Get the alerting framework health

GET /api/alerting/_health

You must have read privileges for the Management > Stack Rules feature or for at least one of the Analytics > Discover, Analytics > Machine Learning, Observability, or Security features.

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- alerting_framework_health object
  
  Three substates identify the health of the alerting framework: decryption_health, execution_health, and read_health.
  
  Hide alerting_framework_health attributes Show alerting_framework_health attributes object
  
  decryption_health object
  
  The timestamp and status of the rule decryption.
  
  Hide decryption_health attributes Show decryption_health attributes object
  
  status string
  
  Values are error, ok, or warn.
  
  timestamp string(date-time)
  
  execution_health object
  
  The timestamp and status of the rule run.
  
  Hide execution_health attributes Show execution_health attributes object
  
  status string
  
  Values are error, ok, or warn.
  
  timestamp string(date-time)
  
  read_health object
  
  The timestamp and status of the rule reading events.
  
  Hide read_health attributes Show read_health attributes object
  
  status string
  
  Values are error, ok, or warn.
  
  timestamp string(date-time)
- has_permanent_encryption_key boolean
  
  If false, the encrypted saved object plugin does not have a permanent encryption key.
- is_sufficiently_secure boolean
  
  If false, security is enabled but TLS is not.
401 application/json

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
  
  Value is Unauthorized.
- message string
- statusCode integer
  
  Value is 401.

GET /api/alerting/_health

curl \
 --request GET 'https://localhost:5601/api/alerting/_health' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "is_sufficiently_secure": true,
  "alerting_framework_health": {
    "read_health": {
      "status": "ok",
      "timestamp": "2023-01-13T01:28:00.280Z"
    },
    "execution_health": {
      "status": "ok",
      "timestamp": "2023-01-13T01:28:00.280Z"
    },
    "decryption_health": {
      "status": "ok",
      "timestamp": "2023-01-13T01:28:00.280Z"
    }
  },
  "has_permanent_encryption_key": true
}

Get rule details

GET /api/alerting/rule/{id}

Api key auth Basic auth

Path parameters

id string Required

The identifier for the rule.

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- actions array[object] Required
  
  Hide actions attributes Show actions attributes object
  
  alerts_filter object
  
  Defines a period that limits whether the action runs.
  
  Additional properties are NOT allowed.
  
  Hide alerts_filter attributes Show alerts_filter attributes object
  
  query object
  
  Additional properties are NOT allowed.
  
  Hide query attributes Show query attributes object
  
  dsl string
  
  A filter written in Elasticsearch Query Domain Specific Language (DSL).
  
  filters array[object] Required
  
  A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the kbn-es-query package.
  
  Hide filters attributes Show filters attributes object
  
  $state object
  
  Additional properties are NOT allowed.
  
  Hide $state attribute Show $state attribute object
  
  store string Required
  
  A filter can be either specific to an application context or applied globally.
  
  Values are appState or globalState.
  
  meta object Required
  
  Additional properties are allowed.
  
  query object
  
  Additional properties are allowed.
  
  kql string Required
  
  A filter written in Kibana Query Language (KQL).
  
  timeframe object
  
  Additional properties are NOT allowed.
  
  Hide timeframe attributes Show timeframe attributes object
  
  days array[integer] Required
  
  Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.
  
  Values are 1, 2, 3, 4, 5, 6, or 7.
  
  hours object Required
  
  Additional properties are NOT allowed.
  
  Hide hours attributes Show hours attributes object
  
  end string Required
  
  The end of the time frame in 24-hour notation (hh:mm).
  
  start string Required
  
  The start of the time frame in 24-hour notation (hh:mm).
  
  timezone string Required
  
  The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.
  
  connector_type_id string Required
  
  The type of connector. This property appears in responses but cannot be set in requests.
  
  frequency object
  
  Additional properties are NOT allowed.
  
  Hide frequency attributes Show frequency attributes object
  
  notify_when string Required
  
  Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  
  Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
  
  summary boolean Required
  
  Indicates whether the action is a summary.
  
  throttle string | null Required
  
  The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if 'notify_when' is set to 'onThrottleInterval'. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  
  group string
  
  The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.
  
  id string Required
  
  The identifier for the connector saved object.
  
  params object Required
  
  The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.
  
  Additional properties are allowed.
  
  use_alert_data_for_template boolean
  
  Indicates whether to use alert data as a template.
  
  uuid string
  
  A universally unique identifier (UUID) for the action.
- active_snoozes array[string]
  
  List of active snoozes for the rule.
- alert_delay object
  
  Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.
  
  Additional properties are NOT allowed.
  
  Hide alert_delay attribute Show alert_delay attribute object
  
  active number Required
  
  The number of consecutive runs that must meet the rule conditions.
- api_key_created_by_user boolean | null
  
  Indicates whether the API key that is associated with the rule was created by the user.
- api_key_owner string | null Required
  
  The owner of the API key that is associated with the rule and used to run background tasks.
- artifacts object
  
  Additional properties are NOT allowed.
  
  Hide artifacts attributes Show artifacts attributes object
  
  dashboards array[object]
  
  Hide dashboards attribute Show dashboards attribute object
  
  id string Required
  
  investigation_guide object
  
  Additional properties are NOT allowed.
  
  Hide investigation_guide attribute Show investigation_guide attribute object
  
  blob string Required
  
  User-created content that describes alert causes and remdiation.
- consumer string Required
  
  The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
- created_at string Required
  
  The date and time that the rule was created.
- created_by string | null Required
  
  The identifier for the user that created the rule.
- enabled boolean Required
  
  Indicates whether you want to run the rule on an interval basis after it is created.
- execution_status object Required
  
  Additional properties are NOT allowed.
  
  Hide execution_status attributes Show execution_status attributes object
  
  error object
  
  Additional properties are NOT allowed.
  
  Hide error attributes Show error attributes object
  
  message string Required
  
  Error message.
  
  reason string Required
  
  Reason for error.
  
  Values are read, decrypt, execute, unknown, license, timeout, disabled, or validate.
  
  last_duration number
  
  Duration of last execution of the rule.
  
  last_execution_date string Required
  
  The date and time when rule was executed last.
  
  status string Required
  
  Status of rule execution.
  
  Values are ok, active, error, warning, pending, or unknown.
  
  warning object
  
  Additional properties are NOT allowed.
  
  Hide warning attributes Show warning attributes object
  
  message string Required
  
  Warning message.
  
  reason string Required
  
  Reason for warning.
  
