs to enable new features. When an object's ID is regenerated, a legacy URL alias is created for that object, preserving its old ID. In such a scenario, that object can be retrieved by the bulk resolve API using either its new ID or its old ID.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

application/json

Body Required

object object

Responses

  • 200 application/json

    Indicates a successful call. NOTE: This HTTP response code indicates that the bulk operation succeeded. Errors pertaining to individual objects will be returned in the response body.

  • 400 application/json

    Bad request

    Hide response attributes Show response attributes object
POST /api/saved_objects/_bulk_resolve 
curl \
 --request POST 'https://localhost:5601/api/saved_objects/_bulk_resolve' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '[{}]'

Update saved objects Deprecated

POST /api/saved_objects/_bulk_update
Api key auth Basic auth

Update the attributes for multiple Kibana saved objects.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

application/json

Body Required

object object

Responses

  • 200 application/json

    Indicates a successful call. NOTE: This HTTP response code indicates that the bulk operation succeeded. Errors pertaining to individual objects will be returned in the response body.

  • 400 application/json

    Bad request

    Hide response attributes Show response attributes object
POST /api/saved_objects/_bulk_update 
curl \
 --request POST 'https://localhost:5601/api/saved_objects/_bulk_update' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '[{}]'

Export saved objects

POST /api/saved_objects/_export
Api key auth Basic auth

Retrieve sets of saved objects that you want to import into Kibana. You must include type or objects in the request body.

Exported saved objects are not backwards compatible and cannot be imported into an older version of Kibana.

NOTE: The savedObjects.maxImportExportSize configuration setting limits the number of saved objects which may be exported.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

application/json

Body Required

Responses

  • 200 application/x-ndjson

    Indicates a successful call.

    Additional properties are allowed.
  • 400 application/json

    Bad request.

    Hide response attributes Show response attributes object
POST /api/saved_objects/_export 
curl \
 --request POST 'https://localhost:5601/api/saved_objects/_export' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"objects":[{"id":"de71f4f0-1902-11e9-919b-ffe5949a18d2","type":"map"}],"excludeExportDetails":true,"includeReferencesDeep":false}'
Request example 
{
  "objects": [
    {
      "id": "de71f4f0-1902-11e9-919b-ffe5949a18d2",
      "type": "map"
    }
  ],
  "excludeExportDetails": true,
  "includeReferencesDeep": false
}
Response examples (200) 
{
  "id": "de71f4f0-1902-11e9-919b-ffe5949a18d2",
  "type": "map",
  "managed": false,
  "version": "WzEzLDFd",
  "attributes": {
    "title": "[Logs] Total Requests and Bytes",
    "description": "",
    "uiStateJSON": "{\"isDarkMode\":false}",
    "mapStateJSON": "{\"zoom\":3.64,\"center\":{\"lon\":-88.92107,\"lat\":42.16337},\"timeFilters\":{\"from\":\"now-7d\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":true,\"interval\":0},\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"settings\":{\"autoFitToDataBounds\":false}}",
    "layerListJSON": "[{\"id\":\"0hmz5\",\"alpha\":1,\"sourceDescriptor\":{\"type\":\"EMS_TMS\",\"isAutoSelect\":true,\"lightModeDefault\":\"road_map_desaturated\"},\"visible\":true,\"style\":{},\"type\":\"EMS_VECTOR_TILE\",\"minZoom\":0,\"maxZoom\":24},{\"id\":\"edh66\",\"label\":\"Total Requests by Destination\",\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.5,\"sourceDescriptor\":{\"type\":\"EMS_FILE\",\"id\":\"world_countries\",\"tooltipProperties\":[\"name\",\"iso2\"]},\"visible\":true,\"style\":{\"type\":\"VECTOR\",\"properties\":{\"fillColor\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"name\":\"__kbnjoin__count__673ff994-fc75-4c67-909b-69fcb0e1060e\",\"origin\":\"join\"},\"color\":\"Greys\",\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3}}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":1}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":10}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}}}},\"type\":\"GEOJSON_VECTOR\",\"joins\":[{\"leftField\":\"iso2\",\"right\":{\"type\":\"ES_TERM_SOURCE\",\"id\":\"673ff994-fc75-4c67-909b-69fcb0e1060e\",\"indexPatternTitle\":\"kibana_sample_data_logs\",\"term\":\"geo.dest\",\"indexPatternRefName\":\"layer_1_join_0_index_pattern\",\"metrics\":[{\"type\":\"count\",\"label\":\"web logs count\"}],\"applyGlobalQuery\":true}}]},{\"id\":\"gaxya\",\"label\":\"Actual Requests\",\"minZoom\":9,\"maxZoom\":24,\"alpha\":1,\"sourceDescriptor\":{\"id\":\"b7486535-171b-4d3b-bb2e-33c1a0a2854c\",\"type\":\"ES_SEARCH\",\"geoField\":\"geo.coordinates\",\"limit\":2048,\"filterByMapBounds\":true,\"tooltipProperties\":[\"clientip\",\"timestamp\",\"host\",\"request\",\"response\",\"machine.os\",\"agent\",\"bytes\"],\"indexPatternRefName\":\"layer_2_source_index_pattern\",\"applyGlobalQuery\":true,\"scalingType\":\"LIMIT\"},\"visible\":true,\"style\":{\"type\":\"VECTOR\",\"properties\":{\"fillColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#2200ff\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":2}},\"iconSize\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"name\":\"bytes\",\"origin\":\"source\"},\"minSize\":1,\"maxSize\":23,\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3}}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}}}},\"type\":\"GEOJSON_VECTOR\"},{\"id\":\"tfi3f\",\"label\":\"Total Requests and Bytes\",\"minZoom\":0,\"maxZoom\":9,\"alpha\":1,\"sourceDescriptor\":{\"type\":\"ES_GEO_GRID\",\"resolution\":\"COARSE\",\"id\":\"8aaa65b5-a4e9-448b-9560-c98cb1c5ac5b\",\"geoField\":\"geo.coordinates\",\"requestType\":\"point\",\"metrics\":[{\"type\":\"count\",\"label\":\"web logs count\"},{\"type\":\"sum\",\"field\":\"bytes\"}],\"indexPatternRefName\":\"layer_3_source_index_pattern\",\"applyGlobalQuery\":true},\"visible\":true,\"style\":{\"type\":\"VECTOR\",\"properties\":{\"fillColor\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"},\"color\":\"Blues\",\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3}}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#cccccc\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":1}},\"iconSize\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"name\":\"sum_of_bytes\",\"origin\":\"source\"},\"minSize\":7,\"maxSize\":25,\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3}}},\"labelText\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"},\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3}}},\"labelSize\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"},\"minSize\":12,\"maxSize\":24,\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3}}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}}}},\"type\":\"GEOJSON_VECTOR\"}]"
  },
  "created_at": "2023-08-23T20:03:32.204Z",
  "references": [
    {
      "id": "90943e30-9a47-11e8-b64d-95841ca0b247",
      "name": "layer_1_join_0_index_pattern",
      "type": "index-pattern"
    },
    {
      "id": "90943e30-9a47-11e8-b64d-95841ca0b247",
      "name": "layer_2_source_index_pattern",
      "type": "index-pattern"
    },
    {
      "id": "90943e30-9a47-11e8-b64d-95841ca0b247",
      "name": "layer_3_source_index_pattern",
      "type": "index-pattern"
    }
  ],
  "updated_at": "2023-08-23T20:03:32.204Z",
  "coreMigrationVersion": "8.8.0",
  "typeMigrationVersion": "8.4.0"
}

Resolve import errors

POST /api/saved_objects/_resolve_import_errors
Api key auth Basic auth

To resolve errors from the Import objects API, you can:

  • Retry certain saved objects
  • Overwrite specific saved objects
  • Change references to different saved objects

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Query parameters

  • compatibilityMode boolean

    Applies various adjustments to the saved objects that are being imported to maintain compatibility between different Kibana versions. When enabled during the initial import, also enable when resolving import errors. This option cannot be used with the createNewCopies option.

  • createNewCopies boolean

    Creates copies of the saved objects, regenerates each object ID, and resets the origin. When enabled during the initial import, also enable when resolving import errors.

multipart/form-data

Body Required

  • file string(binary)

    The same file given to the import API.

  • retries array[object] Required

    The retry operations, which can specify how to resolve different types of errors.

    Hide retries attributes Show retries attributes object
    • destinationId string

      Specifies the destination ID that the imported object should have, if different from the current ID.

    • id string Required

      The saved object ID.

    • ignoreMissingReferences boolean

      When set to true, ignores missing reference errors. When set to false, does nothing.

    • overwrite boolean

      When set to true, the source object overwrites the conflicting destination object. When set to false, does nothing.

    • replaceReferences array[object]

      A list of type, from, and to used to change the object references.

      Hide replaceReferences attributes Show replaceReferences attributes object
    • type string Required

      The saved object type.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • errors array[object]

      Specifies the objects that failed to resolve.

      NOTE: One object can result in multiple errors, which requires separate steps to resolve. For instance, a missing_references error and a conflict error.

    • success boolean

      Indicates a successful import. When set to false, some objects may not have been created. For additional information, refer to the errors and successResults properties.

    • successCount number

      Indicates the number of successfully resolved records.

    • successResults array[object]

      Indicates the objects that are successfully imported, with any metadata if applicable.

      NOTE: Objects are only created when all resolvable errors are addressed, including conflict and missing references.
  • 400 application/json

    Bad request.

