Api key auth (http_api_key)
These APIs use key-based authentication. You must create an API key and use the encoded value in the request header. For example: Authorization: ApiKey base64AccessApiKey
Kibana APIs
1.0.2
Base URL
https://localhost:5601The Kibana REST APIs enable you to manage resources such as connectors, data views, and saved objects. The API calls are stateless. Each request that you make happens in isolation from other calls and must include all of the necessary information for Kibana to fulfill the request. API requests return JSON output, which is a format that is machine-readable and works well for automation.
To interact with Kibana APIs, use the following operations:
- GET: Fetches the information.
- PATCH: Applies partial modifications to the existing information.
- POST: Adds new information.
- PUT: Updates the existing information.
- DELETE: Removes the information.
You can prepend any Kibana API endpoint with kbn: and run the request in Dev Tools → Console.
For example:
GET kbn:/api/data_views
For more information about the console, refer to Run API requests.
NOTE: Access to internal Kibana API endpoints will be restricted in Kibana version 9.0. Please move any integrations to publicly documented APIs.
Documentation source and versions
This documentation is derived from the 8.18 branch of the kibana repository.
It is provided under license Attribution-NonCommercial-NoDerivatives 4.0 International.
This is version 1.0.2 of this API documentation.
Last update on May 9, 2025.
Authentication
The API accepts 2 different authentication methods:
Basic auth (http)
Basic auth tokens are constructed with the Basic keyword, followed by a space, followed by a base64-encoded string of your username:password
(separated by a : colon).
Example: send a Authorization: Basic aGVsbG86aGVsbG8=
HTTP header with your requests to authenticate with the API.
Path parameters
-
id
string Required The identifier for the rule.
DELETE
/api/alerting/rule/{id}
curl \
--request DELETE 'https://localhost:5601/api/alerting/rule/{id}' \
--header "Authorization: $API_KEY" \
--header "kbn-xsrf: true"Path parameters
-
id
string Required The identifier for the rule.
POST
/api/alerting/rule/{id}/_mute_all
curl \
--request POST 'https://localhost:5601/api/alerting/rule/{id}/_mute_all' \
--header "Authorization: $API_KEY" \
--header "kbn-xsrf: true"Path parameters
-
id
string Required The identifier for the rule.
POST
/api/alerting/rule/{id}/_unmute_all
curl \
--request POST 'https://localhost:5601/api/alerting/rule/{id}/_unmute_all' \
--header "Authorization: $API_KEY" \
--header "kbn-xsrf: true"
Update an alert
Deprecated
Deprecated in 7.13.0. Use the update rule API instead.
Path parameters
-
alertId
string Required The identifier for the alert.
Body
Required
-
actions
array[object] -
name
string Required A name to reference and search.
-
notifyWhen
string Required The condition for throttling the notification.
Values are
onActionGroupChange,onActiveAlert, oronThrottleInterval. -
params
object Required The parameters to pass to the alert type executor
paramsvalue. This will also validate against the alert type params validator, if defined. -
schedule
object Required The schedule specifying when this alert should be run. A schedule is structured such that the key specifies the format you wish to use and its value specifies the schedule.
-
throttle
string How often this alert should fire the same actions. This will prevent the alert from sending out the same notification over and over. For example, if an alert with a schedule of 1 minute stays in a triggered state for 90 minutes, setting a throttle of
10mor1hwill prevent it from sending 90 notifications during this period.
PUT
/api/alerts/alert/{alertId}
curl \
--request PUT 'https://localhost:5601/api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: string" \
--data '{"actions":[{"actionTypeId":"string","group":"string","id":"string","params":{}}],"name":"string","notifyWhen":"onActionGroupChange","params":{},"schedule":{"interval":"1d"},"tags":["string"],"throttle":"string"}'
Disable an alert
Deprecated
Deprecated in 7.13.0. Use the disable rule API instead.
Path parameters
-
alertId
string Required The identifier for the alert.
POST
/api/alerts/alert/{alertId}/_disable
curl \
--request POST 'https://localhost:5601/api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35/_disable' \
--header "Authorization: $API_KEY" \
--header "kbn-xsrf: string"
Mute an alert instance
Deprecated
Deprecated in 7.13.0. Use the mute alert API instead.
Path parameters
-
alertId
string Required An identifier for the alert.
-
alertInstanceId
string Required An identifier for the alert instance.
POST
/api/alerts/alert/{alertId}/alert_instance/{alertInstanceId}/_mute
curl \
--request POST 'https://localhost:5601/api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35/alert_instance/dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2/_mute' \
--header "Authorization: $API_KEY" \
--header "kbn-xsrf: string"
Unmute an alert instance
Deprecated
Deprecated in 7.13.0. Use the unmute alert API instead.
Path parameters
-
alertId
string Required An identifier for the alert.
-
alertInstanceId
string Required An identifier for the alert instance.
POST
/api/alerts/alert/{alertId}/alert_instance/{alertInstanceId}/_unmute
curl \
--request POST 'https://localhost:5601/api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35/alert_instance/dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2/_unmute' \
--header "Authorization: $API_KEY" \
--header "kbn-xsrf: string"
Get the alerting framework health
Deprecated
Deprecated in 7.13.0. Use the get alerting framework health API instead.
GET
/api/alerts/alerts/_health
curl \
--request GET 'https://localhost:5601/api/alerts/alerts/_health' \
--header "Authorization: $API_KEY"APM agent configuration
Adjust APM agent configuration without need to redeploy your application.
Headers
-
elastic-api-version
string Required The version of the API to use
Value is
2023-10-31. Default value is2023-10-31. -
kbn-xsrf
string Required A required header to protect against CSRF attacks
Body
Required
-
bundle_filepath
string Required The absolute path of the final bundle as used in the web application.