  Values are maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.
- flapping object | null
  
  When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
  
  Additional properties are NOT allowed.
  
  Hide flapping attributes Show flapping attributes object | null
  
  look_back_window number Required
  
  The minimum number of runs in which the threshold must be met.
  
  Minimum value is 2, maximum value is 20.
  
  status_change_threshold number Required
  
  The minimum number of times an alert must switch states in the look back window.
  
  Minimum value is 2, maximum value is 20.
- id string Required
  
  The identifier for the rule.
- is_snoozed_until string | null
  
  The date when the rule will no longer be snoozed.
- last_run object | null
  
  Additional properties are NOT allowed.
  
  Hide last_run attributes Show last_run attributes object | null
  
  alerts_count object Required
  
  Additional properties are NOT allowed.
  
  Hide alerts_count attributes Show alerts_count attributes object
  
  active number | null
  
  Number of active alerts during last run.
  
  ignored number | null
  
  Number of ignored alerts during last run.
  
  new number | null
  
  Number of new alerts during last run.
  
  recovered number | null
  
  Number of recovered alerts during last run.
  
  outcome string Required
  
  Outcome of last run of the rule. Value could be succeeded, warning or failed.
  
  Values are succeeded, warning, or failed.
  
  outcome_msg array[string] | null
  
  Outcome message generated during last rule run.
  
  outcome_order number
  
  Order of the outcome.
  
  warning string | null
  
  Warning of last rule execution.
  
  Values are read, decrypt, execute, unknown, license, timeout, disabled, validate, maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.
- mapped_params object
  
  Additional properties are allowed.
- monitoring object
  
  Monitoring details of the rule.
  
  Additional properties are NOT allowed.
  
  Hide monitoring attribute Show monitoring attribute object
  
  run object Required
  
  Rule run details.
  
  Additional properties are NOT allowed.
  
  Hide run attributes Show run attributes object
  
  calculated_metrics object Required
  
  Calculation of different percentiles and success ratio.
  
  Additional properties are NOT allowed.
  
  Hide calculated_metrics attributes Show calculated_metrics attributes object
  
  p50 number
  
  p95 number
  
  p99 number
  
  success_ratio number Required
  
  history array[object] Required
  
  History of the rule run.
  
  Hide history attributes Show history attributes object
  
  duration number
  
  Duration of the rule run.
  
  outcome string
  
  Outcome of last run of the rule. Value could be succeeded, warning or failed.
  
  Values are succeeded, warning, or failed.
  
  success boolean Required
  
  Indicates whether the rule run was successful.
  
  timestamp number Required
  
  Time of rule run.
  
  last_run object Required
  
  Additional properties are NOT allowed.
  
  Hide last_run attributes Show last_run attributes object
  
  metrics object Required
  
  Additional properties are NOT allowed.
  
  Hide metrics attributes Show metrics attributes object
  
  duration number
  
  Duration of most recent rule run.
  
  gap_duration_s number | null
  
  Duration in seconds of rule run gap.
  
  gap_range object | null
  
  Additional properties are NOT allowed.
  
  Hide gap_range attributes Show gap_range attributes object | null
  
  gte string Required
  
  End of the gap range.
  
  lte string Required
  
  Start of the gap range.
  
  total_alerts_created number | null
  
  Total number of alerts created during last rule run.
  
  total_alerts_detected number | null
  
  Total number of alerts detected during last rule run.
  
  total_indexing_duration_ms number | null
  
  Total time spent indexing documents during last rule run in milliseconds.
  
  total_search_duration_ms number | null
  
  Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.
  
  timestamp string Required
  
  Time of the most recent rule run.
- mute_all boolean Required
  
  Indicates whether all alerts are muted.
- muted_alert_ids array[string] Required
  
  List of identifiers of muted alerts.
- name string Required
  
  The name of the rule.
- next_run string | null
  
  Date and time of the next run of the rule.
- notify_when string | null
  
  Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  
  Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
- params object Required
  
  The parameters for the rule.
  
  Additional properties are allowed.
- revision number Required
  
  The rule revision number.
- rule_type_id string Required
  
  The rule type identifier.
- running boolean | null
  
  Indicates whether the rule is running.
- schedule object Required
  
  Additional properties are NOT allowed.
  
  Hide schedule attribute Show schedule attribute object
  
  interval string Required
  
  The interval is specified in seconds, minutes, hours, or days.
- scheduled_task_id string
  
  Identifier of the scheduled task.
- snooze_schedule array[object]
  
  Hide snooze_schedule attributes Show snooze_schedule attributes object
  
  duration number Required
  
  Duration of the rule snooze schedule.
  
  id string
  
  Identifier of the rule snooze schedule.
  
  rRule object Required
  
  Additional properties are NOT allowed.
  
  Hide rRule attributes Show rRule attributes object
  
  byhour array[number] | null
  
  Indicates hours of the day to recur.
  
  byminute array[number] | null
  
  Indicates minutes of the hour to recur.
  
  bymonth array[number] | null
  
  Indicates months of the year that this rule should recur.
  
  bymonthday array[number] | null
  
  Indicates the days of the month to recur.
  
  bysecond array[number] | null
  
  Indicates seconds of the day to recur.
  
  bysetpos array[number] | null
  
  A positive or negative integer affecting the nth day of the month. For example, -2 combined with byweekday of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use byweekday.
  
  byweekday array[string | number] | null
  
  Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a byweekday/bysetpos combination.
  
  byweekno array[number] | null
  
  Indicates number of the week hours to recur.
  
  byyearday array[number] | null
  
  Indicates the days of the year that this rule should recur.
  
  count number
  
  Number of times the rule should recur until it stops.
  
  dtstart string Required
  
  Rule start date in Coordinated Universal Time (UTC).
  
  freq integer
  
  Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY.
  
  Values are 0, 1, 2, 3, 4, 5, or 6.
  
  interval number
  
  Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.
  
  tzid string Required
  
  Indicates timezone abbreviation.
  
  until string
  
  Recur the rule until this date.
  
  wkst string
  
  Indicates the start of week, defaults to Monday.
  
  Values are MO, TU, WE, TH, FR, SA, or SU.
  
  skipRecurrences array[string]
  
  Skips recurrence of rule on this date.
- tags array[string] Required
  
  The tags for the rule.
- throttle string | null Deprecated
  
  Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
- updated_at string Required
  
  The date and time that the rule was updated most recently.
- updated_by string | null Required
  
  The identifier for the user that updated this rule most recently.
- view_in_app_relative_url string | null
  
  Relative URL to view rule in the app.
400

Indicates an invalid schema or parameters.
403

Indicates that this call is forbidden.
404

Indicates a rule with the given ID does not exist.