    Hide response attributes Show response attributes object
POST /api/saved_objects/_resolve_import_errors 
curl \
 --request POST 'https://localhost:5601/api/saved_objects/_resolve_import_errors' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: multipart/form-data" \
 --header "kbn-xsrf: string" \
 --form "file=file.ndjson" \
 --form "retries[]={"id"=>"my-pattern", "type"=>"index-pattern", "overwrite"=>true}" \
 --form "retries[]={"id"=>"my-vis", "type"=>"visualization", "overwrite"=>true, "destinationId"=>"another-vis"}" \
 --form "retries[]={"id"=>"my-canvas", "type"=>"canvas", "overwrite"=>true, "destinationId"=>"yet-another-canvas"}" \
 --form "retries[]={"id"=>"my-dashboard", "type"=>"dashboard"}"
Request example 
{"file"=>"file.ndjson", "retries"=>[{"id"=>"my-pattern", "type"=>"index-pattern", "overwrite"=>true}, {"id"=>"my-vis", "type"=>"visualization", "overwrite"=>true, "destinationId"=>"another-vis"}, {"id"=>"my-canvas", "type"=>"canvas", "overwrite"=>true, "destinationId"=>"yet-another-canvas"}, {"id"=>"my-dashboard", "type"=>"dashboard"}]}
Response examples (200) 
{
  "success": true,
  "successCount": 3,
  "successResults": [
    {
      "id": "my-vis",
      "meta": {
        "icon": "visualizeApp",
        "title": "Look at my visualization"
      },
      "type": "visualization"
    },
    {
      "id": "my-search",
      "meta": {
        "icon": "searchApp",
        "title": "Look at my search"
      },
      "type": "search"
    },
    {
      "id": "my-dashboard",
      "meta": {
        "icon": "dashboardApp",
        "title": "Look at my dashboard"
      },
      "type": "dashboard"
    }
  ]
}

Create a saved object Deprecated

POST /api/saved_objects/{type}/{id}
Api key auth Basic auth

Create a Kibana saved object and specify its identifier instead of using a randomly generated ID.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

  • id string Required

    An identifier for the saved object.

  • type string Required

    Valid options include visualization, dashboard, search, index-pattern, config.

Query parameters

  • overwrite boolean

    If true, overwrites the document with the same identifier.

application/json

Body Required

  • attributes object Required

    The data that you want to create. WARNING: When you create saved objects, attributes are not validated, which allows you to pass arbitrary and ill-formed data into the API that can break Kibana. Make sure any data that you send to the API is properly formed.

  • initialNamespaces array

    Identifiers for the spaces in which this object is created. If this is provided, the object is created only in the explicitly defined spaces. If this is not provided, the object is created in the current space (default behavior). For shareable object types (registered with namespaceType: 'multiple'), this option can be used to specify one or more spaces, including the "All spaces" identifier (''). For isolated object types (registered with namespaceType: 'single' or namespaceType: 'multiple-isolated'), this option can only be used to specify a single space, and the "All spaces" identifier ('') is not allowed. For global object types (registered withnamespaceType: agnostic`), this option cannot be used.

  • references array

    Identifiers for the spaces in which this object is created. If this is provided, the object is created only in the explicitly defined spaces. If this is not provided, the object is created in the current space (default behavior). For shareable object types (registered with namespaceType: 'multiple'), this option can be used to specify one or more spaces, including the "All spaces" identifier (''). For isolated object types (registered with namespaceType: 'single' or namespaceType: 'multiple-isolated'), this option can only be used to specify a single space, and the "All spaces" identifier ('') is not allowed. For global object types (registered withnamespaceType: agnostic`), this option cannot be used.

Responses

  • 200 application/json

    Indicates a successful call.
  • 409 application/json

    Indicates a conflict error.
POST /api/saved_objects/{type}/{id} 
curl \
 --request POST 'https://localhost:5601/api/saved_objects/{type}/{id}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"attributes":{},"initialNamespaces":[],"references":[]}'

Resolve a saved object Deprecated

GET /api/saved_objects/resolve/{type}/{id}
Api key auth Basic auth

Retrieve a single Kibana saved object by identifier using any legacy URL alias if it exists. Under certain circumstances, when Kibana is upgraded, saved object migrations may necessitate regenerating some object IDs to enable new features. When an object's ID is regenerated, a legacy URL alias is created for that object, preserving its old ID. In such a scenario, that object can be retrieved using either its new ID or its old ID.

Path parameters

  • id string Required

    An identifier for the saved object.

  • type string Required

    Valid options include visualization, dashboard, search, index-pattern, config.

Responses

  • 200 application/json

    Indicates a successful call.
  • 400 application/json

    Bad request.

    Hide response attributes Show response attributes object
GET /api/saved_objects/resolve/{type}/{id} 
curl \
 --request GET 'https://localhost:5601/api/saved_objects/resolve/{type}/{id}' \
 --header "Authorization: $API_KEY"

Get prompts

GET /api/security_ai_assistant/prompts/_find
Api key auth Basic auth

Get a list of all prompts.

Query parameters

  • fields array[string]
  • filter string

    Search query

  • sort_field string

    Field to sort by

    Values are created_at, is_default, name, or updated_at.

  • sort_order string

    Sort order

    Values are asc or desc.

  • page integer

    Page number

    Minimum value is 1. Default value is 1.

  • per_page integer

    Prompts per page

    Minimum value is 0. Default value is 20.

Responses

GET /api/security_ai_assistant/prompts/_find 
curl \
 --request GET 'https://localhost:5601/api/security_ai_assistant/prompts/_find' \
 --header "Authorization: $API_KEY"

Security detections

Use the detections APIs to create and manage detection rules. Detection rules search events and external alerts sent to Elastic Security and generate detection alerts from any hits. Alerts are displayed on the Alerts page and can be assigned and triaged, using the alert status to mark them as open, closed, or acknowledged.

This API supports both key-based authentication and basic authentication.

To use key-based authentication, create an API key, then specify the key in the header of your API calls.

To use basic authentication, provide a username and password; this automatically creates an API key that matches the current user’s privileges.

In both cases, the API key is subsequently used for authorization when the rule runs.

If the API key used for authorization has different privileges than the key that created or most recently updated a rule, the rule behavior might change.

If the API key that created a rule is deleted, or the user that created the rule becomes inactive, the rule will stop running.

To create and run rules, the user must meet specific requirements for the Kibana space. Refer to the Detections requirements for a complete list of requirements.

Delete multiple detection rules Deprecated

POST /api/detection_engine/rules/_bulk_delete
Api key auth Basic auth

Delete detection rules in bulk.

This API is deprecated and will be removed in Kibana v9.0.

application/json

Body Required

A JSON array of id or rule_id fields of the rules you want to delete.

  • id string(uuid)

    A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object ids.

  • rule_id string

    A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same rule_ids.

Responses

  • 200 application/json

    Indicates a successful call.

    One of:
    Security_Detections_API_EqlRuleResponseFields object Security_Detections_API_QueryRuleResponseFields object Security_Detections_API_SavedQueryRuleResponseFields object Security_Detections_API_ThresholdRuleResponseFields object Security_Detections_API_ThreatMatchRuleResponseFields object Security_Detections_API_MachineLearningRuleResponseFields object Security_Detections_API_NewTermsRuleResponseFields object Security_Detections_API_EsqlRuleResponseFields object Security_Detections_API_ErrorSchema object
    Hide attributes Show attributes
    • actions array[object] Required

      Array defining the automated actions (notifications) taken when alerts are generated.

      Hide actions attributes Show actions attributes object
      • action_type_id string Required

        The action type used for sending notifications, can be:

        • .slack
        • .slack_api
        • .email
        • .index
        • .pagerduty
        • .swimlane
        • .webhook
        • .servicenow
        • .servicenow-itom
        • .servicenow-sir
        • .jira
        • .resilient
        • .opsgenie
        • .teams
        • .torq
        • .tines
        • .d3security
      • alerts_filter object

        Object containing an action’s conditional filters.

        • timeframe (object, optional): Object containing the time frame for when this action can be run.
          • days (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between 1-7, where 1 is Monday and 7 is Sunday. To select all days of the week, enter an empty array.
          • hours (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format hh:mm in 24 hour time. A start of 00:00 and an end of 24:00 means the action can run all day.
            • start (string, required): Start time in hh:mm format.
            • end (string, required): End time in hh:mm format.
          • timezone (string, required): An ISO timezone name, such as Europe/Madrid or America/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.
        • query (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.
          • kql (string, required): A KQL string.
          • filters (array of objects, required): Array of filter objects, as defined in the kbn-es-query package.

        Additional properties are allowed.

      • frequency object

        The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

        Hide frequency attributes Show frequency attributes object
        • notifyWhen string Required

          Defines how often rules run actions.

          Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

        • summary boolean Required

          Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

        • throttle string | null Required

          Defines how often rule actions are taken.

          One of:
          string-1 string | null string-2 string | null

          Values are no_actions or rule.

      • group string

        Optionally groups actions by use cases. Use default for alert notifications.

      • id string Required

        The connector ID.

      • params object Required

        Object containing the allowed connector fields, which varies according to the connector type.

        For Slack:

        • message (string, required): The notification message.

        For email:

        • to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.
        • subject (string, optional): Email subject line.
        • message (string, required): Email body text.

        For Webhook:

        • body (string, required): JSON payload.

        For PagerDuty:

        • severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.
        • eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.
        • dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.
        • timestamp (DateTime, optional): ISO-8601 format timestamp.
        • component (string, optional): Source machine component responsible for the event, for example security-solution.
        • group (string, optional): Enables logical grouping of service components.
        • source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.
        • summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.
        • class (string, optional): Value indicating the class/type of the event.

        Additional properties are allowed.

      • uuid string(nonempty)

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • alias_purpose string

      Values are savedObjectConversion or savedObjectImport.

    • alias_target_id string
    • author array[string] Required

      The rule’s author.

    • building_block_type string

      Determines if the rule acts as a building block. If yes, the value must be default. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to About building block rules.

    • description string Required

      The rule’s description.

      Minimum length is 1.

    • enabled boolean Required

      Determines whether the rule is enabled. Defaults to true.

    • exceptions_list array[object] Required

      Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.

      Hide exceptions_list attributes Show exceptions_list attributes object
      • id string(nonempty) Required

        ID of the exception container

        Minimum length is 1.