-
service_name
string Required The name of the service that the service map should apply to.
-
service_version
string Required The version of the service that the service map should apply to.
-
sourcemap
string(binary) Required The source map. String or file upload. It must follow the source map revision 3 proposal.
POST
/api/apm/sourcemaps
curl \
--request POST 'https://localhost:5601/api/apm/sourcemaps' \
--header "Authorization: $API_KEY" \
--header "Content-Type: multipart/form-data" \
--header "elastic-api-version: 2023-10-31" \
--header "kbn-xsrf: true" \
--form "bundle_filepath=string" \
--form "service_name=string" \
--form "service_version=string" \
--form "sourcemap=@file"Create a case
You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're creating.
Body
Required
-
assignees
array[object] | null An array containing users that are assigned to the case.
Not more than
10elements. -
category
string A word or phrase that categorizes the case.
Maximum length is
50. connector
object Required One of: Cases_connector_properties_noneobject Cases_connector_properties_cases_webhookobject Cases_connector_properties_jiraobject Cases_connector_properties_resilientobject Cases_connector_properties_servicenowobject Cases_connector_properties_servicenow_sirobject Cases_connector_properties_swimlaneobject Defines properties for connectors when type is
.none.-
customFields
array[object] Custom field values for a case. Any optional custom fields that are not specified in the request are set to null.
At least
0but not more than10elements. -
description
string Required The description for the case.
Maximum length is
30000. -
owner
string Required The application that owns the cases: Stack Management, Observability, or Elastic Security.
Values are
cases,observability, orsecuritySolution. -
settings
object Required An object that contains the case settings.
-
severity
string The severity of the case.
Values are
critical,high,low, ormedium. Default value islow. -
title
string Required A title for the case.
Maximum length is
160.
POST
/api/cases
curl \
--request POST 'https://localhost:5601/api/cases' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: string" \
--data '{"tags":["tag-1"],"owner":"cases","title":"Case title 1","settings":{"syncAlerts":true},"connector":{"id":"131d4448-abe0-4789-939d-8ef60680b498","name":"My connector","type":".jira","fields":{"parent":null,"priority":"High","issueType":"10006"}},"description":"A case description.","customFields":[{"key":"d312efda-ec2b-42ec-9e2c-84981795c581","type":"text","value":"My field value"}]}'
Request example
{
"tags": [
"tag-1"
],
"owner": "cases",
"title": "Case title 1",
"settings": {
"syncAlerts": true
},
"connector": {
"id": "131d4448-abe0-4789-939d-8ef60680b498",
"name": "My connector",
"type": ".jira",
"fields": {
"parent": null,
"priority": "High",
"issueType": "10006"
}
},
"description": "A case description.",
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "My field value"
}
]
}
Response examples (200)
{
"id": "66b9aa00-94fa-11ea-9f74-e7e108796192",
"tags": [
"tag 1"
],
"owner": "cases",
"title": "Case title 1",
"status": "open",
"version": "WzUzMiwxXQ==",
"comments": [],
"duration": null,
"settings": {
"syncAlerts": true
},
"severity": "low",
"assignees": [],
"closed_at": null,
"closed_by": null,
"connector": {
"id": "131d4448-abe0-4789-939d-8ef60680b498",
"name": "My connector",
"type": ".jira",
"fields": {
"parent": null,
"priority": "High",
"issueType": "10006"
}
},
"created_at": "2022-10-13T15:33:50.604Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": null,
"updated_by": null,
"description": "A case description.",
"totalAlerts": 0,
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "My field value"
},
{
"key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
"type": "toggle",
"value": null
}
],
"totalComment": 0,
"external_service": null
}Delete cases
You must have read or all privileges and the delete sub-feature privilege for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're deleting.
Query parameters
-
ids
array[string] Required The cases that you want to removed. All non-ASCII characters must be URL encoded.
DELETE
/api/cases
curl \
--request DELETE 'https://localhost:5601/api/cases?ids=d4e7abb0-b462-11ec-9a8d-698504725a43' \
--header "Authorization: $API_KEY" \
--header "kbn-xsrf: string"Update cases
You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're updating.
PATCH
/api/cases
curl \
--request PATCH 'https://localhost:5601/api/cases' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: string" \
--data '{"cases":[{"id":"a18b38a0-71b0-11ea-a0b2-c51ea50a58e2","tags":["tag-1"],"version":"WzIzLDFd","settings":{"syncAlerts":true},"connector":{"id":"131d4448-abe0-4789-939d-8ef60680b498","name":"My connector","type":".jira","fields":{"parent":null,"priority":null,"issueType":"10006"}},"description":"A case description.","customFields":[{"key":"fcc6840d-eb14-42df-8aaf-232201a705ec","type":"toggle","value":false},{"key":"d312efda-ec2b-42ec-9e2c-84981795c581","type":"text","value":"My new field value"}]}]}'
Request example
{
"cases": [
{
"id": "a18b38a0-71b0-11ea-a0b2-c51ea50a58e2",
"tags": [
"tag-1"
],
"version": "WzIzLDFd",
"settings": {
"syncAlerts": true
},
"connector": {
"id": "131d4448-abe0-4789-939d-8ef60680b498",
"name": "My connector",
"type": ".jira",
"fields": {
"parent": null,
"priority": null,
"issueType": "10006"
}
},
"description": "A case description.",
"customFields": [
{
"key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
"type": "toggle",
"value": false
},
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "My new field value"
}
]
}
]
}
Response examples (200)
[
{
"id": "66b9aa00-94fa-11ea-9f74-e7e108796192",
"tags": [
"tag-1"
],
"owner": "cases",
"title": "Case title 1",
"status": "open",
"version": "WzU0OCwxXQ==",
"category": null,
"comments": [],
"duration": null,
"settings": {
"syncAlerts": true
},
"severity": "low",
"assignees": [],
"closed_at": null,
"closed_by": null,
"connector": {
"id": "131d4448-abe0-4789-939d-8ef60680b498",
"name": "My connector",
"type": ".jira",
"fields": {
"parent": null,
"priority": null,
"issueType": "10006"
}
},
"created_at": "2023-10-13T09:16:17.416Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": "2023-10-13T09:48:33.043Z",
"updated_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"description": "A case description.",
"totalAlerts": 0,
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "My new field value"
},
{
"key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
"type": "toggle",
"value": false
}
],
"totalComment": 0,
"external_service": {
"pushed_at": "2023-10-13T09:20:40.672Z",
"pushed_by": {
"email": null,
"username": "elastic",
"full_name": null
},
"external_id": "10003",
"connector_id": "05da469f-1fde-4058-99a3-91e4807e2de8",
"external_url": "https://hms.atlassian.net/browse/IS-4",
"connector_name": "Jira",
"external_title": "IS-4"
}
}
]Search cases
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.