GET /api/alerting/rule/{id}

curl \
 --request GET 'https://localhost:5601/api/alerting/rule/{id}' \
 --header "Authorization: $API_KEY"

Add a case comment or alert

POST /api/cases/{caseId}/comments

Api key auth Basic auth

You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're creating. NOTE: Each case can have a maximum of 1,000 alerts.

Headers

kbn-xsrf string Required

Cross-site request forgery protection

Path parameters

caseId string Required

The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.

application/json

Body object Required

The add comment to case API request body varies depending on whether you are adding an alert or a comment.

Defines properties for case comment requests when type is alert.

alertId string | array[string] Required

The alert identifiers. It is required only when type is alert. You can use an array of strings to add multiple alerts to a case, provided that they all relate to the same rule; index must also be an array with the same length or number of elements. Adding multiple alerts in this manner is recommended rather than calling the API multiple times. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

One of:
string-1 string array-2 array[string]
index string | array[string] Required

The alert indices. It is required only when type is alert. If you are adding multiple alerts to a case, use an array of strings; the position of each index name in the array must match the position of the corresponding alert identifier in the alertId array. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

One of:
string-1 string array-2 array[string]
owner string Required

The application that owns the cases: Stack Management, Observability, or Elastic Security.

Values are cases, observability, or securitySolution.
rule object Required Technical preview

The rule that is associated with the alerts. It is required only when type is alert. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
Hide rule attributes Show rule attributes object
- id string
  
  The rule identifier.
- name string
  
  The rule name.
type string Required Discriminator

The type of comment.

Value is alert.

Defines properties for case comment requests when type is user.

comment string Required

The new comment. It is required only when type is user.

Maximum length is 30000.
owner string Required

The application that owns the cases: Stack Management, Observability, or Elastic Security.

Values are cases, observability, or securitySolution.
type string Required Discriminator

The type of comment.

Value is user.

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- assignees array[object] | null
  
  An array containing users that are assigned to the case.
  
  Not more than 10 elements.
  
  Hide assignees attribute Show assignees attribute object
  
  uid string Required
  
  A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.
- category string | null
  
  The case category.
- closed_at string(date-time) | null Required
- closed_by object | null Required
  
  Hide closed_by attributes Show closed_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
- comments array[object] Required
  
  An array of comment objects for the case.
  
  Not more than 10000 elements.
  
  One of:
  Cases_alert_comment_response_properties object Cases_user_comment_response_properties object
  
  Hide attributes Show attributes
  
  alertId array[string]
  
  created_at string(date-time)
  
  created_by object
  
  Hide created_by attributes Show created_by attributes object
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  id string
  
  index array[string]
  
  owner string
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
  
  pushed_at string(date-time) | null
  
  pushed_by object | null
  
  Hide pushed_by attributes Show pushed_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  rule object
  
  Hide rule attributes Show rule attributes object
  
  id string
  
  The rule identifier.
  
  name string
  
  The rule name.
  
  type string Required Discriminator
  
  Value is alert.
  
  updated_at string(date-time) | null
  
  updated_by object | null
  
  Hide updated_by attributes Show updated_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  version string
  
  Hide attributes Show attributes
  
  comment string
  
  created_at string(date-time)
  
  created_by object
  
  Hide created_by attributes Show created_by attributes object
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  id string
  
  owner string
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
  
  pushed_at string(date-time) | null
  
  pushed_by object | null
  
  Hide pushed_by attributes Show pushed_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  type string Required Discriminator
  
  Value is user.
  
  updated_at string(date-time) | null
  
  updated_by object | null
  
  Hide updated_by attributes Show updated_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  version string
- connector object Required
  
  One of:
  Cases_connector_properties_none object Cases_connector_properties_cases_webhook object Cases_connector_properties_jira object Cases_connector_properties_resilient object Cases_connector_properties_servicenow object Cases_connector_properties_servicenow_sir object Cases_connector_properties_swimlane object
  
  Defines properties for connectors when type is .none.
  
  Hide attributes Show attributes
  
  fields string | null Required
  
  An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.
  
  id string Required
  
  The identifier for the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.
  
  name string Required
  
  The name of the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.
  
  type string Required Discriminator
  
  The type of connector. To create a case without a connector, use .none. To update a case to remove the connector, specify .none.
  
  Value is .none.
  
  Defines properties for connectors when type is .cases-webhook.
  
  Hide attributes Show attributes
  
  fields string | null Required
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .cases-webhook.
  
  Defines properties for connectors when type is .jira.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object
  
  issueType string | null Required
  
  The type of issue.
  
  parent string | null Required
  
  The key of the parent issue, when the issue type is sub-task.
  
  priority string | null Required
  
  The priority of the issue.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .jira.
  
  Defines properties for connectors when type is .resilient.
  
  Hide attributes Show attributes
  
  fields object | null Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object | null
  
  issueTypes array[string] Required
  
  The type of incident.
  
  severityCode string Required
  
  The severity code of the incident.
  
  id string Required
  
  The identifier for the connector.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .resilient.
  
  Defines properties for connectors when type is .servicenow.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object
  
  category string | null Required
  
  The category of the incident.
  
  impact string | null Required
  
  The effect an incident had on business.
  
  severity string | null Required
  
  The severity of the incident.
  
  subcategory string | null Required
  
  The subcategory of the incident.
  
  urgency string | null Required
  
  The extent to which the incident resolution can be delayed.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .servicenow.
  
  Defines properties for connectors when type is .servicenow-sir.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object
  
  category string | null Required
  
  The category of the incident.
  
  destIp boolean | null Required
  
  Indicates whether cases will send a comma-separated list of destination IPs.
  
  malwareHash boolean | null Required
  
  Indicates whether cases will send a comma-separated list of malware hashes.
  
  malwareUrl boolean | null Required
  
  Indicates whether cases will send a comma-separated list of malware URLs.
  
  priority string | null Required
  
  The priority of the issue.
  
  sourceIp boolean | null Required
  
  Indicates whether cases will send a comma-separated list of source IPs.
  
  subcategory string | null Required
  
  The subcategory of the incident.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .servicenow-sir.
  