      • list_id string(nonempty) Required

        List ID of the exception container

        Minimum length is 1.

      • namespace_type string Required

        Determines the exceptions validity in rule's Kibana space

        Values are agnostic or single.

      • type string Required

        The exception type

        Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

    • false_positives array[string] Required

      String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.

    • from string(date-math) Required

      Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

    • interval string Required

      Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

    • investigation_fields object

      Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.

      Hide investigation_fields attribute Show investigation_fields attribute object
      • field_names array[string(nonempty)] Required

        A string that does not contain only whitespace characters

        At least 1 element. Minimum length of each is 1.

    • license string

      The rule's license.

    • max_signals integer Required

      Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run advanced setting value).

      This setting can be superseded by the Kibana configuration setting xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, if xpack.alerting.rules.run.alerts.max is set to 1000, the rule can generate no more than 1000 alerts even if max_signals is set higher.

      Minimum value is 1. Default value is 100.

    • meta object

      Placeholder for metadata about the rule.

      This field is overwritten when you save changes to the rule’s settings.

      Additional properties are allowed.

    • name string Required

      A human-readable name for the rule.

      Minimum length is 1.

    • namespace string

      Has no effect.

    • note string

      Notes to help investigate alerts produced by the rule.

    • outcome string

      Values are exactMatch, aliasMatch, or conflict.

    • output_index string Deprecated

      (deprecated) Has no effect.

    • references array[string] Required

      Array containing notes about or references to relevant information about the rule. Defaults to an empty array.

    • related_integrations array[object] Required

      Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.

      NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.

      Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:

      • package: name of the package (required, unique id)
      • version: version of the package (required, semver-compatible)
      • integration: name of the integration of this package (optional, id within the package)

      There are Fleet packages like windows that contain only one integration; in this case, integration should be unspecified. There are also packages like aws and azure that contain several integrations; in this case, integration should be specified.

      Hide related_integrations attributes Show related_integrations attributes object
      • integration string(nonempty)

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • package string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • version string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • required_fields array[object] Required

      Elasticsearch fields and their types that need to be present for the rule to function.

      The value of required_fields does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use required_fields as an informational property to document the fields that the rule expects to be present in the data.

      Input parameters to create a RequiredField. Does not include the ecs field, because ecs is calculated on the backend based on the field name and type.

      Hide required_fields attributes Show required_fields attributes object
      • name string(nonempty) Required

        Name of an Elasticsearch field

        Minimum length is 1.

      • type string(nonempty) Required

        Type of the Elasticsearch field

        Minimum length is 1.

    • response_actions array[object]
      One of:
      Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object
      Hide attributes Show attributes
      • action_type_id string Required

        Value is .osquery.

      • params object Required
        Hide params attributes Show params attributes object
        • ecs_mapping object

          Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

          Hide ecs_mapping attribute Show ecs_mapping attribute object
        • pack_id string

          To specify a query pack, use the packId field. Example: "packId": "processes_elastic"

        • queries array[object]
          Hide queries attributes Show queries attributes object
        • query string

          To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"

        • saved_query_id string

          To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"

        • timeout number

          A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.

    • risk_score integer Required

      A numerical representation of the alert's severity from 0 to 100, where:

      • 0 - 21 represents low severity
      • 22 - 47 represents medium severity
      • 48 - 73 represents high severity
      • 74 - 100 represents critical severity

      Minimum value is 0, maximum value is 100.

    • risk_score_mapping array[object] Required

      Overrides generated alerts' risk_score with a value from the source event

      Hide risk_score_mapping attributes Show risk_score_mapping attributes object
      • field string Required

        Source event field used to override the default risk_score.

      • operator string Required

        Value is equals.

      • risk_score integer

        A numerical representation of the alert's severity from 0 to 100, where:

        • 0 - 21 represents low severity
        • 22 - 47 represents medium severity
        • 48 - 73 represents high severity
        • 74 - 100 represents critical severity

        Minimum value is 0, maximum value is 100.

      • value string Required
    • rule_name_override string

      Sets which field in the source event is used to populate the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.

    • setup string Required

      Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.

    • severity string Required

      Severity level of alerts produced by the rule, which must be one of the following:

      • low: Alerts that are of interest but generally not considered to be security incidents
      • medium: Alerts that require investigation
      • high: Alerts that require immediate investigation
      • critical: Alerts that indicate it is highly likely a security incident has occurred

      Values are low, medium, high, or critical.

    • severity_mapping array[object] Required

      Overrides generated alerts' severity with values from the source event

      Hide severity_mapping attributes Show severity_mapping attributes object
      • field string Required

        Source event field used to override the default severity.

      • operator string Required

        Value is equals.

      • severity string Required

        Severity level of alerts produced by the rule, which must be one of the following:

        • low: Alerts that are of interest but generally not considered to be security incidents
        • medium: Alerts that require investigation
        • high: Alerts that require immediate investigation
        • critical: Alerts that indicate it is highly likely a security incident has occurred

        Values are low, medium, high, or critical.

      • value string Required
    • tags array[string] Required

      String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

    • threat array[object] Required


      Currently, only threats described using the MITRE ATT&CK™ framework are supported.

      Hide threat attributes Show threat attributes object
      • framework string Required

        Relevant attack framework

      • tactic object Required

        Object containing information on the attack type

        Hide tactic attributes Show tactic attributes object
        • id string Required

          Tactic ID

        • name string Required

          Tactic name

        • reference string Required

          Tactic reference

      • technique array[object]

        Array containing information on the attack techniques (optional)

        Hide technique attributes Show technique attributes object
        • id string Required

          Technique ID

        • name string Required

          Technique name

        • reference string Required

          Technique reference

        • subtechnique array[object]

          Array containing more specific information on the attack technique.

          Hide subtechnique attributes Show subtechnique attributes object
          • id string Required

            Subtechnique ID

          • name string Required

            Subtechnique name

          • reference string Required

            Subtechnique reference

    • throttle string | null

      Defines how often rule actions are taken.

      One of:
      string-1 string | null string-2 string | null

      Values are no_actions or rule.

    • timeline_id string

      Timeline template ID

    • timeline_title string

      Timeline template title

    • timestamp_override string

      Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.

    • timestamp_override_fallback_disabled boolean

      Disables the fallback to the event's @timestamp field

    • to string Required
    • version integer Required

      The rule's version number.

      • For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding security_detection_engine Fleet package that is used for distributing prebuilt rules).
      • For custom rules it is set to 1 when the rule is created.

      It is not incremented on each update. Compare this to the revision field.

      Minimum value is 1.

    • created_at string(date-time) Required
    • created_by string Required
    • execution_summary object

      Summary of the last execution of a rule.

      This field is under development and its usage or schema may change

      Hide execution_summary attribute Show execution_summary attribute object
      • last_execution object Required
        Hide last_execution attributes Show last_execution attributes object
        • date string(date-time) Required

          Date of the last execution

        • message string Required
        • metrics object Required
          Hide metrics attributes Show metrics attributes object
          • execution_gap_duration_s integer

            Duration in seconds of execution gap

            Minimum value is 0.

          • gap_range object

            Range of the execution gap

            Hide gap_range attributes Show gap_range attributes object
            • gte string Required

              Start date of the execution gap

            • lte string Required

              End date of the execution gap

          • total_enrichment_duration_ms integer

            Total time spent enriching documents during current rule execution cycle

            Minimum value is 0.

          • total_indexing_duration_ms integer

            Total time spent indexing documents during current rule execution cycle

            Minimum value is 0.

          • total_search_duration_ms integer

            Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

            Minimum value is 0.

        • status string Required

          Status of the last execution

          Values are going to run, running, partial failure, failed, or succeeded.

        • status_order integer Required
    • id string(uuid) Required

      A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object ids.

    • immutable boolean Required Deprecated

      This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

    • revision integer Required

      The rule's revision number.

      It represents the version of rule's object in Kibana. It is set to 0 when the rule is installed or created and then gets incremented on each update.

      Not all updates to any rule fields will increment the revision. Only those fields that are considered static rule parameters can trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by 1. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments.

      Minimum value is 0.

    • rule_id string Required

      A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same rule_ids.

    • rule_source object Required

      Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.

      One of:
      Security_Detections_API_ExternalRuleSource object Security_Detections_API_InternalRuleSource object

      Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.

      Hide attributes Show attributes
      • is_customized boolean Required

        Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

      • type string Required Discriminator

        Value is external.

    • updated_at string(date-time) Required
    • updated_by string Required
    • language string Required

      Query language to use

      Value is eql.

    • query string Required

      Query used by the rule to create alerts.

      • For indicator match rules, only the query’s results are used to determine whether an alert is generated.
      • ES|QL rules have additional query requirements. Refer to Create ES|QL rules for more information.
    • type string Required

      Rule type

      Value is eql.

    • alert_suppression object

      Defines alert suppression configuration.

      Hide alert_suppression attributes Show alert_suppression attributes object
      • duration object
        Hide duration attributes Show duration attributes object
        • unit string Required

          Time unit

          Values are s, m, or h.

        • value integer Required

          Minimum value is 1.

      • group_by array[string] Required

        At least 1 but not more than 3 elements.

      • missing_fields_strategy string

        Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

        Values are doNotSuppress or suppress.

    • data_view_id string
    • event_category_override string
    • filters array

      The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.

      This field is not supported for ES|QL rules.

    • index array[string]

      Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → securitySolution:defaultIndex).

      This field is not supported for ES|QL rules.