Query parameters
-
assignees
string | array[string] Filters the returned cases by assignees. Valid values are
noneor unique identifiers for the user profiles. These identifiers can be found by using the suggest user profile API. -
category
string | array[string] Filters the returned cases by category.
-
defaultSearchOperator
string he default operator to use for the simple_query_string.
Default value is
OR. -
from
string Returns only cases that were created after a specific date. The date must be specified as a KQL data range or date match expression.
-
owner
string | array[string] A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read.
-
page
integer The page number to return.
Default value is
1. -
perPage
integer The number of items to return. Limited to 100 items.
Maximum value is
100. Default value is20. -
reporters
string | array[string] Filters the returned cases by the user name of the reporter.
-
search
string An Elasticsearch simple_query_string query that filters the objects in the response.
-
searchFields
string | array[string] The fields to perform the simple_query_string parsed query against.
-
severity
string The severity of the case.
Values are
critical,high,low, ormedium. -
sortField
string Determines which field is used to sort the results.
Values are
createdAt,updatedAt,closedAt,title,category,status, orseverity. Default value iscreatedAt. -
sortOrder
string Determines the sort order.
Values are
ascordesc. Default value isdesc. -
status
string Filters the returned cases by state.
Values are
closed,in-progress, oropen. -
to
string Returns only cases that were created before a specific date. The date must be specified as a KQL data range or date match expression.
GET
/api/cases/_find
curl \
--request GET 'https://localhost:5601/api/cases/_find' \
--header "Authorization: $API_KEY"
Response examples (200)
{
"page": 1,
"cases": [
{
"id": "abed3a70-71bd-11ea-a0b2-c51ea50a58e2",
"tags": [
"tag-1"
],
"owner": "cases",
"title": "Case title",
"status": "open",
"version": "WzExMCwxXQ==",
"category": null,
"comments": [],
"duration": null,
"settings": {
"syncAlerts": true
},
"severity": "low",
"assignees": [],
"closed_at": null,
"closed_by": null,
"connector": {
"id": "none",
"name": "none",
"type": ".none",
"fields": null
},
"created_at": "2023-10-12T00:16:36.371Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": "2023-10-12T00:27:58.162Z",
"updated_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"description": "Case description",
"totalAlerts": 0,
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "My field value"
},
{
"key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
"type": "toggle",
"value": null
}
],
"totalComment": 1,
"external_service": null
}
],
"total": 1,
"per_page": 5,
"count_open_cases": 1,
"count_closed_cases": 0,
"count_in_progress_cases": 0
}Get case information
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're seeking.
Path parameters
-
caseId
string Required The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.
Query parameters
-
includeComments
boolean Deprecated Deprecated in 8.1.0. This parameter is deprecated and will be removed in a future release. It determines whether case comments are returned.
Default value is
true.
GET
/api/cases/{caseId}
curl \
--request GET 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414' \
--header "Authorization: $API_KEY"
Response examples (200)
Retrieves information about a case including its comments.
{
"id": "31cdada0-02c1-11ed-85f2-4f7c222ca2fa",
"tags": [
"tag 1"
],
"owner": "cases",
"title": "Case title 1",
"status": "open",
"version": "WzM2LDFd",
"category": null,
"comments": [
{
"id": "2134c1d0-02c2-11ed-85f2-4f7c222ca2fa",
"type": "user",
"owner": "cases",
"comment": "A new comment",
"version": "WzM3LDFd",
"pushed_at": null,
"pushed_by": null,
"created_at": "2023-10-13T15:40:32.335Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": null,
"updated_by": null
}
],
"duration": null,
"settings": {
"syncAlerts": true
},
"severity": "low",
"assignees": [
{
"uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
}
],
"closed_at": null,
"closed_by": null,
"connector": {
"id": "none",
"name": "none",
"type": ".none",
"fields": null
},
"created_at": "2023-10-13T15:33:50.604Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": "2023-10-13T15:40:32.335Z",
"updated_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"description": "A case description",
"totalAlerts": 0,
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "My field value"
},
{
"key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
"type": "toggle",
"value": null
}
],
"totalComment": 1,
"external_service": null
}{
"id": "c3ff7550-def1-4e90-b6bc-c9969a4a09b1",
"tags": [
"observability",
"tag 1"
],
"owner": "observability",
"title": "Observability case title 1",
"status": "in-progress",
"version": "WzI0NywyXQ==",
"category": null,
"comments": [
{
"id": "59d438d0-79a9-4864-8d4b-e63adacebf6e",
"rule": {
"id": "03e4eb87-62ca-4e5d-9570-3d7625e9669d",
"name": "Observability rule"
},
"type": "alert",
"index": [
".internal.alerts-observability.logs.alerts-default-000001"
],
"owner": "observability",
"alertId": [
"a6e12ac4-7bce-457b-84f6-d7ce8deb8446"
],
"version": "WzY3LDJd",
"pushed_at": null,
"pushed_by": null,
"created_at": "2023-11-06T19:29:38.424Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": null,
"updated_by": null
},
{
"id": "d99342d3-3aa3-4b80-90ec-a702607604f5",
"type": "user",
"owner": "observability",
"comment": "The first comment.",
"version": "WzcyLDJd",
"pushed_at": null,
"pushed_by": null,
"created_at": "2023-11-06T19:29:57.812Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": null,
"updated_by": null
}
],
"duration": null,
"settings": {
"syncAlerts": false
},
"severity": "low",
"assignees": [
{
"uid": "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
}
],
"closed_at": null,
"closed_by": null,
"connector": {
"id": "none",
"name": "none",
"type": ".none",
"fields": null
},
"created_at": "2023-11-06T19:29:04.086Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null
},
"updated_at": "2023-11-06T19:47:55.662Z",
"updated_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"description": "An Observability case description.",
"totalAlerts": 1,
"customFields": [],
"totalComment": 1,
"external_service": null
}Delete all case comments and alerts
Deletes all comments and alerts from a case. You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're deleting.