  Defines properties for connectors when type is .swimlane.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attribute Show fields attribute object
  
  caseId string | null Required
  
  The case identifier for Swimlane connectors.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .swimlane.
- created_at string(date-time) Required
- created_by object Required
  
  Hide created_by attributes Show created_by attributes object
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
- customFields array[object]
  
  Custom field values for the case.
  
  Hide customFields attributes Show customFields attributes object
  
  key string
  
  The unique identifier for the custom field. The key value must exist in the case configuration settings.
  
  type string
  
  The custom field type. It must match the type specified in the case configuration settings.
  
  Values are text or toggle.
  
  value string | null | boolean
  
  The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is undefined. The value returned in the API and user interface in this case is null.
  
  One of:
  string-1 string | null boolean-2 boolean
  
  Minimum length is 1, maximum length is 160.
- description string Required
- duration integer | null Required
  
  The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero.
- external_service object | null Required
  
  Hide external_service attributes Show external_service attributes object | null
  
  connector_id string
  
  connector_name string
  
  external_id string
  
  external_title string
  
  external_url string
  
  pushed_at string(date-time)
  
  pushed_by object | null
  
  Hide pushed_by attributes Show pushed_by attributes object | null
  
  email string | null
  
  full_name string | null
  
  profile_uid string
  
  username string | null
- id string Required
- owner string Required
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
- settings object Required
  
  An object that contains the case settings.
  
  Hide settings attribute Show settings attribute object
  
  syncAlerts boolean Required
  
  Turns alert syncing on or off.
- severity string Required
  
  The severity of the case.
  
  Values are critical, high, low, or medium. Default value is low.
- status string Required
  
  The status of the case.
  
  Values are closed, in-progress, or open.
- tags array[string] Required
- title string Required
- totalAlerts integer Required
- totalComment integer Required
- updated_at string(date-time) | null Required
- updated_by object | null Required
  
  Hide updated_by attributes Show updated_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
- version string Required
401 application/json

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
- message string
- statusCode integer

POST /api/cases/{caseId}/comments

curl \
 --request POST 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"type":"user","owner":"cases","comment":"A new comment."}'

Request example

{
  "type": "user",
  "owner": "cases",
  "comment": "A new comment."
}

Response examples (200)

{
  "id": "293f1bc0-74f6-11ea-b83a-553aecdb28b6",
  "tags": [
    "tag 1"
  ],
  "owner": "cases",
  "title": "Case title 1",
  "status": "open",
  "version": "WzIzMzgsMV0=",
  "category": null,
  "comments": [
    {
      "id": "8af6ac20-74f6-11ea-b83a-553aecdb28b6",
      "type": "user",
      "owner": "cases",
      "comment": "A new comment.",
      "version": "WzIwNDMxLDFd",
      "created_at": "2022-10-02T00:49:47.716Z",
      "created_by": {
        "email": null,
        "username": "elastic",
        "full_name": null
      }
    }
  ],
  "duration": null,
  "settings": {
    "syncAlerts": false
  },
  "severity": "low",
  "assignees": [],
  "closed_at": null,
  "closed_by": null,
  "connector": {
    "id": "none",
    "name": "none",
    "type": ".none",
    "fields": null
  },
  "created_at": "2022-03-24T00:37:03.906Z",
  "created_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "updated_at": "2022-06-03T00:49:47.716Z",
  "updated_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "description": "A case description.",
  "totalAlerts": 0,
  "customFields": [
    {
      "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
      "type": "text",
      "value": "Field value"
    },
    {
      "key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
      "type": "toggle",
      "value": true
    }
  ],
  "totalComment": 1,
  "external_service": null
}

Get a case comment or alert

GET /api/cases/{caseId}/comments/{commentId}

Api key auth Basic auth

You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases with the comments you're seeking.

Path parameters

caseId string Required

The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.
commentId string Required

The identifier for the comment. To retrieve comment IDs, use the get case or find cases APIs.

Responses

200 application/json

Indicates a successful call.
One of:
Cases_alert_comment_response_properties object Cases_user_comment_response_properties object
Hide attributes Show attributes

alertId array[string]

created_at string(date-time)

created_by object

Hide created_by attributes Show created_by attributes object

email string | null Required

full_name string | null Required

profile_uid string

username string | null Required

id string

index array[string]

owner string

The application that owns the cases: Stack Management, Observability, or Elastic Security.

Values are cases, observability, or securitySolution.

pushed_at string(date-time) | null

pushed_by object | null

Hide pushed_by attributes Show pushed_by attributes object | null

email string | null Required

full_name string | null Required

profile_uid string

username string | null Required

rule object

Hide rule attributes Show rule attributes object

id string

The rule identifier.

name string

The rule name.

type string Required

Value is alert.

updated_at string(date-time) | null

updated_by object | null

Hide updated_by attributes Show updated_by attributes object | null

email string | null Required

full_name string | null Required

profile_uid string

username string | null Required

version string
Hide attributes Show attributes

comment string

created_at string(date-time)

created_by object

Hide created_by attributes Show created_by attributes object

email string | null Required

full_name string | null Required

profile_uid string

username string | null Required

id string

owner string

The application that owns the cases: Stack Management, Observability, or Elastic Security.

Values are cases, observability, or securitySolution.

pushed_at string(date-time) | null

pushed_by object | null

Hide pushed_by attributes Show pushed_by attributes object | null

email string | null Required

full_name string | null Required

profile_uid string

username string | null Required

type string Required

Value is user.

updated_at string(date-time) | null

updated_by object | null

Hide updated_by attributes Show updated_by attributes object | null

email string | null Required

full_name string | null Required

profile_uid string

username string | null Required

version string
401 application/json

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
- message string
- statusCode integer

GET /api/cases/{caseId}/comments/{commentId}

curl \
 --request GET 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments/71ec1870-725b-11ea-a0b2-c51ea50a58e2' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "id": "8048b460-fe2b-11ec-b15d-779a7c8bbcc3",
  "type": "user",
  "owner": "cases",
  "comment": "A new comment",
  "version": "WzIzLDFd",
  "pushed_at": null,
  "pushed_by": null,
  "created_at": "2023-10-07T19:32:13.104Z",
  "created_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "updated_at": null,
  "updated_by": null
}

Get cases for an alert Technical preview

GET /api/cases/alerts/{alertId}

Api key auth Basic auth

You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.

Path parameters

alertId string Required

An identifier for the alert.

Query parameters

owner string | array[string]

A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read.