    • tiebreaker_field string

      Sets a secondary field for sorting events

    • timestamp_field string

      Specifies the name of the event timestamp field used for sorting a sequence of events. Not to be confused with timestamp_override, which specifies the more general field used for querying events within a range. Defaults to the @timestamp ECS field.
  • 400 application/json

    Invalid input data response

    One of:
    Security_Detections_API_PlatformErrorResponse object Security_Detections_API_SiemErrorResponse object
    Hide attributes Show attributes
  • 401 application/json

    Unsuccessful authentication response

    Hide response attributes Show response attributes object
  • 500 application/json

    Internal server error response

    Hide response attributes Show response attributes object
POST /api/detection_engine/rules/_bulk_delete 
curl \
 --request POST 'https://localhost:5601/api/detection_engine/rules/_bulk_delete' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '[{"rule_id":"process_started_by_ms_office_program_possible_payload"},{"id":"51658332-a15e-4c9e-912a-67214e2e2359"}]'
Request example 
[
  {
    "rule_id": "process_started_by_ms_office_program_possible_payload"
  },
  {
    "id": "51658332-a15e-4c9e-912a-67214e2e2359"
  }
]

Delete multiple detection rules Deprecated

DELETE /api/detection_engine/rules/_bulk_delete
Api key auth Basic auth

Delete detection rules in bulk.

This API is deprecated and will be removed in Kibana v9.0.

application/json

Body Required

A JSON array of id or rule_id fields of the rules you want to delete.

  • id string(uuid)

    A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object ids.

  • rule_id string

    A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same rule_ids.

Responses

  • 200 application/json

    Indicates a successful call.

    One of:
    Security_Detections_API_EqlRuleResponseFields object Security_Detections_API_QueryRuleResponseFields object Security_Detections_API_SavedQueryRuleResponseFields object Security_Detections_API_ThresholdRuleResponseFields object Security_Detections_API_ThreatMatchRuleResponseFields object Security_Detections_API_MachineLearningRuleResponseFields object Security_Detections_API_NewTermsRuleResponseFields object Security_Detections_API_EsqlRuleResponseFields object Security_Detections_API_ErrorSchema object
    Hide attributes Show attributes
    • actions array[object] Required

      Array defining the automated actions (notifications) taken when alerts are generated.

      Hide actions attributes Show actions attributes object
      • action_type_id string Required

        The action type used for sending notifications, can be:

        • .slack
        • .slack_api
        • .email
        • .index
        • .pagerduty
        • .swimlane
        • .webhook
        • .servicenow
        • .servicenow-itom
        • .servicenow-sir
        • .jira
        • .resilient
        • .opsgenie
        • .teams
        • .torq
        • .tines
        • .d3security
      • alerts_filter object

        Object containing an action’s conditional filters.

        • timeframe (object, optional): Object containing the time frame for when this action can be run.
          • days (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between 1-7, where 1 is Monday and 7 is Sunday. To select all days of the week, enter an empty array.
          • hours (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format hh:mm in 24 hour time. A start of 00:00 and an end of 24:00 means the action can run all day.
            • start (string, required): Start time in hh:mm format.
            • end (string, required): End time in hh:mm format.
          • timezone (string, required): An ISO timezone name, such as Europe/Madrid or America/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.
        • query (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.
          • kql (string, required): A KQL string.
          • filters (array of objects, required): Array of filter objects, as defined in the kbn-es-query package.

        Additional properties are allowed.

      • frequency object

        The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

        Hide frequency attributes Show frequency attributes object
        • notifyWhen string Required

          Defines how often rules run actions.

          Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

        • summary boolean Required

          Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

        • throttle string | null Required

          Defines how often rule actions are taken.

          One of:
          string-1 string | null string-2 string | null

          Values are no_actions or rule.

      • group string

        Optionally groups actions by use cases. Use default for alert notifications.

      • id string Required

        The connector ID.

      • params object Required

        Object containing the allowed connector fields, which varies according to the connector type.

        For Slack:

        • message (string, required): The notification message.

        For email:

        • to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.
        • subject (string, optional): Email subject line.
        • message (string, required): Email body text.

        For Webhook:

        • body (string, required): JSON payload.

        For PagerDuty:

        • severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.
        • eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.
        • dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.
        • timestamp (DateTime, optional): ISO-8601 format timestamp.
        • component (string, optional): Source machine component responsible for the event, for example security-solution.
        • group (string, optional): Enables logical grouping of service components.
        • source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.
        • summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.
        • class (string, optional): Value indicating the class/type of the event.

        Additional properties are allowed.

      • uuid string(nonempty)

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • alias_purpose string

      Values are savedObjectConversion or savedObjectImport.

    • alias_target_id string
    • author array[string] Required

      The rule’s author.

    • building_block_type string

      Determines if the rule acts as a building block. If yes, the value must be default. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to About building block rules.

    • description string Required

      The rule’s description.

      Minimum length is 1.

    • enabled boolean Required

      Determines whether the rule is enabled. Defaults to true.

    • exceptions_list array[object] Required

      Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.

      Hide exceptions_list attributes Show exceptions_list attributes object
      • id string(nonempty) Required

        ID of the exception container

        Minimum length is 1.

      • list_id string(nonempty) Required

        List ID of the exception container

        Minimum length is 1.

      • namespace_type string Required

        Determines the exceptions validity in rule's Kibana space

        Values are agnostic or single.

      • type string Required

        The exception type

        Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

    • false_positives array[string] Required

      String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.

    • from string(date-math) Required

      Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

    • interval string Required

      Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

    • investigation_fields object

      Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.

      Hide investigation_fields attribute Show investigation_fields attribute object
      • field_names array[string(nonempty)] Required

        A string that does not contain only whitespace characters

        At least 1 element. Minimum length of each is 1.

    • license string

      The rule's license.

    • max_signals integer Required

      Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run advanced setting value).

      This setting can be superseded by the Kibana configuration setting xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, if xpack.alerting.rules.run.alerts.max is set to 1000, the rule can generate no more than 1000 alerts even if max_signals is set higher.

      Minimum value is 1. Default value is 100.

    • meta object

      Placeholder for metadata about the rule.

      This field is overwritten when you save changes to the rule’s settings.

      Additional properties are allowed.

    • name string Required

      A human-readable name for the rule.

      Minimum length is 1.

    • namespace string

      Has no effect.

    • note string

      Notes to help investigate alerts produced by the rule.

    • outcome string

      Values are exactMatch, aliasMatch, or conflict.

    • output_index string Deprecated

      (deprecated) Has no effect.

    • references array[string] Required

      Array containing notes about or references to relevant information about the rule. Defaults to an empty array.

    • related_integrations array[object] Required

      Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.

      NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.

      Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:

      • package: name of the package (required, unique id)
      • version: version of the package (required, semver-compatible)
      • integration: name of the integration of this package (optional, id within the package)

      There are Fleet packages like windows that contain only one integration; in this case, integration should be unspecified. There are also packages like aws and azure that contain several integrations; in this case, integration should be specified.

      Hide related_integrations attributes Show related_integrations attributes object
      • integration string(nonempty)

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • package string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • version string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • required_fields array[object] Required

      Elasticsearch fields and their types that need to be present for the rule to function.

      The value of required_fields does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use required_fields as an informational property to document the fields that the rule expects to be present in the data.

      Input parameters to create a RequiredField. Does not include the ecs field, because ecs is calculated on the backend based on the field name and type.

      Hide required_fields attributes Show required_fields attributes object
      • name string(nonempty) Required

        Name of an Elasticsearch field

        Minimum length is 1.

      • type string(nonempty) Required

        Type of the Elasticsearch field

        Minimum length is 1.

    • response_actions array[object]
      One of:
      Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object
      Hide attributes Show attributes
      • action_type_id string Required

        Value is .osquery.

      • params object Required
        Hide params attributes Show params attributes object
        • ecs_mapping object

          Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

          Hide ecs_mapping attribute Show ecs_mapping attribute object
        • pack_id string

          To specify a query pack, use the packId field. Example: "packId": "processes_elastic"

        • queries array[object]
          Hide queries attributes Show queries attributes object
        • query string

          To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"

        • saved_query_id string

          To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"

        • timeout number

          A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.

    • risk_score integer Required

      A numerical representation of the alert's severity from 0 to 100, where:

      • 0 - 21 represents low severity
      • 22 - 47 represents medium severity
      • 48 - 73 represents high severity
      • 74 - 100 represents critical severity

      Minimum value is 0, maximum value is 100.

    • risk_score_mapping array[object] Required

      Overrides generated alerts' risk_score with a value from the source event

      Hide risk_score_mapping attributes Show risk_score_mapping attributes object
      • field string Required

        Source event field used to override the default risk_score.

      • operator string Required

        Value is equals.

      • risk_score integer

        A numerical representation of the alert's severity from 0 to 100, where:

        • 0 - 21 represents low severity
        • 22 - 47 represents medium severity
        • 48 - 73 represents high severity
        • 74 - 100 represents critical severity

        Minimum value is 0, maximum value is 100.

      • value string Required
    • rule_name_override string

      Sets which field in the source event is used to populate the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.

    • setup string Required

      Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.

    • severity string Required

      Severity level of alerts produced by the rule, which must be one of the following:

      • low: Alerts that are of interest but generally not considered to be security incidents
      • medium: Alerts that require investigation
      • high: Alerts that require immediate investigation
      • critical: Alerts that indicate it is highly likely a security incident has occurred

      Values are low, medium, high, or critical.

    • severity_mapping array[object] Required

      Overrides generated alerts' severity with values from the source event

      Hide severity_mapping attributes Show severity_mapping attributes object
      • field string Required

        Source event field used to override the default severity.

      • operator string Required

        Value is equals.

      • severity string Required

        Severity level of alerts produced by the rule, which must be one of the following:

        • low: Alerts that are of interest but generally not considered to be security incidents
        • medium: Alerts that require investigation
        • high: Alerts that require immediate investigation
        • critical: Alerts that indicate it is highly likely a security incident has occurred

        Values are low, medium, high, or critical.

      • value string Required
    • tags array[string] Required

      String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

    • threat array[object] Required


      Currently, only threats described using the MITRE ATT&CK™ framework are supported.