Path parameters
-
caseId
string Required The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.
DELETE
/api/cases/{caseId}/comments
curl \
--request DELETE 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments' \
--header "Authorization: $API_KEY" \
--header "kbn-xsrf: string"Update a case comment or alert
You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're updating. NOTE: You cannot change the comment type or the owner of a comment.
Path parameters
-
caseId
string Required The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.
Body
object
Required
The update case comment API request body varies depending on whether you are updating an alert or a comment.
Defines properties for case comment requests when type is alert.
alertId
string | array[string] Required The alert identifiers. It is required only when
typeisalert. You can use an array of strings to add multiple alerts to a case, provided that they all relate to the same rule;indexmust also be an array with the same length or number of elements. Adding multiple alerts in this manner is recommended rather than calling the API multiple times. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.-
id
string Required The identifier for the comment. To retrieve comment IDs, use the get comments API.
index
string | array[string] Required The alert indices. It is required only when
typeisalert. If you are adding multiple alerts to a case, use an array of strings; the position of each index name in the array must match the position of the corresponding alert identifier in thealertIdarray. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.-
owner
string Required The application that owns the cases: Stack Management, Observability, or Elastic Security.
Values are
cases,observability, orsecuritySolution. -
rule
object Required Technical preview The rule that is associated with the alerts. It is required only when
typeisalert. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. -
type
string Required Discriminator The type of comment.
Value is
alert. -
version
string Required The current comment version. To retrieve version values, use the get comments API.
PATCH
/api/cases/{caseId}/comments
curl \
--request PATCH 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: string" \
--data '{"id":"8af6ac20-74f6-11ea-b83a-553aecdb28b6","type":"user","owner":"cases","comment":"An updated comment.","version":"Wzk1LDFd"}'
Request example
{
"id": "8af6ac20-74f6-11ea-b83a-553aecdb28b6",
"type": "user",
"owner": "cases",
"comment": "An updated comment.",
"version": "Wzk1LDFd"
}
Response examples (200)
{
"id": "293f1bc0-74f6-11ea-b83a-553aecdb28b6",
"tags": [
"tag 1"
],
"owner": "cases",
"title": "Case title 1",
"status": "open",
"version": "WzIwNjM2LDFd",
"category": null,
"comments": [
{
"id": "8af6ac20-74f6-11ea-b83a-553aecdb28b6",
"type": "user",
"owner": "cases",
"comment": "An updated comment.",
"version": "WzIwNjM3LDFd",
"pushed_at": null,
"pushed_by": null,
"created_at": "2023-10-24T00:37:10.832Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": "2023-10-24T01:27:06.210Z",
"updated_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
}
}
],
"duration": null,
"settings": {
"syncAlerts": false
},
"severity": "low",
"assignees": [],
"closed_at": null,
"closed_by": null,
"connector": {
"id": "none",
"name": "none",
"type": ".none",
"fields": null
},
"created_at": "2023-10-24T00:37:03.906Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": "2023-10-24T01:27:06.210Z",
"updated_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"description": "A case description.",
"totalAlerts": 0,
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "My new field value"
},
{
"key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
"type": "toggle",
"value": false
}
],
"totalComment": 1,
"external_service": null
}
Get cases for an alert
Technical preview
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.
Path parameters
-
alertId
string Required An identifier for the alert.
Query parameters
-
owner
string | array[string] A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read.
GET
/api/cases/alerts/{alertId}
curl \
--request GET 'https://localhost:5601/api/cases/alerts/09f0c261e39e36351d75995b78bb83673774d1bc2cca9df2d15f0e5c0a99a540' \
--header "Authorization: $API_KEY"
Response examples (200)
[
{
"id": "06116b80-e1c3-11ec-be9b-9b1838238ee6",
"title": "security_case"
}
]
Get case status summary
Deprecated
Returns the number of cases that are open, closed, and in progress. Deprecated in 8.1.0. This API is deprecated and will be removed in a future release; use the find cases API instead. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.
Query parameters
-
owner
string | array[string] A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read.
GET
/api/cases/status
curl \
--request GET 'https://localhost:5601/api/cases/status' \
--header "Authorization: $API_KEY"
GET
/api/actions
curl \
--request GET 'https://localhost:5601/api/actions' \
--header "Authorization: $API_KEY"Body
-
actionTypeId
string Required The connector type identifier.
-
config
object Default value is
{}(empty). Additional properties are allowed. -
name
string Required The display name for the connector.