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- id string
  
  The case identifier.
- title string
  
  The case title.
401 application/json

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
- message string
- statusCode integer

GET /api/cases/alerts/{alertId}

curl \
 --request GET 'https://localhost:5601/api/cases/alerts/09f0c261e39e36351d75995b78bb83673774d1bc2cca9df2d15f0e5c0a99a540' \
 --header "Authorization: $API_KEY"

Response examples (200)

[
  {
    "id": "06116b80-e1c3-11ec-be9b-9b1838238ee6",
    "title": "security_case"
  }
]

Get connector information

GET /api/actions/connector/{id}

Api key auth Basic auth

Path parameters

id string Required

An identifier for the connector.

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- config object
  
  Additional properties are allowed.
- connector_type_id string Required
  
  The connector type identifier.
- id string Required
  
  The identifier for the connector.
- is_deprecated boolean Required
  
  Indicates whether the connector is deprecated.
- is_missing_secrets boolean
  
  Indicates whether the connector is missing secrets.
- is_preconfigured boolean Required
  
  Indicates whether the connector is preconfigured. If true, the config and is_missing_secrets properties are omitted from the response.
- is_system_action boolean Required
  
  Indicates whether the connector is used for system actions.
- name string Required
  
  The name of the rule.

GET /api/actions/connector/{id}

curl \
 --request GET 'https://localhost:5601/api/actions/connector/{id}' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "id": "df770e30-8b8b-11ed-a780-3b746c987a81",
  "name": "my_server_log_connector",
  "config": {},
  "is_deprecated": false,
  "is_preconfigured": false,
  "is_system_action": false,
  "connector_type_id": ".server-log",
  "is_missing_secrets": false
}

Get all connectors

GET /api/actions/connectors

Api key auth Basic auth

Responses

200 application/json

Indicates a successful call.

GET /api/actions/connectors

curl \
 --request GET 'https://localhost:5601/api/actions/connectors' \
 --header "Authorization: $API_KEY"

Response examples (200)

[
  {
    "id": "preconfigured-email-connector",
    "name": "my-preconfigured-email-notification",
    "is_deprecated": false,
    "is_preconfigured": true,
    "is_system_action": false,
    "connector_type_id": ".email",
    "referenced_by_count": 0
  },
  {
    "id": "e07d0c80-8b8b-11ed-a780-3b746c987a81",
    "name": "my-index-connector",
    "config": {
      "index": "test-index",
      "refresh": false,
      "executionTimeField": null
    },
    "is_deprecated": false,
    "is_preconfigured": false,
    "is_system_action": false,
    "connector_type_id": ".index",
    "is_missing_secrets": false,
    "referenced_by_count": 2
  }
]

Update an existing dashboard Technical Preview

PUT /api/dashboards/dashboard/{id}

Api key auth Basic auth

This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

id string Required

A unique identifier for the dashboard.

application/json

Body

attributes object Required

Additional properties are NOT allowed.
Hide attributes attributes Show attributes attributes object
- controlGroupInput object
  
  Additional properties are NOT allowed.
  Hide controlGroupInput attributes Show controlGroupInput attributes object
  
  autoApplySelections boolean
  
  Show apply selections button in controls.
  
  Default value is true.
  
  chainingSystem string
  
  The chaining strategy for multiple controls. For example, "HIERARCHICAL" or "NONE".
  
  Values are NONE or HIERARCHICAL. Default value is HIERARCHICAL.
  
  controls array[object]
  
  An array of control panels and their state in the control group.
  
  Default value is [] (empty).
  
  Hide controls attributes Show controls attributes object
  
  controlConfig object
  
  Additional properties are allowed.
  
  grow boolean
  
  Expand width of the control panel to fit available space.
  
  Default value is false.
  
  id string
  
  The unique ID of the control.
  
  order number Required
  
  The order of the control panel in the control group.
  
  type string Required
  
  The type of the control panel.
  
  width string
  
  Minimum width of the control panel in the control group.
  
  Values are small, medium, or large. Default value is medium.
  
  enhancements object
  
  Additional properties are allowed.
  
  ignoreParentSettings object Required
  
  Additional properties are NOT allowed.
  
  Hide ignoreParentSettings attributes Show ignoreParentSettings attributes object
  
  ignoreFilters boolean
  
  Ignore global filters in controls.
  
  Default value is false.
  
  ignoreQuery boolean
  
  Ignore the global query bar in controls.
  
  Default value is false.
  
  ignoreTimerange boolean
  
  Ignore the global time range in controls.
  
  Default value is false.
  
  ignoreValidations boolean
  
  Ignore validations in controls.
  
  Default value is false.
  
  labelPosition string
  
  Position of the labels for controls. For example, "oneLine", "twoLine".
  
  Values are oneLine or twoLine. Default value is oneLine.
- description string
  
  A short description.
  
  Default value is empty.
- kibanaSavedObjectMeta object
  
  A container for various metadata
  
  Default value is {} (empty). Additional properties are NOT allowed.
  Hide kibanaSavedObjectMeta attribute Show kibanaSavedObjectMeta attribute object
  
  searchSource object
  
  Additional properties are allowed.
  
  Hide searchSource attributes Show searchSource attributes object
  
  filter array[object]
  
  A filter for the search source.
  
  Hide filter attributes Show filter attributes object
  
  $state object
  
  Additional properties are NOT allowed.
  
  Hide $state attribute Show $state attribute object
  
  store string Required
  
  Denote whether a filter is specific to an application's context (e.g. 'appState') or whether it should be applied globally (e.g. 'globalState').
  
  Values are appState or globalState.
  
  meta object Required
  
  Additional properties are allowed.
  
  Hide meta attributes Show meta attributes object
  
  alias string | null
  
  controlledBy string
  
  disabled boolean
  
  field string
  
  group string
  
  index string
  
  isMultiIndex boolean
  
  key string
  
  negate boolean
  
  type string
  
  value string
  
  query object
  
  Additional properties are allowed.
  
  query object
  
  Additional properties are NOT allowed.
  
  Hide query attributes Show query attributes object
  
  language string Required
  
  The query language such as KQL or Lucene.
  
  query string | object Required
  
  Any of:
  string-1 string object-2 object
  
  A text-based query such as Kibana Query Language (KQL) or Lucene query language.
  
  sort array[object]
  
  type string
- options object Required
  
  Additional properties are NOT allowed.
  Hide options attributes Show options attributes object
  
  hidePanelTitles boolean
  
  Hide the panel titles in the dashboard.
  