      Hide threat attributes Show threat attributes object
      • framework string Required

        Relevant attack framework

      • tactic object Required

        Object containing information on the attack type

        Hide tactic attributes Show tactic attributes object
        • id string Required

          Tactic ID

        • name string Required

          Tactic name

        • reference string Required

          Tactic reference

      • technique array[object]

        Array containing information on the attack techniques (optional)

        Hide technique attributes Show technique attributes object
        • id string Required

          Technique ID

        • name string Required

          Technique name

        • reference string Required

          Technique reference

        • subtechnique array[object]

          Array containing more specific information on the attack technique.

          Hide subtechnique attributes Show subtechnique attributes object
          • id string Required

            Subtechnique ID

          • name string Required

            Subtechnique name

          • reference string Required

            Subtechnique reference

    • throttle string | null

      Defines how often rule actions are taken.

      One of:
      string-1 string | null string-2 string | null

      Values are no_actions or rule.

    • timeline_id string

      Timeline template ID

    • timeline_title string

      Timeline template title

    • timestamp_override string

      Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.

    • timestamp_override_fallback_disabled boolean

      Disables the fallback to the event's @timestamp field

    • to string Required
    • version integer Required

      The rule's version number.

      • For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding security_detection_engine Fleet package that is used for distributing prebuilt rules).
      • For custom rules it is set to 1 when the rule is created.

      It is not incremented on each update. Compare this to the revision field.

      Minimum value is 1.

    • created_at string(date-time) Required
    • created_by string Required
    • execution_summary object

      Summary of the last execution of a rule.

      This field is under development and its usage or schema may change

      Hide execution_summary attribute Show execution_summary attribute object
      • last_execution object Required
        Hide last_execution attributes Show last_execution attributes object
        • date string(date-time) Required

          Date of the last execution

        • message string Required
        • metrics object Required
          Hide metrics attributes Show metrics attributes object
          • execution_gap_duration_s integer

            Duration in seconds of execution gap

            Minimum value is 0.

          • gap_range object

            Range of the execution gap

            Hide gap_range attributes Show gap_range attributes object
            • gte string Required

              Start date of the execution gap

            • lte string Required

              End date of the execution gap

          • total_enrichment_duration_ms integer

            Total time spent enriching documents during current rule execution cycle

            Minimum value is 0.

          • total_indexing_duration_ms integer

            Total time spent indexing documents during current rule execution cycle

            Minimum value is 0.

          • total_search_duration_ms integer

            Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

            Minimum value is 0.

        • status string Required

          Status of the last execution

          Values are going to run, running, partial failure, failed, or succeeded.

        • status_order integer Required
    • id string(uuid) Required

      A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object ids.

    • immutable boolean Required Deprecated

      This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

    • revision integer Required

      The rule's revision number.

      It represents the version of rule's object in Kibana. It is set to 0 when the rule is installed or created and then gets incremented on each update.

      Not all updates to any rule fields will increment the revision. Only those fields that are considered static rule parameters can trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by 1. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments.

      Minimum value is 0.

    • rule_id string Required

      A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same rule_ids.

    • rule_source object Required

      Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.

      One of:
      Security_Detections_API_ExternalRuleSource object Security_Detections_API_InternalRuleSource object

      Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.

      Hide attributes Show attributes
      • is_customized boolean Required

        Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

      • type string Required Discriminator

        Value is external.

    • updated_at string(date-time) Required
    • updated_by string Required
    • language string Required

      Query language to use

      Value is eql.

    • query string Required

      Query used by the rule to create alerts.

      • For indicator match rules, only the query’s results are used to determine whether an alert is generated.
      • ES|QL rules have additional query requirements. Refer to Create ES|QL rules for more information.
    • type string Required

      Rule type

      Value is eql.

    • alert_suppression object

      Defines alert suppression configuration.

      Hide alert_suppression attributes Show alert_suppression attributes object
      • duration object
        Hide duration attributes Show duration attributes object
        • unit string Required

          Time unit

          Values are s, m, or h.

        • value integer Required

          Minimum value is 1.

      • group_by array[string] Required

        At least 1 but not more than 3 elements.

      • missing_fields_strategy string

        Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

        Values are doNotSuppress or suppress.

    • data_view_id string
    • event_category_override string
    • filters array

      The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.

      This field is not supported for ES|QL rules.

    • index array[string]

      Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → securitySolution:defaultIndex).

      This field is not supported for ES|QL rules.

    • tiebreaker_field string

      Sets a secondary field for sorting events

    • timestamp_field string

      Specifies the name of the event timestamp field used for sorting a sequence of events. Not to be confused with timestamp_override, which specifies the more general field used for querying events within a range. Defaults to the @timestamp ECS field.
  • 400 application/json

    Invalid input data response

    One of:
    Security_Detections_API_PlatformErrorResponse object Security_Detections_API_SiemErrorResponse object
    Hide attributes Show attributes
  • 401 application/json

    Unsuccessful authentication response

    Hide response attributes Show response attributes object
  • 500 application/json

    Internal server error response

    Hide response attributes Show response attributes object
DELETE /api/detection_engine/rules/_bulk_delete 
curl \
 --request DELETE 'https://localhost:5601/api/detection_engine/rules/_bulk_delete' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '[{"rule_id":"process_started_by_ms_office_program_possible_payload"},{"id":"51658332-a15e-4c9e-912a-67214e2e2359"}]'
Request example 
[
  {
    "rule_id": "process_started_by_ms_office_program_possible_payload"
  },
  {
    "id": "51658332-a15e-4c9e-912a-67214e2e2359"
  }
]

Patch multiple detection rules Deprecated

PATCH /api/detection_engine/rules/_bulk_update
Api key auth Basic auth

Update specific fields of existing detection rules using the rule_id or id field.

This API is deprecated and will be removed in Kibana v9.0.


When used with API key authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running.

If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change.

application/json

Body object Required

A JSON array of rules, where each rule contains the required fields.

Any of:
Security_Detections_API_EqlRulePatchFields object Security_Detections_API_QueryRulePatchFields object Security_Detections_API_SavedQueryRulePatchFields object Security_Detections_API_ThresholdRulePatchFields object Security_Detections_API_ThreatMatchRulePatchFields object Security_Detections_API_MachineLearningRulePatchFields object Security_Detections_API_NewTermsRulePatchFields object Security_Detections_API_EsqlRulePatchProps object
  • actions array[object]

    Array defining the automated actions (notifications) taken when alerts are generated.

    Hide actions attributes Show actions attributes object
    • action_type_id string Required

      The action type used for sending notifications, can be:

      • .slack
      • .slack_api
      • .email
      • .index
      • .pagerduty
      • .swimlane
      • .webhook
      • .servicenow
      • .servicenow-itom
      • .servicenow-sir
      • .jira
      • .resilient
      • .opsgenie
      • .teams
      • .torq
      • .tines
      • .d3security
    • alerts_filter object

      Object containing an action’s conditional filters.

      • timeframe (object, optional): Object containing the time frame for when this action can be run.
        • days (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between 1-7, where 1 is Monday and 7 is Sunday. To select all days of the week, enter an empty array.
        • hours (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format hh:mm in 24 hour time. A start of 00:00 and an end of 24:00 means the action can run all day.
          • start (string, required): Start time in hh:mm format.
          • end (string, required): End time in hh:mm format.
        • timezone (string, required): An ISO timezone name, such as Europe/Madrid or America/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.
      • query (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.
        • kql (string, required): A KQL string.
        • filters (array of objects, required): Array of filter objects, as defined in the kbn-es-query package.

      Additional properties are allowed.

    • frequency object

      The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

      Hide frequency attributes Show frequency attributes object
      • notifyWhen string Required

        Defines how often rules run actions.

        Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

      • summary boolean Required

        Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

      • throttle string | null Required

        Defines how often rule actions are taken.

        One of:
        string-1 string | null string-2 string | null

        Values are no_actions or rule.

    • group string

      Optionally groups actions by use cases. Use default for alert notifications.

    • id string Required

      The connector ID.

    • params object Required

      Object containing the allowed connector fields, which varies according to the connector type.

      For Slack:

      • message (string, required): The notification message.

      For email:

      • to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.
      • subject (string, optional): Email subject line.
      • message (string, required): Email body text.

      For Webhook:

      • body (string, required): JSON payload.

      For PagerDuty:

      • severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.
      • eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.
      • dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.
      • timestamp (DateTime, optional): ISO-8601 format timestamp.
      • component (string, optional): Source machine component responsible for the event, for example security-solution.
      • group (string, optional): Enables logical grouping of service components.
      • source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.
      • summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.
      • class (string, optional): Value indicating the class/type of the event.

      Additional properties are allowed.

    • uuid string(nonempty)

      A string that does not contain only whitespace characters

      Minimum length is 1.

  • alias_purpose string

    Values are savedObjectConversion or savedObjectImport.

  • alias_target_id string
  • author array[string]

    The rule’s author.

  • building_block_type string

    Determines if the rule acts as a building block. If yes, the value must be default. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to About building block rules.

  • description string

    The rule’s description.

    Minimum length is 1.

  • enabled boolean

    Determines whether the rule is enabled. Defaults to true.

  • exceptions_list array[object]

    Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.

    Hide exceptions_list attributes Show exceptions_list attributes object
    • id string(nonempty) Required

      ID of the exception container

      Minimum length is 1.

    • list_id string(nonempty) Required

      List ID of the exception container

      Minimum length is 1.

    • namespace_type string Required

      Determines the exceptions validity in rule's Kibana space

      Values are agnostic or single.

    • type string Required

      The exception type

      Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

  • false_positives array[string]

    String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.

  • from string(date-math)

    Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

  • id string(uuid)

    A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object ids.

  • interval string

    Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

  • investigation_fields object

    Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.

    Hide investigation_fields attribute Show investigation_fields attribute object
    • field_names array[string(nonempty)] Required

      A string that does not contain only whitespace characters

      At least 1 element. Minimum length of each is 1.

  • license string

    The rule's license.

  • max_signals integer

    Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run advanced setting value).

    This setting can be superseded by the Kibana configuration setting xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, if xpack.alerting.rules.run.alerts.max is set to 1000, the rule can generate no more than 1000 alerts even if max_signals is set higher.