-
secrets
object Default value is
{}(empty). Additional properties are allowed.
POST
/api/actions/action
curl \
--request POST 'https://localhost:5601/api/actions/action' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"actionTypeId":"string","config":{},"name":"string","secrets":{}}'Delete a data view
WARNING: When you delete a data view, it cannot be recovered.
Path parameters
-
viewId
string Required An identifier for the data view.
DELETE
/api/data_views/data_view/{viewId}
curl \
--request DELETE 'https://localhost:5601/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f' \
--header "Authorization: $API_KEY" \
--header "kbn-xsrf: string"Get a runtime field
GET
/api/data_views/data_view/{viewId}/runtime_field/{fieldName}
curl \
--request GET 'https://localhost:5601/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f/runtime_field/hour_of_day' \
--header "Authorization: $API_KEY"
Response examples (200)
{
"fields": [
{
"name": "hour_of_day",
"type": "number",
"count": 0,
"esTypes": [
"long"
],
"scripted": false,
"searchable": true,
"aggregatable": true,
"runtimeField": {
"type": "long",
"script": {
"source": "emit(doc['timestamp'].value.getHour());"
}
},
"shortDotsEnable": false,
"readFromDocValues": false
}
],
"data_view": {
"id": "d3d7af60-4c81-11e8-b3d7-01146121b73d",
"name": "Kibana Sample Data Flights",
"title": "kibana_sample_data_flights",
"fields": {
"_id": {
"name": "_id",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"_id"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": false,
"shortDotsEnable": false,
"readFromDocValues": false
},
"Dest": {
"name": "Dest",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"Origin": {
"name": "Origin",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"_index": {
"name": "_index",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"_index"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": false
},
"_score": {
"name": "_score",
"type": "number",
"count": 0,
"format": {
"id": "number"
},
"isMapped": true,
"scripted": false,
"searchable": false,
"aggregatable": false,
"shortDotsEnable": false,
"readFromDocValues": false
},
"Carrier": {
"name": "Carrier",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"_source": {
"name": "_source",
"type": "_source",
"count": 0,
"format": {
"id": "_source"
},
"esTypes": [
"_source"
],
"isMapped": true,
"scripted": false,
"searchable": false,
"aggregatable": false,
"shortDotsEnable": false,
"readFromDocValues": false
},
"Cancelled": {
"name": "Cancelled",
"type": "boolean",
"count": 0,
"format": {
"id": "boolean"
},
"esTypes": [
"boolean"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"FlightNum": {
"name": "FlightNum",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"dayOfWeek": {
"name": "dayOfWeek",
"type": "number",
"count": 0,
"format": {
"id": "number"
},
"esTypes": [
"integer"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"timestamp": {
"name": "timestamp",
"type": "date",
"count": 0,
"format": {
"id": "date"
},
"esTypes": [
"date"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"DestRegion": {
"name": "DestRegion",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"DestCountry": {
"name": "DestCountry",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"DestWeather": {
"name": "DestWeather",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"FlightDelay": {
"name": "FlightDelay",
"type": "boolean",
"count": 0,
"format": {
"id": "boolean"
},
"esTypes": [
"boolean"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"hour_of_day": {
"name": "hour_of_day",
"type": "number",
"count": 0,
"format": {
"id": "number",
"params": {
"pattern": "00"
}
},
"esTypes": [
"long"
],
"scripted": false,
"searchable": true,
"aggregatable": true,
"runtimeField": {
"type": "long",
"script": {
"source": "emit(doc['timestamp'].value.getHour());"
}
},
"shortDotsEnable": false,
"readFromDocValues": false
},
"DestCityName": {
"name": "DestCityName",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"DestLocation": {
"name": "DestLocation",
"type": "geo_point",
"count": 0,
"format": {
"id": "geo_point",
"params": {
"transform": "wkt"
}
},
"esTypes": [
"geo_point"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"OriginRegion": {
"name": "OriginRegion",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"DestAirportID": {
"name": "DestAirportID",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"DistanceMiles": {
"name": "DistanceMiles",
"type": "number",
"count": 0,
"format": {
"id": "number"
},
"esTypes": [
"float"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"FlightTimeMin": {
"name": "FlightTimeMin",
"type": "number",
"count": 0,
"format": {
"id": "number"
},
"esTypes": [
"float"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"OriginCountry": {
"name": "OriginCountry",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"OriginWeather": {
"name": "OriginWeather",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"AvgTicketPrice": {
"name": "AvgTicketPrice",
"type": "number",
"count": 0,
"format": {
"id": "number",
"params": {
"pattern": "$0,0.[00]"
}
},
"esTypes": [
"float"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"FlightDelayMin": {
"name": "FlightDelayMin",
"type": "number",
"count": 0,
"format": {
"id": "number"
},
"esTypes": [
"integer"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"FlightTimeHour": {
"name": "FlightTimeHour",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"OriginCityName": {
"name": "OriginCityName",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"OriginLocation": {
"name": "OriginLocation",
"type": "geo_point",
"count": 0,
"format": {
"id": "geo_point",
"params": {
"transform": "wkt"
}
},
"esTypes": [
"geo_point"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"FlightDelayType": {
"name": "FlightDelayType",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"OriginAirportID": {
"name": "OriginAirportID",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"DistanceKilometers": {
"name": "DistanceKilometers",
"type": "number",
"count": 0,
"format": {
"id": "number"
},
"esTypes": [
"float"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
}
},
"version": "WzM2LDJd",
"fieldAttrs": {},
"allowNoIndex": false,
"fieldFormats": {
"hour_of_day": {
"id": "number",
"params": {
"pattern": "00"
}
},
"AvgTicketPrice": {
"id": "number",
"params": {
"pattern": "$0,0.[00]"
}
}
},
"sourceFilters": [],
"timeFieldName": "timestamp",
"runtimeFieldMap": {
"hour_of_day": {
"type": "long",
"script": {
"source": "emit(doc['timestamp'].value.getHour());"
}
}
}
}
}Delete a runtime field from a data view
DELETE
/api/data_views/data_view/{viewId}/runtime_field/{fieldName}
curl \
--request DELETE 'https://localhost:5601/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f/runtime_field/hour_of_day' \
--header "Authorization: $API_KEY"Logstash configuration management
Programmatically integrate with Logstash configuration management.