  Default value is false.
  
  syncColors boolean
  
  Synchronize colors between related panels in the dashboard.
  
  Default value is true.
  
  syncCursor boolean
  
  Synchronize cursor position between related panels in the dashboard.
  
  Default value is true.
  
  syncTooltips boolean
  
  Synchronize tooltips between related panels in the dashboard.
  
  Default value is true.
  
  useMargins boolean
  
  Show margins between panels in the dashboard layout.
  
  Default value is true.
- panels array[object]
  
  Default value is [] (empty).
  Hide panels attributes Show panels attributes object
  
  gridData object Required
  
  Additional properties are NOT allowed.
  
  Hide gridData attributes Show gridData attributes object
  
  h number
  
  The height of the panel in grid units
  
  Minimum value is 1. Default value is 15.
  
  i string
  
  The unique identifier of the panel
  
  w number
  
  The width of the panel in grid units
  
  Minimum value is 1, maximum value is 48. Default value is 24.
  
  x number Required
  
  The x coordinate of the panel in grid units
  
  y number Required
  
  The y coordinate of the panel in grid units
  
  id string
  
  The saved object id for by reference panels
  
  panelConfig object Required
  
  Additional properties are allowed.
  
  Hide panelConfig attributes Show panelConfig attributes object
  
  description string
  
  The description of the panel
  
  enhancements object
  
  Additional properties are allowed.
  
  hidePanelTitles boolean
  
  Set to true to hide the panel title in its container.
  
  savedObjectId string
  
  The unique id of the library item to construct the embeddable.
  
  title string
  
  The title of the panel
  
  version string
  
  The version of the embeddable in the panel.
  
  panelIndex string
  
  The unique ID of the panel.
  
  panelRefName string
  
  title string
  
  The title of the panel
  
  type string Required
  
  The embeddable type
  
  version string Deprecated
  
  The version was used to store Kibana version information from versions 7.3.0 -> 8.11.0. As of version 8.11.0, the versioning information is now per-embeddable-type and is stored on the embeddable's input. (panelConfig in this type).
- refreshInterval object
  
  A container for various refresh interval settings
  
  Additional properties are NOT allowed.
  Hide refreshInterval attributes Show refreshInterval attributes object
  
  display string Deprecated
  
  A human-readable string indicating the refresh frequency. No longer used.
  
  pause boolean Required
  
  Whether the refresh interval is set to be paused while viewing the dashboard.
  
  section number Deprecated
  
  No longer used.
  
  value number Required
  
  A numeric value indicating refresh frequency in milliseconds.
- tags array[string]
  
  An array of tags applied to this dashboard
- timeFrom string
  
  An ISO string indicating when to restore time from
- timeRestore boolean
  
  Whether to restore time upon viewing this dashboard
  
  Default value is false.
- timeTo string
  
  An ISO string indicating when to restore time from
- title string Required
  
  A human-readable title for the dashboard
- version number Deprecated
references array[object]
Hide references attributes Show references attributes object
- id string Required
- name string Required
- type string Required

Responses

200 application/json
Hide response attribute Show response attribute object
- item object Required
  
  Additional properties are allowed.
  
  Hide item attributes Show item attributes object
  
  attributes object Required
  
  Additional properties are NOT allowed.
  
  Hide attributes attributes Show attributes attributes object
  
  controlGroupInput object
  
  Additional properties are NOT allowed.
  
  Hide controlGroupInput attributes Show controlGroupInput attributes object
  
  autoApplySelections boolean
  
  Show apply selections button in controls.
  
  Default value is true.
  
  chainingSystem string
  
  The chaining strategy for multiple controls. For example, "HIERARCHICAL" or "NONE".
  
  Values are NONE or HIERARCHICAL. Default value is HIERARCHICAL.
  
  controls array[object]
  
  An array of control panels and their state in the control group.
  
  Default value is [] (empty).
  
  Hide controls attributes Show controls attributes object
  
  controlConfig object
  
  Additional properties are allowed.
  
  grow boolean
  
  Expand width of the control panel to fit available space.
  
  Default value is false.
  
  id string
  
  The unique ID of the control.
  
  order number Required
  
  The order of the control panel in the control group.
  
  type string Required
  
  The type of the control panel.
  
  width string
  
  Minimum width of the control panel in the control group.
  
  Values are small, medium, or large. Default value is medium.
  
  enhancements object
  
  Additional properties are allowed.
  
  ignoreParentSettings object Required
  
  Additional properties are NOT allowed.
  
  Hide ignoreParentSettings attributes Show ignoreParentSettings attributes object
  
  ignoreFilters boolean
  
  Ignore global filters in controls.
  
  Default value is false.
  
  ignoreQuery boolean
  
  Ignore the global query bar in controls.
  
  Default value is false.
  
  ignoreTimerange boolean
  
  Ignore the global time range in controls.
  
  Default value is false.
  
  ignoreValidations boolean
  
  Ignore validations in controls.
  
  Default value is false.
  
  labelPosition string
  
  Position of the labels for controls. For example, "oneLine", "twoLine".
  
  Values are oneLine or twoLine. Default value is oneLine.
  
  description string
  
  A short description.
  
  Default value is empty.
  
  kibanaSavedObjectMeta object
  
  A container for various metadata
  
  Default value is {} (empty). Additional properties are NOT allowed.
  
  Hide kibanaSavedObjectMeta attribute Show kibanaSavedObjectMeta attribute object
  
  searchSource object
  
  Additional properties are allowed.
  
  Hide searchSource attributes Show searchSource attributes object
  
  filter array[object]
  
  A filter for the search source.
  
  Hide filter attributes Show filter attributes object
  
  $state object
  
  Additional properties are NOT allowed.
  
  Hide $state attribute Show $state attribute object
  
  store string Required
  
  Denote whether a filter is specific to an application's context (e.g. 'appState') or whether it should be applied globally (e.g. 'globalState').
  
  Values are appState or globalState.
  
  meta object Required
  
  Additional properties are allowed.
  
  Hide meta attributes Show meta attributes object
  
  alias string | null
  
  controlledBy string
  
  disabled boolean
  
  field string
  
  group string
  
  index string
  
  isMultiIndex boolean
  
  key string
  
  negate boolean
  
  type string
  
  value string
  
  query object
  
  Additional properties are allowed.
  
  query object
  
  Additional properties are NOT allowed.
  