    Minimum value is 1. Default value is 100.

  • meta object

    Placeholder for metadata about the rule.

    This field is overwritten when you save changes to the rule’s settings.

    Additional properties are allowed.

  • name string

    A human-readable name for the rule.

    Minimum length is 1.

  • namespace string

    Has no effect.

  • note string

    Notes to help investigate alerts produced by the rule.

  • outcome string

    Values are exactMatch, aliasMatch, or conflict.

  • output_index string Deprecated

    (deprecated) Has no effect.

  • references array[string]

    Array containing notes about or references to relevant information about the rule. Defaults to an empty array.

  • related_integrations array[object]

    Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.

    NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.

    Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:

    • package: name of the package (required, unique id)
    • version: version of the package (required, semver-compatible)
    • integration: name of the integration of this package (optional, id within the package)

    There are Fleet packages like windows that contain only one integration; in this case, integration should be unspecified. There are also packages like aws and azure that contain several integrations; in this case, integration should be specified.

    Hide related_integrations attributes Show related_integrations attributes object
    • integration string(nonempty)

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • package string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • version string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

  • required_fields array[object]

    Elasticsearch fields and their types that need to be present for the rule to function.

    The value of required_fields does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use required_fields as an informational property to document the fields that the rule expects to be present in the data.

    Input parameters to create a RequiredField. Does not include the ecs field, because ecs is calculated on the backend based on the field name and type.

    Hide required_fields attributes Show required_fields attributes object
    • name string(nonempty) Required

      Name of an Elasticsearch field

      Minimum length is 1.

    • type string(nonempty) Required

      Type of the Elasticsearch field

      Minimum length is 1.

  • response_actions array[object]
    One of:
    Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object
    Hide attributes Show attributes
    • action_type_id string Required

      Value is .osquery.

    • params object Required
      Hide params attributes Show params attributes object
      • ecs_mapping object

        Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

        Hide ecs_mapping attribute Show ecs_mapping attribute object
      • pack_id string

        To specify a query pack, use the packId field. Example: "packId": "processes_elastic"

      • queries array[object]
        Hide queries attributes Show queries attributes object
      • query string

        To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"

      • saved_query_id string

        To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"

      • timeout number

        A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.

  • risk_score integer

    A numerical representation of the alert's severity from 0 to 100, where:

    • 0 - 21 represents low severity
    • 22 - 47 represents medium severity
    • 48 - 73 represents high severity
    • 74 - 100 represents critical severity

    Minimum value is 0, maximum value is 100.

  • risk_score_mapping array[object]

    Overrides generated alerts' risk_score with a value from the source event

    Hide risk_score_mapping attributes Show risk_score_mapping attributes object
    • field string Required

      Source event field used to override the default risk_score.

    • operator string Required

      Value is equals.

    • risk_score integer

      A numerical representation of the alert's severity from 0 to 100, where:

      • 0 - 21 represents low severity
      • 22 - 47 represents medium severity
      • 48 - 73 represents high severity
      • 74 - 100 represents critical severity

      Minimum value is 0, maximum value is 100.

    • value string Required
  • rule_id string

    A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same rule_ids.

  • rule_name_override string

    Sets which field in the source event is used to populate the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.

  • setup string

    Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.

  • severity string

    Severity level of alerts produced by the rule, which must be one of the following:

    • low: Alerts that are of interest but generally not considered to be security incidents
    • medium: Alerts that require investigation
    • high: Alerts that require immediate investigation
    • critical: Alerts that indicate it is highly likely a security incident has occurred

    Values are low, medium, high, or critical.

  • severity_mapping array[object]

    Overrides generated alerts' severity with values from the source event

    Hide severity_mapping attributes Show severity_mapping attributes object
    • field string Required

      Source event field used to override the default severity.

    • operator string Required

      Value is equals.

    • severity string Required

      Severity level of alerts produced by the rule, which must be one of the following:

      • low: Alerts that are of interest but generally not considered to be security incidents
      • medium: Alerts that require investigation
      • high: Alerts that require immediate investigation
      • critical: Alerts that indicate it is highly likely a security incident has occurred

      Values are low, medium, high, or critical.

    • value string Required
  • tags array[string]

    String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

  • threat array[object]


    Currently, only threats described using the MITRE ATT&CK™ framework are supported.

    Hide threat attributes Show threat attributes object
    • framework string Required

      Relevant attack framework

    • tactic object Required

      Object containing information on the attack type

      Hide tactic attributes Show tactic attributes object
      • id string Required

        Tactic ID

      • name string Required

        Tactic name

      • reference string Required

        Tactic reference

    • technique array[object]

      Array containing information on the attack techniques (optional)

      Hide technique attributes Show technique attributes object
      • id string Required

        Technique ID

      • name string Required

        Technique name

      • reference string Required

        Technique reference

      • subtechnique array[object]

        Array containing more specific information on the attack technique.

        Hide subtechnique attributes Show subtechnique attributes object
        • id string Required

          Subtechnique ID

        • name string Required

          Subtechnique name

        • reference string Required

          Subtechnique reference

  • throttle string | null

    Defines how often rule actions are taken.

    One of:
    string-1 string | null string-2 string | null

    Values are no_actions or rule.

  • timeline_id string

    Timeline template ID

  • timeline_title string

    Timeline template title

  • timestamp_override string

    Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.

  • timestamp_override_fallback_disabled boolean

    Disables the fallback to the event's @timestamp field

  • to string
  • version integer

    The rule's version number.

    • For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding security_detection_engine Fleet package that is used for distributing prebuilt rules).
    • For custom rules it is set to 1 when the rule is created.

    It is not incremented on each update. Compare this to the revision field.

    Minimum value is 1.

  • language string

    Query language to use

    Value is eql.

  • query string

    Query used by the rule to create alerts.

    • For indicator match rules, only the query’s results are used to determine whether an alert is generated.
    • ES|QL rules have additional query requirements. Refer to Create ES|QL rules for more information.
  • type string

    Rule type

    Value is eql.

  • alert_suppression object

    Defines alert suppression configuration.

    Hide alert_suppression attributes Show alert_suppression attributes object
    • duration object
      Hide duration attributes Show duration attributes object
      • unit string Required

        Time unit

        Values are s, m, or h.

      • value integer Required

        Minimum value is 1.

    • group_by array[string] Required

      At least 1 but not more than 3 elements.

    • missing_fields_strategy string

      Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

      Values are doNotSuppress or suppress.

  • data_view_id string
  • event_category_override string
  • filters array

    The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.

    This field is not supported for ES|QL rules.

  • index array[string]

    Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → securitySolution:defaultIndex).

    This field is not supported for ES|QL rules.

  • tiebreaker_field string

    Sets a secondary field for sorting events

  • timestamp_field string

    Specifies the name of the event timestamp field used for sorting a sequence of events. Not to be confused with timestamp_override, which specifies the more general field used for querying events within a range. Defaults to the @timestamp ECS field.

Responses

  • 200 application/json

    Indicates a successful call.

    One of:
    Security_Detections_API_EqlRuleResponseFields object Security_Detections_API_QueryRuleResponseFields object Security_Detections_API_SavedQueryRuleResponseFields object Security_Detections_API_ThresholdRuleResponseFields object Security_Detections_API_ThreatMatchRuleResponseFields object Security_Detections_API_MachineLearningRuleResponseFields object Security_Detections_API_NewTermsRuleResponseFields object Security_Detections_API_EsqlRuleResponseFields object Security_Detections_API_ErrorSchema object
    Hide attributes Show attributes
    • actions array[object] Required

      Array defining the automated actions (notifications) taken when alerts are generated.

      Hide actions attributes Show actions attributes object
      • action_type_id string Required

        The action type used for sending notifications, can be:

        • .slack
        • .slack_api
        • .email
        • .index
        • .pagerduty
        • .swimlane
        • .webhook
        • .servicenow
        • .servicenow-itom
        • .servicenow-sir
        • .jira
        • .resilient
        • .opsgenie
        • .teams
        • .torq
        • .tines
        • .d3security
      • alerts_filter object

        Object containing an action’s conditional filters.

        • timeframe (object, optional): Object containing the time frame for when this action can be run.
          • days (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between 1-7, where 1 is Monday and 7 is Sunday. To select all days of the week, enter an empty array.
          • hours (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format hh:mm in 24 hour time. A start of 00:00 and an end of 24:00 means the action can run all day.
            • start (string, required): Start time in hh:mm format.
            • end (string, required): End time in hh:mm format.
          • timezone (string, required): An ISO timezone name, such as Europe/Madrid or America/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.
        • query (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.
          • kql (string, required): A KQL string.
          • filters (array of objects, required): Array of filter objects, as defined in the kbn-es-query package.

        Additional properties are allowed.

      • frequency object

        The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

        Hide frequency attributes Show frequency attributes object
        • notifyWhen string Required

          Defines how often rules run actions.

          Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

        • summary boolean Required

          Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

        • throttle string | null Required

          Defines how often rule actions are taken.

          One of:
          string-1 string | null string-2 string | null

          Values are no_actions or rule.

      • group string

        Optionally groups actions by use cases. Use default for alert notifications.

      • id string Required

        The connector ID.

      • params object Required

        Object containing the allowed connector fields, which varies according to the connector type.

        For Slack:

        • message (string, required): The notification message.

        For email:

        • to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.
        • subject (string, optional): Email subject line.
        • message (string, required): Email body text.

        For Webhook:

        • body (string, required): JSON payload.

        For PagerDuty:

        • severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.
        • eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.
        • dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.
        • timestamp (DateTime, optional): ISO-8601 format timestamp.
        • component (string, optional): Source machine component responsible for the event, for example security-solution.
        • group (string, optional): Enables logical grouping of service components.
        • source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.
        • summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.
        • class (string, optional): Value indicating the class/type of the event.

        Additional properties are allowed.