Do not directly access the .logstash index. The structure of the .logstash index is subject to change, which could cause your integration to break. Instead, use the Logstash configuration management APIs.
Query parameters
-
replaceDeprecatedPrivileges
boolean If
trueand the response contains any privileges that are associated with deprecated features, they are omitted in favor of details about the appropriate replacement feature privileges.
GET
/api/security/role
curl \
--request GET 'https://localhost:5601/api/security/role' \
--header "Authorization: $API_KEY"
Response examples (200)
[
{
"name": "my_kibana_role",
"kibana": [
{
"base": [
"all"
],
"spaces": [
"*"
],
"feature": {}
}
],
"metadata": {
"version": 1
},
"description": "My kibana role description",
"elasticsearch": {
"run_as": [],
"cluster": [],
"indices": []
},
"transient_metadata": {
"enabled": true
}
},
{
"name": "my_admin_role",
"kibana": [],
"metadata": {
"version": 1
},
"description": "My admin role description",
"elasticsearch": {
"cluster": [
"all"
],
"indices": [
{
"names": [
"index1",
"index2"
],
"query": "{\\\"match\\\": {\\\"title\\\": \\\"foo\\\"}}",
"privileges": [
"all"
],
"field_security": {
"grant": [
"title",
"body"
]
}
}
]
},
"transient_metadata": {
"enabled": true
}
}
]
Delete saved objects
Deprecated
WARNING: When you delete a saved object, it cannot be recovered.
Query parameters
-
force
boolean When true, force delete objects that exist in multiple namespaces. Note that the option applies to the whole request. Use the delete object API to specify per-object deletion behavior. TIP: Use this if you attempted to delete objects and received an HTTP 400 error with the following message: "Unable to delete saved object that exists in multiple namespaces, use the force option to delete it anyway". WARNING: When you bulk delete objects that exist in multiple namespaces, the API also deletes legacy url aliases that reference the object. These requests are batched to minimise the impact but they can place a heavy load on Kibana. Make sure you limit the number of objects that exist in multiple namespaces in a single bulk delete operation.
POST
/api/saved_objects/_bulk_delete
curl \
--request POST 'https://localhost:5601/api/saved_objects/_bulk_delete' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: string" \
--data '[{}]'Import saved objects
Create sets of Kibana saved objects from a file created by the export API. Saved objects can be imported only into the same version, a newer minor on the same major, or the next major. Exported saved objects are not backwards compatible and cannot be imported into an older version of Kibana.
Query parameters
-
createNewCopies
boolean Creates copies of saved objects, regenerates each object ID, and resets the origin. When used, potential conflict errors are avoided. NOTE: This option cannot be used with the
overwriteandcompatibilityModeoptions. -
overwrite
boolean Overwrites saved objects when they already exist. When used, potential conflict errors are automatically resolved by overwriting the destination object. NOTE: This option cannot be used with the
createNewCopiesoption. -
compatibilityMode
boolean Applies various adjustments to the saved objects that are being imported to maintain compatibility between different Kibana versions. Use this option only if you encounter issues with imported saved objects. NOTE: This option cannot be used with the
createNewCopiesoption.
Body
Required
-
A file exported using the export API. NOTE: The
savedObjects.maxImportExportSizeconfiguration setting limits the number of saved objects which may be included in this file. Similarly, thesavedObjects.maxImportPayloadBytessetting limits the overall size of the file that can be imported.
POST
/api/saved_objects/_import
curl \
-X POST api/saved_objects/_import?createNewCopies=true
-H "kbn-xsrf: true"
--form file=@file.ndjson
Request example
{"file"=>"file.ndjson"}
Response examples (200)
{
"success": true,
"successCount": 1,
"successResults": [
{
"id": "90943e30-9a47-11e8-b64d-95841ca0b247",
"meta": {
"icon": "indexPatternApp",
"title": "Kibana Sample Data Logs"
},
"type": "index-pattern",
"managed": false,
"destinationId": "82d2760c-468f-49cf-83aa-b9a35b6a8943"
}
]
}Resolve import errors
To resolve errors from the Import objects API, you can:
- Retry certain saved objects
- Overwrite specific saved objects
- Change references to different saved objects
Query parameters
-
compatibilityMode
boolean Applies various adjustments to the saved objects that are being imported to maintain compatibility between different Kibana versions. When enabled during the initial import, also enable when resolving import errors. This option cannot be used with the
createNewCopiesoption. -
createNewCopies
boolean Creates copies of the saved objects, regenerates each object ID, and resets the origin. When enabled during the initial import, also enable when resolving import errors.