  Hide query attributes Show query attributes object
  
  language string Required
  
  The query language such as KQL or Lucene.
  
  query string | object Required
  
  Any of:
  string-1 string object-2 object
  
  A text-based query such as Kibana Query Language (KQL) or Lucene query language.
  
  sort array[object]
  
  type string
  
  options object Required
  
  Additional properties are NOT allowed.
  
  Hide options attributes Show options attributes object
  
  hidePanelTitles boolean
  
  Hide the panel titles in the dashboard.
  
  Default value is false.
  
  syncColors boolean
  
  Synchronize colors between related panels in the dashboard.
  
  Default value is true.
  
  syncCursor boolean
  
  Synchronize cursor position between related panels in the dashboard.
  
  Default value is true.
  
  syncTooltips boolean
  
  Synchronize tooltips between related panels in the dashboard.
  
  Default value is true.
  
  useMargins boolean
  
  Show margins between panels in the dashboard layout.
  
  Default value is true.
  
  panels array[object]
  
  Default value is [] (empty).
  
  Hide panels attributes Show panels attributes object
  
  gridData object Required
  
  Additional properties are NOT allowed.
  
  Hide gridData attributes Show gridData attributes object
  
  h number
  
  The height of the panel in grid units
  
  Minimum value is 1. Default value is 15.
  
  i string Required
  
  w number
  
  The width of the panel in grid units
  
  Minimum value is 1, maximum value is 48. Default value is 24.
  
  x number Required
  
  The x coordinate of the panel in grid units
  
  y number Required
  
  The y coordinate of the panel in grid units
  
  id string
  
  The saved object id for by reference panels
  
  panelConfig object Required
  
  Additional properties are allowed.
  
  Hide panelConfig attributes Show panelConfig attributes object
  
  description string
  
  The description of the panel
  
  enhancements object
  
  Additional properties are allowed.
  
  hidePanelTitles boolean
  
  Set to true to hide the panel title in its container.
  
  savedObjectId string
  
  The unique id of the library item to construct the embeddable.
  
  title string
  
  The title of the panel
  
  version string
  
  The version of the embeddable in the panel.
  
  panelIndex string Required
  
  panelRefName string
  
  title string
  
  The title of the panel
  
  type string Required
  
  The embeddable type
  
  version string Deprecated
  
  The version was used to store Kibana version information from versions 7.3.0 -> 8.11.0. As of version 8.11.0, the versioning information is now per-embeddable-type and is stored on the embeddable's input. (panelConfig in this type).
  
  refreshInterval object
  
  A container for various refresh interval settings
  
  Additional properties are NOT allowed.
  
  Hide refreshInterval attributes Show refreshInterval attributes object
  
  display string Deprecated
  
  A human-readable string indicating the refresh frequency. No longer used.
  
  pause boolean Required
  
  Whether the refresh interval is set to be paused while viewing the dashboard.
  
  section number Deprecated
  
  No longer used.
  
  value number Required
  
  A numeric value indicating refresh frequency in milliseconds.
  
  tags array[string]
  
  An array of tags applied to this dashboard
  
  timeFrom string
  
  An ISO string indicating when to restore time from
  
  timeRestore boolean
  
  Whether to restore time upon viewing this dashboard
  
  Default value is false.
  
  timeTo string
  
  An ISO string indicating when to restore time from
  
  title string Required
  
  A human-readable title for the dashboard
  
  version number Deprecated
  
  createdAt string
  
  createdBy string
  
  error object
  
  Additional properties are NOT allowed.
  
  Hide error attributes Show error attributes object
  
  error string Required
  
  message string Required
  
  metadata object
  
  Additional properties are allowed.
  
  statusCode number Required
  
  id string Required
  
  managed boolean
  
  namespaces array[string]
  
  originId string
  
  references array[object] Required
  
  Hide references attributes Show references attributes object
  
  id string Required
  
  name string Required
  
  type string Required
  
  type string Required
  
  updatedAt string
  
  updatedBy string
  
  version string

PUT /api/dashboards/dashboard/{id}

curl \
 --request PUT 'https://localhost:5601/api/dashboards/dashboard/{id}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"attributes":{"controlGroupInput":{"autoApplySelections":true,"chainingSystem":"HIERARCHICAL","controls":[{"controlConfig":{},"grow":false,"id":"string","order":42.0,"type":"string","width":"medium"}],"enhancements":{},"ignoreParentSettings":{"ignoreFilters":false,"ignoreQuery":false,"ignoreTimerange":false,"ignoreValidations":false},"labelPosition":"oneLine"},"description":"","kibanaSavedObjectMeta":{"searchSource":{"filter":[{"$state":{"store":"appState"},"meta":{"alias":"string","controlledBy":"string","disabled":true,"field":"string","group":"string","index":"string","isMultiIndex":true,"key":"string","negate":true,"type":"string","value":"string"},"query":{}}],"query":{"language":"string","query":"string"},"sort":[{}],"type":"string"}},"options":{"hidePanelTitles":false,"syncColors":true,"syncCursor":true,"syncTooltips":true,"useMargins":true},"panels":[{"gridData":{"h":15,"i":"string","w":24,"x":42.0,"y":42.0},"id":"string","panelConfig":{"description":"string","enhancements":{},"hidePanelTitles":true,"savedObjectId":"string","title":"string","version":"string"},"panelIndex":"string","panelRefName":"string","title":"string","type":"string","version":"string"}],"refreshInterval":{"display":"string","pause":true,"section":42.0,"value":42.0},"tags":["string"],"timeFrom":"string","timeRestore":false,"timeTo":"string","title":"string","version":42.0},"references":[{"id":"string","name":"string","type":"string"}]}'

Get data streams

GET /api/fleet/data_streams

Api key auth Basic auth

[Required authorization] Route required privileges: fleet-agents-all AND fleet-agent-policies-all AND fleet-settings-all.

Responses

200 application/json
Hide response attribute Show response attribute object
- data_streams array[object] Required
  
  Hide data_streams attributes Show data_streams attributes object
  
  dashboards array[object] Required
  
  Hide dashboards attributes Show dashboards attributes object
  
  id string Required
  
  title string Required
  
  dataset string Required
  
  index string Required
  
  last_activity_ms number Required
  
  namespace string Required
  
  package string Required
  
  package_version string Required
  
  serviceDetails object | null Required
  
  Additional properties are NOT allowed.
  