      • uuid string(nonempty)

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • alias_purpose string

      Values are savedObjectConversion or savedObjectImport.

    • alias_target_id string
    • author array[string] Required

      The rule’s author.

    • building_block_type string

      Determines if the rule acts as a building block. If yes, the value must be default. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to About building block rules.

    • description string Required

      The rule’s description.

      Minimum length is 1.

    • enabled boolean Required

      Determines whether the rule is enabled. Defaults to true.

    • exceptions_list array[object] Required

      Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.

      Hide exceptions_list attributes Show exceptions_list attributes object
      • id string(nonempty) Required

        ID of the exception container

        Minimum length is 1.

      • list_id string(nonempty) Required

        List ID of the exception container

        Minimum length is 1.

      • namespace_type string Required

        Determines the exceptions validity in rule's Kibana space

        Values are agnostic or single.

      • type string Required

        The exception type

        Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

    • false_positives array[string] Required

      String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.

    • from string(date-math) Required

      Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

    • interval string Required

      Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

    • investigation_fields object

      Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.

      Hide investigation_fields attribute Show investigation_fields attribute object
      • field_names array[string(nonempty)] Required

        A string that does not contain only whitespace characters

        At least 1 element. Minimum length of each is 1.

    • license string

      The rule's license.

    • max_signals integer Required

      Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run advanced setting value).

      This setting can be superseded by the Kibana configuration setting xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, if xpack.alerting.rules.run.alerts.max is set to 1000, the rule can generate no more than 1000 alerts even if max_signals is set higher.

      Minimum value is 1. Default value is 100.

    • meta object

      Placeholder for metadata about the rule.

      This field is overwritten when you save changes to the rule’s settings.

      Additional properties are allowed.

    • name string Required

      A human-readable name for the rule.

      Minimum length is 1.

    • namespace string

      Has no effect.

    • note string

      Notes to help investigate alerts produced by the rule.

    • outcome string

      Values are exactMatch, aliasMatch, or conflict.

    • output_index string Deprecated

      (deprecated) Has no effect.

    • references array[string] Required

      Array containing notes about or references to relevant information about the rule. Defaults to an empty array.

    • related_integrations array[object] Required

      Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.

      NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.

      Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:

      • package: name of the package (required, unique id)
      • version: version of the package (required, semver-compatible)
      • integration: name of the integration of this package (optional, id within the package)

      There are Fleet packages like windows that contain only one integration; in this case, integration should be unspecified. There are also packages like aws and azure that contain several integrations; in this case, integration should be specified.

      Hide related_integrations attributes Show related_integrations attributes object
      • integration string(nonempty)

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • package string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • version string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • required_fields array[object] Required

      Elasticsearch fields and their types that need to be present for the rule to function.

      The value of required_fields does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use required_fields as an informational property to document the fields that the rule expects to be present in the data.

      Input parameters to create a RequiredField. Does not include the ecs field, because ecs is calculated on the backend based on the field name and type.

      Hide required_fields attributes Show required_fields attributes object
      • name string(nonempty) Required

        Name of an Elasticsearch field

        Minimum length is 1.

      • type string(nonempty) Required

        Type of the Elasticsearch field

        Minimum length is 1.

    • response_actions array[object]
      One of:
      Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object
      Hide attributes Show attributes
      • action_type_id string Required

        Value is .osquery.

      • params object Required
        Hide params attributes Show params attributes object
        • ecs_mapping object

          Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

          Hide ecs_mapping attribute Show ecs_mapping attribute object
        • pack_id string

          To specify a query pack, use the packId field. Example: "packId": "processes_elastic"

        • queries array[object]
          Hide queries attributes Show queries attributes object
        • query string

          To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"

        • saved_query_id string

          To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"

        • timeout number

          A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.

    • risk_score integer Required

      A numerical representation of the alert's severity from 0 to 100, where:

      • 0 - 21 represents low severity
      • 22 - 47 represents medium severity
      • 48 - 73 represents high severity
      • 74 - 100 represents critical severity

      Minimum value is 0, maximum value is 100.

    • risk_score_mapping array[object] Required

      Overrides generated alerts' risk_score with a value from the source event

      Hide risk_score_mapping attributes Show risk_score_mapping attributes object
      • field string Required

        Source event field used to override the default risk_score.

      • operator string Required

        Value is equals.

      • risk_score integer

        A numerical representation of the alert's severity from 0 to 100, where:

        • 0 - 21 represents low severity
        • 22 - 47 represents medium severity
        • 48 - 73 represents high severity
        • 74 - 100 represents critical severity

        Minimum value is 0, maximum value is 100.

      • value string Required
    • rule_name_override string

      Sets which field in the source event is used to populate the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.

    • setup string Required

      Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.

    • severity string Required

      Severity level of alerts produced by the rule, which must be one of the following:

      • low: Alerts that are of interest but generally not considered to be security incidents
      • medium: Alerts that require investigation
      • high: Alerts that require immediate investigation
      • critical: Alerts that indicate it is highly likely a security incident has occurred

      Values are low, medium, high, or critical.

    • severity_mapping array[object] Required

      Overrides generated alerts' severity with values from the source event

      Hide severity_mapping attributes Show severity_mapping attributes object
      • field string Required

        Source event field used to override the default severity.

      • operator string Required

        Value is equals.

      • severity string Required

        Severity level of alerts produced by the rule, which must be one of the following:

        • low: Alerts that are of interest but generally not considered to be security incidents
        • medium: Alerts that require investigation
        • high: Alerts that require immediate investigation
        • critical: Alerts that indicate it is highly likely a security incident has occurred

        Values are low, medium, high, or critical.

      • value string Required
    • tags array[string] Required

      String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

    • threat array[object] Required


      Currently, only threats described using the MITRE ATT&CK™ framework are supported.

      Hide threat attributes Show threat attributes object
      • framework string Required

        Relevant attack framework

      • tactic object Required

        Object containing information on the attack type

        Hide tactic attributes Show tactic attributes object
        • id string Required

          Tactic ID

        • name string Required

          Tactic name

        • reference string Required

          Tactic reference

      • technique array[object]

        Array containing information on the attack techniques (optional)

        Hide technique attributes Show technique attributes object
        • id string Required

          Technique ID

        • name string Required

          Technique name

        • reference string Required

          Technique reference

        • subtechnique array[object]

          Array containing more specific information on the attack technique.

          Hide subtechnique attributes Show subtechnique attributes object
          • id string Required

            Subtechnique ID

          • name string Required

            Subtechnique name

          • reference string Required

            Subtechnique reference

    • throttle string | null

      Defines how often rule actions are taken.

      One of:
      string-1 string | null string-2 string | null

      Values are no_actions or rule.

    • timeline_id string

      Timeline template ID

    • timeline_title string

      Timeline template title

    • timestamp_override string

      Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.

    • timestamp_override_fallback_disabled boolean

      Disables the fallback to the event's @timestamp field

    • to string Required
    • version integer Required

      The rule's version number.

      • For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding security_detection_engine Fleet package that is used for distributing prebuilt rules).
      • For custom rules it is set to 1 when the rule is created.

      It is not incremented on each update. Compare this to the revision field.

      Minimum value is 1.

    • created_at string(date-time) Required
    • created_by string Required
    • execution_summary object

      Summary of the last execution of a rule.

      This field is under development and its usage or schema may change

      Hide execution_summary attribute Show execution_summary attribute object
      • last_execution object Required
        Hide last_execution attributes Show last_execution attributes object
        • date string(date-time) Required

          Date of the last execution

        • message string Required
        • metrics object Required
          Hide metrics attributes Show metrics attributes object
          • execution_gap_duration_s integer

            Duration in seconds of execution gap

            Minimum value is 0.

          • gap_range object

            Range of the execution gap

            Hide gap_range attributes Show gap_range attributes object
            • gte string Required

              Start date of the execution gap

            • lte string Required

              End date of the execution gap

          • total_enrichment_duration_ms integer

            Total time spent enriching documents during current rule execution cycle

            Minimum value is 0.

          • total_indexing_duration_ms integer

            Total time spent indexing documents during current rule execution cycle

            Minimum value is 0.

          • total_search_duration_ms integer

            Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

            Minimum value is 0.

        • status string Required

          Status of the last execution

          Values are going to run, running, partial failure, failed, or succeeded.

        • status_order integer Required
    • id string(uuid) Required

      A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object ids.

    • immutable boolean Required Deprecated

      This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

    • revision integer Required

      The rule's revision number.

      It represents the version of rule's object in Kibana. It is set to 0 when the rule is installed or created and then gets incremented on each update.

      Not all updates to any rule fields will increment the revision. Only those fields that are considered static rule parameters can trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by 1. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments.

      Minimum value is 0.

    • rule_id string Required

      A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same rule_ids.

    • rule_source object Required

      Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.

      One of:
      Security_Detections_API_ExternalRuleSource object Security_Detections_API_InternalRuleSource object

      Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.

      Hide attributes Show attributes
      • is_customized boolean Required

        Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

      • type string Required Discriminator

        Value is external.

    • updated_at string(date-time) Required
    • updated_by string Required
    • language string Required

      Query language to use

      Value is eql.

    • query string Required

      Query used by the rule to create alerts.

      • For indicator match rules, only the query’s results are used to determine whether an alert is generated.
      • ES|QL rules have additional query requirements. Refer to Create ES|QL rules for more information.
    • type string Required

      Rule type

      Value is eql.

    • alert_suppression object

      Defines alert suppression configuration.

      Hide alert_suppression attributes Show alert_suppression attributes object
      • duration object
        Hide duration attributes Show duration attributes object
        • unit string Required

          Time unit

          Values are s, m, or h.

        • value integer Required

          Minimum value is 1.

      • group_by array[string] Required

        At least 1 but not more than 3 elements.

      • missing_fields_strategy string

        Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

        Values are doNotSuppress or suppress.

    • data_view_id string
    • event_category_override string
    • filters array

      The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.

      This field is not supported for ES|QL rules.