POST
/api/saved_objects/_resolve_import_errors
curl \
--request POST 'https://localhost:5601/api/saved_objects/_resolve_import_errors' \
--header "Authorization: $API_KEY" \
--header "Content-Type: multipart/form-data" \
--header "kbn-xsrf: string" \
--form "file=file.ndjson" \
--form "retries[]={"id"=>"my-pattern", "type"=>"index-pattern", "overwrite"=>true}" \
--form "retries[]={"id"=>"my-vis", "type"=>"visualization", "overwrite"=>true, "destinationId"=>"another-vis"}" \
--form "retries[]={"id"=>"my-canvas", "type"=>"canvas", "overwrite"=>true, "destinationId"=>"yet-another-canvas"}" \
--form "retries[]={"id"=>"my-dashboard", "type"=>"dashboard"}"
Request example
{"file"=>"file.ndjson", "retries"=>[{"id"=>"my-pattern", "type"=>"index-pattern", "overwrite"=>true}, {"id"=>"my-vis", "type"=>"visualization", "overwrite"=>true, "destinationId"=>"another-vis"}, {"id"=>"my-canvas", "type"=>"canvas", "overwrite"=>true, "destinationId"=>"yet-another-canvas"}, {"id"=>"my-dashboard", "type"=>"dashboard"}]}
Response examples (200)
{
"success": true,
"successCount": 3,
"successResults": [
{
"id": "my-vis",
"meta": {
"icon": "visualizeApp",
"title": "Look at my visualization"
},
"type": "visualization"
},
{
"id": "my-search",
"meta": {
"icon": "searchApp",
"title": "Look at my search"
},
"type": "search"
},
{
"id": "my-dashboard",
"meta": {
"icon": "dashboardApp",
"title": "Look at my dashboard"
},
"type": "dashboard"
}
]
}
Get a saved object
Deprecated
Retrieve a single Kibana saved object by identifier.
GET
/api/saved_objects/{type}/{id}
curl \
--request GET 'https://localhost:5601/api/saved_objects/{type}/{id}' \
--header "Authorization: $API_KEY"
Update a saved object
Deprecated
Update the attributes for Kibana saved objects.
PUT
/api/saved_objects/{type}/{id}
curl \
--request PUT 'https://localhost:5601/api/saved_objects/{type}/{id}' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: string"Update a Knowledge Base Entry
Update an existing Knowledge Base Entry by its unique id.
Path parameters
-
id
string(nonempty) Required The unique identifier (
id) of the Knowledge Base Entry to update.Minimum length is
1.
Body
object
Required
-
global
boolean Whether this Knowledge Base Entry is global, defaults to false.
-
name
string Required Name of the Knowledge Base Entry.
-
namespace
string Kibana Space, defaults to 'default' space.
-
users
array[object] Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users.
Could be any string, not necessarily a UUID.
-
kbResource
string Required Knowledge Base resource name for grouping entries, e.g. 'security_labs', 'user', etc.
Values are
security_labsoruser. -
source
string Required Source document name or filepath.
-
text
string Required Knowledge Base Entry content.
-
type
string Required Discriminator Entry type.
Value is
document. -
required
boolean Whether this resource should always be included, defaults to false.
-
vector
object Object containing Knowledge Base Entry text embeddings and modelId used to create the embeddings.
PUT
/api/security_ai_assistant/knowledge_base/entries/{id}
curl \
--request PUT 'https://localhost:5601/api/security_ai_assistant/knowledge_base/entries/12345' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--data '{"tags":["password","reset","help","update"],"title":"How to reset a password (updated)","content":"To reset your password, go to the settings page, click 'Reset Password', and follow the instructions."}'
Request example
{
"tags": [
"password",
"reset",
"help",
"update"
],
"title": "How to reset a password (updated)",
"content": "To reset your password, go to the settings page, click 'Reset Password', and follow the instructions."
}
Response examples (200)
{
"id": "12345",
"tags": [
"password",
"reset",
"help",
"update"
],
"title": "How to reset a password (updated)",
"content": "To reset your password, go to the settings page, click 'Reset Password', and follow the instructions."
}
Response examples (400)
{
"error": "Invalid input",
"message": "The 'content' field cannot be empty."
}Deletes a single Knowledge Base Entry using the `id` field
Delete a Knowledge Base Entry by its unique id.
Path parameters
-
id
string(nonempty) Required The unique identifier (
id) of the Knowledge Base Entry to delete.Minimum length is
1.
DELETE
/api/security_ai_assistant/knowledge_base/entries/{id}
curl \
--request DELETE 'https://localhost:5601/api/security_ai_assistant/knowledge_base/entries/12345' \
--header "Authorization: $API_KEY"
Response examples (200)
{
"id": "12345",
"message": "Knowledge Base Entry successfully deleted."
}
Response examples (400)
{
"error": "Not Found",
"message": "No Knowledge Base Entry found with the provided `id`."
}Apply a bulk action to prompts
Apply a bulk action to multiple prompts. The bulk action is applied to all prompts that match the filter or to the list of prompts by their IDs. This action allows for bulk create, update, or delete operations.
POST
/api/security_ai_assistant/prompts/_bulk_action
curl \
--request POST 'https://localhost:5601/api/security_ai_assistant/prompts/_bulk_action' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--data '{"create":[{"name":"New Security Prompt","content":"Please verify the security settings.","promptType":"system"}],"delete":{"ids":["prompt1","prompt2"]},"update":[{"id":"prompt123","content":"Updated content for security prompt."}]}'
Request example
{
"create": [
{
"name": "New Security Prompt",
"content": "Please verify the security settings.",
"promptType": "system"
}
],
"delete": {
"ids": [
"prompt1",
"prompt2"
]
},
"update": [
{
"id": "prompt123",
"content": "Updated content for security prompt."
}
]
}
Response examples (200)
{
"message": "Bulk action completed successfully.",
"success": true,
"attributes": {
"errors": [],
"results": {
"created": [
{
"id": "prompt6",
"name": "New Security Prompt",
"content": "Please verify the security settings.",
"promptType": "system"
}
],
"deleted": [
"prompt2",
"prompt3"
],
"skipped": [
{
"id": "prompt4",
"name": "Security Prompt",
"skip_reason": "PROMPT_FIELD_NOT_MODIFIED"
}
],
"updated": [
{
"id": "prompt1",
"name": "Security Prompt",
"content": "Updated security settings prompt",
"promptType": "system"
}
]
},
"summary": {
"total": 5,
"failed": 0,
"skipped": 1,
"succeeded": 4
}
},
"status_code": 200,
"prompts_count": 5
}
Body
Required
Value list's properties
-
description
string(nonempty) Required Describes the value list.