    • index array[string]

      Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → securitySolution:defaultIndex).

      This field is not supported for ES|QL rules.

    • tiebreaker_field string

      Sets a secondary field for sorting events

    • timestamp_field string

      Specifies the name of the event timestamp field used for sorting a sequence of events. Not to be confused with timestamp_override, which specifies the more general field used for querying events within a range. Defaults to the @timestamp ECS field.
PATCH /api/detection_engine/rules/_bulk_update 
curl \
 --request PATCH 'https://localhost:5601/api/detection_engine/rules/_bulk_update' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '[{"threat":[{"id":"TA0001","name":"Initial Access","tactic":null,"framework":"MITRE ATT\u0026CK","reference":"https://attack.mitre.org/tactics/TA0001","technique":[{"id":"T1193","name":"Spearphishing Attachment","reference":"https://attack.mitre.org/techniques/T1193"}]}],"rule_id":"process_started_by_ms_office_program_possible_payload"},{"id":"56b22b65-173e-4a5b-b27a-82599cb1433e","name":"New name"}]'
Request example 
[
  {
    "threat": [
      {
        "id": "TA0001",
        "name": "Initial Access",
        "tactic": null,
        "framework": "MITRE ATT&CK",
        "reference": "https://attack.mitre.org/tactics/TA0001",
        "technique": [
          {
            "id": "T1193",
            "name": "Spearphishing Attachment",
            "reference": "https://attack.mitre.org/techniques/T1193"
          }
        ]
      }
    ],
    "rule_id": "process_started_by_ms_office_program_possible_payload"
  },
  {
    "id": "56b22b65-173e-4a5b-b27a-82599cb1433e",
    "name": "New name"
  }
]

Find and/or aggregate detection alerts

POST /api/detection_engine/signals/search
Api key auth Basic auth

Find and/or aggregate detection alerts that match the given query.

application/json

Body Required

Search and/or aggregation query

Responses

POST /api/detection_engine/signals/search 
curl \
 --request POST 'https://localhost:5601/api/detection_engine/signals/search' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"aggs":{"missingFields":{"missing":{"field":"host.name"}},"alertsByGrouping":{"terms":{"size":10,"field":"host.name"}}},"size":0,"query":{"bool":{"filter":[{"bool":{"must":[],"filter":[{"match_phrase":{"kibana.alert.workflow_status":"open"}}],"should":[],"must_not":[{"exists":{"field":"kibana.alert.building_block_type"}}]}},{"range":{"@timestamp":{"gte":"2025-01-17T08:00:00.000Z","lte":"2025-01-18T07:59:59.999Z"}}}]}},"runtime_mappings":{}}'
Request example 
{
  "aggs": {
    "missingFields": {
      "missing": {
        "field": "host.name"
      }
    },
    "alertsByGrouping": {
      "terms": {
        "size": 10,
        "field": "host.name"
      }
    }
  },
  "size": 0,
  "query": {
    "bool": {
      "filter": [
        {
          "bool": {
            "must": [],
            "filter": [
              {
                "match_phrase": {
                  "kibana.alert.workflow_status": "open"
                }
              }
            ],
            "should": [],
            "must_not": [
              {
                "exists": {
                  "field": "kibana.alert.building_block_type"
                }
              }
            ]
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": "2025-01-17T08:00:00.000Z",
              "lte": "2025-01-18T07:59:59.999Z"
            }
          }
        }
      ]
    }
  },
  "runtime_mappings": {}
}
Response examples (200) 
{
  "hits": {
    "hits": [],
    "total": {
      "value": 5,
      "relation": "eq"
    },
    "max_score": null
  },
  "took": 0,
  "_shards": {
    "total": 1,
    "failed": 0,
    "skipped": 0,
    "successful": 1
  },
  "timed_out": false,
  "aggregations": {
    "missingFields": {
      "doc_count": 0
    },
    "alertsByGrouping": {
      "buckets": [
        {
          "key": "Host-f43kkddfyc",
          "doc_count": 5
        }
      ],
      "sum_other_doc_count": 0,
      "doc_count_error_upper_bound": 0
    }
  }
}

Add and remove detection alert tags

POST /api/detection_engine/signals/tags
Api key auth Basic auth

And tags to detection alerts, and remove them from alerts.

You cannot add and remove the same alert tag in the same request.

application/json

Body Required

An object containing tags to add or remove and alert ids the changes will be applied

  • ids array[string(nonempty)] Required

    A list of alerts ids.

    At least 1 element. Minimum length of each is 1.

  • tags object Required

    Object with list of tags to add and remove.

    Hide tags attributes Show tags attributes object
    • tags_to_add array[string(nonempty)] Required

      List of keywords to organize related alerts into categories that you can filter and group.

      Minimum length of each is 1.

    • tags_to_remove array[string(nonempty)] Required

      List of keywords to organize related alerts into categories that you can filter and group.

      Minimum length of each is 1.

Responses

POST /api/detection_engine/signals/tags 
curl \
 --request POST 'https://localhost:5601/api/detection_engine/signals/tags' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"ids":["549c7129c76cbd554aba1bd638f8a49dde95088f5832e50218358e7eca1cf16e"],"tags":{"tags_to_add":["Duplicate"],"tags_to_remove":[]}}'
Request examples 
{
  "ids": [
    "549c7129c76cbd554aba1bd638f8a49dde95088f5832e50218358e7eca1cf16e"
  ],
  "tags": {
    "tags_to_add": [
      "Duplicate"
    ],
    "tags_to_remove": []
  }
}
{
  "ids": [
    "549c7129c76cbd554aba1bd638f8a49dde95088f5832e50218358e7eca1cf16e"
  ],
  "tags": {
    "tags_to_add": [],
    "tags_to_remove": [
      "Duplicate"
    ]
  }
}
Response examples (200) 
{
  "took": "68,",
  "noops": "0,",
  "total": "1,",
  "batches": "1,",
  "deleted": "0,",
  "retries": {
    "bulk": "0,",
    "search": 0
  },
  "updated": "1,",
  "failures": [],
  "timed_out": "false,",
  "throttled_millis": "0,",
  "version_conflicts": "0,",
  "requests_per_second": "-1,",
  "throttled_until_millis": "0,"
}

Terminate a process

POST /api/endpoint/action/kill_process
Api key auth Basic auth

Terminate a running process on an endpoint.

application/json

Body Required

  • agent_type string

    List of agent types to retrieve. Defaults to endpoint.

    Values are endpoint, sentinel_one, crowdstrike, or microsoft_defender_endpoint.

  • alert_ids array[string(nonempty)]

    A list of alerts ids.

    At least 1 element. Minimum length of each is 1.

  • case_ids array[string]

    Case IDs to be updated (cannot contain empty strings)

    At least 1 element. Minimum length of each is 1.

  • comment string

    Optional comment

  • endpoint_ids array[string] Required

    List of endpoint IDs (cannot contain empty strings)

    At least 1 element. Minimum length of each is 1.

  • parameters object Required

    One of:
    object-1 object object-2 object object-3 object
    Hide attribute Show attribute
    • pid integer

      The process ID (PID) of the process to terminate.

      Minimum value is 1.

  • parameters object

    Optional parameters object

Responses

  • 200 application/json

    OK
POST /api/endpoint/action/kill_process 
curl \
 --request POST 'https://localhost:5601/api/endpoint/action/kill_process' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"comment":"terminate the process","parameters":{"entity_id":"abc123"},"endpoint_ids":["ed518850-681a-4d60-bb98-e22640cae2a8"]}'
Request example 
{
  "comment": "terminate the process",
  "parameters": {
    "entity_id": "abc123"
  },
  "endpoint_ids": [
    "ed518850-681a-4d60-bb98-e22640cae2a8"
  ]
}
Response examples (200) 
{
  "data": {
    "id": "233db9ea-6733-4849-9226-5a7039c7161d",
    "agents": [
      "ed518850-681a-4d60-bb98-e22640cae2a8"
    ],
    "errors": [],
    "command": "kill-process",
    "comment": "terminate the process",
    "outputs": {
      "ed518850-681a-4d60-bb98-e22640cae2a8": {
        "type": "json",
        "content": {
          "key": "value"
        }
      }
    },
    "agentType": "endpoint",
    "createdBy": "myuser",
    "isExpired": false,
    "startedAt": "2022-07-29T19:08:49.126Z",
    "parameters": {
      "entity_id": "abc123"
    },
    "completedAt": "2022-07-29T19:09:44.961Z",
    "isCompleted": true,
    "wasSuccessful": true
  }
}

Security lists

Lists can be used with detection rule exceptions to define values that prevent a rule from generating alerts.

Lists are made up of:

  • List containers: A container for values of the same Elasticsearch data type. The following data types can be used:
    • boolean
    • byte
    • date
    • date_nanos
    • date_range
    • double
    • double_range
    • float
    • float_range
    • half_float
    • integer
    • integer_range
    • ip
    • ip_range
    • keyword
    • long
    • long_range
    • short
    • text
  • List items: The values used to determine whether the exception prevents an alert from being generated.

All list items in the same list container must be of the same data type, and each item defines a single value. For example, an IP list container named internal-ip-addresses-southport contains five items, where each item defines one internal IP address:

  1. 192.168.1.1
  2. 192.168.1.3
  3. 192.168.1.18
  4. 192.168.1.12
  5. 192.168.1.7

To use these IP addresses as values for defining rule exceptions, use the Security exceptions API to create an exception list item that references the internal-ip-addresses-southport list.

Lists cannot be added directly to rules, nor do they define the operators used to determine when exceptions are applied (is in list, is not in list). Use an exception item to define the operator and associate it with an exception container. You can then add the exception container to a rule's exceptions_list object.

Lists requirements

Before you can start using lists, you must create the .lists and .items data streams for the relevant Kibana space. To do this, use the Create list data streams endpoint. Once these data streams are created, your role needs privileges to manage rules. Refer to Enable and access detections for a complete list of requirements.