Minimum length is
1. -
deserializer
string Determines how retrieved list item values are presented. By default list items are presented using these Handelbar expressions:
{{{value}}}- Single value item types, such asip,long,date,keyword, andtext.{{{gte}}}-{{{lte}}}- Range value item types, such asip_range,double_range,float_range,integer_range, andlong_range.{{{gte}}},{{{lte}}}- Date range values.
-
id
string(nonempty) Value list's identifier.
Minimum length is
1. -
meta
object Placeholder for metadata about the value list.
Additional properties are allowed.
-
name
string(nonempty) Required Value list's name.
Minimum length is
1. -
serializer
string Determines how uploaded list item values are parsed. By default, list items are parsed using these named regex groups:
(?<value>.+)- Single value item types, such as ip, long, date, keyword, and text.(?<gte>.+)-(?<lte>.+)|(?<value>.+)- Range value item types, such asdate_range,ip_range,double_range,float_range,integer_range, andlong_range.
-
type
string Required Specifies the Elasticsearch data type of excludes the list container holds. Some common examples:
keyword: Many ECS fields are Elasticsearch keywordsip: IP addressesip_range: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)
Values are
binary,boolean,byte,date,date_nanos,date_range,double,double_range,float,float_range,geo_point,geo_shape,half_float,integer,integer_range,ip,ip_range,keyword,long,long_range,shape,short, ortext. -
version
integer Minimum value is
1. Default value is1.
Responses
-
200 application/json
Successful response
-
400 application/json
Invalid input data response
-
401 application/json
Unsuccessful authentication response
-
403 application/json
Not enough privileges response
-
409 application/json
List already exists response
-
500 application/json
Internal server error response
POST
/api/lists
curl \
--request POST 'https://localhost:5601/api/lists' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--data '{"id":"ip_list","name":"Simple list with ips","type":"ip","description":"This list describes bad internet ips"}'
Request examples
Ip
{
"id": "ip_list",
"name": "Simple list with ips",
"type": "ip",
"description": "This list describes bad internet ips"
}{
"id": "ip_range_list",
"name": "Simple list with ip ranges",
"type": "ip_range",
"description": "This list has ip ranges"
}{
"id": "keyword_list",
"name": "Simple list with a keyword",
"type": "keyword",
"description": "This list describes bad host names"
}{
"id": "keyword_custom_format_list",
"name": "Simple list with a keyword using a custom format",
"type": "keyword",
"serializer": "(?<value>((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))",
"description": "This parses the first found ipv4 only",
"deserializer": "{{value}}"
}
Response examples (200)
Ip
{
"id": "ip_list",
"name": "Simple list with ips",
"type": "ip",
"version": 1,
"_version": "WzAsMV0=",
"immutable": false,
"@timestamp": "2025-01-08T04:47:34.273Z",
"created_at": "2025-01-08T04:47:34.273Z",
"created_by": "elastic",
"updated_at": "2025-01-08T04:47:34.273Z",
"updated_by": "elastic",
"description": "This list describes bad internet ips",
"tie_breaker_id": "f5508188-b1e9-4e6e-9662-d039a7d89899"
}{
"id": "ip_range_list",
"name": "Simple list with ip ranges",
"type": "ip_range",
"version": 1,
"_version": "WzAsMV0=",
"immutable": false,
"@timestamp": "2025-01-09T18:23:52.241Z",
"created_at": "2025-01-09T18:23:52.241Z",
"created_by": "elastic",
"updated_at": "2025-01-09T18:23:52.241Z",
"updated_by": "elastic",
"description": "This list has ip ranges",
"tie_breaker_id": "74aebdaf-601f-4940-b351-155728ff7003"
}{
"id": "keyword_list",
"name": "Simple list with a keyword",
"type": "keyword",
"version": 1,
"_version": "WzEsMV0=",
"immutable": false,
"@timestamp": "2025-01-09T18:24:55.786Z",
"created_at": "2025-01-09T18:24:55.786Z",
"created_by": "elastic",
"updated_at": "2025-01-09T18:24:55.786Z",
"updated_by": "elastic",
"description": "This list describes bad host names",
"tie_breaker_id": "f7e7dbaa-daf7-4c9a-a3dc-56643923ef68"
}{
"id": "keyword_custom_format_list",
"name": "Simple list with a keyword using a custom format",
"type": "keyword",
"version": 1,
"_version": "WzIsMV0=",
"immutable": false,
"@timestamp": "2025-01-09T18:25:39.604Z",
"created_at": "2025-01-09T18:25:39.604Z",
"created_by": "elastic",
"serializer": "(?<value>((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))",
"updated_at": "2025-01-09T18:25:39.604Z",
"updated_by": "elastic",
"description": "This parses the first found ipv4 only",
"deserializer": "{{value}}",
"tie_breaker_id": "8247ae63-b780-47b8-9a89-948b643e9ec2"
}
Response examples (400)
{
"message": "To create a list, the data stream must exist first. Data stream \\\".lists-default\\\" does not exist",
"status_code": 400
}
Response examples (401)
{
"error": "Unauthorized",
"message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
"statusCode": 401
}
Response examples (403)
{
"error": "Forbidden",
"message": "API [POST /api/lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]",
"statusCode": 403
}
Response examples (409)
{
"message": "list id: \"keyword_custom_format_list\" already exists",
"status_code": 409
}
Response examples (500)
{
"message": "Internal Server Error",
"status_code": 500
}