  Hide serviceDetails attributes Show serviceDetails attributes object | null
  
  environment string Required
  
  serviceName string Required
  
  size_in_bytes number Required
  
  size_in_bytes_formatted number | string Required
  
  Any of:
  number-1 number string-2 string
  
  type string Required
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

GET /api/fleet/data_streams

curl \
 --request GET 'https://localhost:5601/api/fleet/data_streams' \
 --header "Authorization: $API_KEY"

Get a data view

GET /api/data_views/data_view/{viewId}

Api key auth Basic auth

Path parameters

viewId string Required

An identifier for the data view.

Responses

200 application/json

Indicates a successful call.
Hide response attribute Show response attribute object
- data_view object
  
  Hide data_view attributes Show data_view attributes object
  
  allowNoIndex boolean
  
  Allows the data view saved object to exist before the data is available.
  
  fieldAttrs object
  
  Hide fieldAttrs attribute Show fieldAttrs attribute object
  
  * object Additional properties
  
  A map of field attributes by field name.
  
  Hide * attributes Show * attributes object
  
  count integer
  
  Popularity count for the field.
  
  customDescription string
  
  Custom description for the field.
  
  Maximum length is 300.
  
  customLabel string
  
  Custom label for the field.
  
  fieldFormats object
  
  A map of field formats by field name.
  
  fields object
  
  id string
  
  name string
  
  The data view name.
  
  namespaces array[string]
  
  An array of space identifiers for sharing the data view between multiple spaces.
  
  Default value is default.
  
  runtimeFieldMap object
  
  Hide runtimeFieldMap attribute Show runtimeFieldMap attribute object
  
  * object Additional properties
  
  A map of runtime field definitions by field name.
  
  Hide * attributes Show * attributes object
  
  script object Required
  
  Hide script attribute Show script attribute object
  
  source string
  
  Script for the runtime field.
  
  type string Required
  
  Mapping type of the runtime field.
  
  sourceFilters array[object]
  
  The array of field names you want to filter out in Discover.
  
  Hide sourceFilters attribute Show sourceFilters attribute object
  
  value string Required
  
  timeFieldName string
  
  The timestamp field name, which you use for time-based data views.
  
  title string
  
  Comma-separated list of data streams, indices, and aliases that you want to search. Supports wildcards (*).
  
  typeMeta object | null
  
  When you use rollup indices, contains the field list for the rollup data view API endpoints.
  
  Hide typeMeta attributes Show typeMeta attributes object | null
  
  aggs object
  
  A map of rollup restrictions by aggregation type and field name.
  
  params object
  
  Properties for retrieving rollup fields.
  
  version string
404 application/json

Object is not found.
Hide response attributes Show response attributes object
- error string
  
  Value is Not Found.
- message string
- statusCode integer
  
  Value is 404.

GET /api/data_views/data_view/{viewId}

curl \
 --request GET 'https://localhost:5601/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "data_view": {
    "id": "ff959d40-b880-11e8-a6d9-e546fe2bba5f",
    "name": "Kibana Sample Data eCommerce",
    "title": "kibana_sample_data_ecommerce",
    "fields": {
      "_id": {
        "name": "_id",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "_id"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "sku": {
        "name": "sku",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "type": {
        "name": "type",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "user": {
        "name": "user",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "email": {
        "name": "email",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "_index": {
        "name": "_index",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "_index"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "_score": {
        "name": "_score",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "isMapped": true,
        "scripted": false,
        "searchable": false,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "_source": {
        "name": "_source",
        "type": "_source",
        "count": 0,
        "format": {
          "id": "_source"
        },
        "esTypes": [
          "_source"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": false,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "category": {
        "name": "category",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "text"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "currency": {
        "name": "currency",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "order_id": {
        "name": "order_id",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "order_date": {
        "name": "order_date",
        "type": "date",
        "count": 0,
        "format": {
          "id": "date"
        },
        "esTypes": [
          "date"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "customer_id": {
        "name": "customer_id",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "day_of_week": {
        "name": "day_of_week",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "manufacturer": {
        "name": "manufacturer",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "text"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "products._id": {
        "name": "products._id",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "text"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "products.sku": {
        "name": "products.sku",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "day_of_week_i": {
        "name": "day_of_week_i",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "integer"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "event.dataset": {
        "name": "event.dataset",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "customer_phone": {
        "name": "customer_phone",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "geoip.location": {
        "name": "geoip.location",
        "type": "geo_point",
        "count": 0,
        "format": {
          "id": "geo_point",
          "params": {
            "transform": "wkt"
          }
        },
        "esTypes": [
          "geo_point"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.price": {
        "name": "products.price",
        "type": "number",
        "count": 1,
        "format": {
          "id": "number",
          "params": {
            "pattern": "$0,0.00"
          }
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "total_quantity": {
        "name": "total_quantity",
        "type": "number",
        "count": 1,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "integer"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "customer_gender": {
        "name": "customer_gender",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "geoip.city_name": {
        "name": "geoip.city_name",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "category.keyword": {
        "name": "category.keyword",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "subType": {
          "multi": {
            "parent": "category"
          }
        },
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "geoip.region_name": {
        "name": "geoip.region_name",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.category": {
        "name": "products.category",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "text"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "products.quantity": {
        "name": "products.quantity",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "integer"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "customer_full_name": {
        "name": "customer_full_name",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "text"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "customer_last_name": {
        "name": "customer_last_name",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "text"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "products.min_price": {
        "name": "products.min_price",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number",
          "params": {
            "pattern": "$0,0.00"
          }
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "taxful_total_price": {
        "name": "taxful_total_price",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number",
          "params": {
            "pattern": "$0,0.[00]"
          }
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "customer_birth_date": {
        "name": "customer_birth_date",
        "type": "date",
        "count": 0,
        "format": {
          "id": "date"
        },
        "esTypes": [
          "date"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "customer_first_name": {
        "name": "customer_first_name",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "text"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "products.base_price": {
        "name": "products.base_price",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number",
          "params": {
            "pattern": "$0,0.00"
          }
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.created_on": {
        "name": "products.created_on",
        "type": "date",
        "count": 0,
        "format": {
          "id": "date"
        },
        "esTypes": [
          "date"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.product_id": {
        "name": "products.product_id",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "long"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.tax_amount": {
        "name": "products.tax_amount",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "taxless_total_price": {
        "name": "taxless_total_price",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number",
          "params": {
            "pattern": "$0,0.00"
          }
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "geoip.continent_name": {
        "name": "geoip.continent_name",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "manufacturer.keyword": {
        "name": "manufacturer.keyword",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "subType": {
          "multi": {
            "parent": "manufacturer"
          }
        },
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products._id.keyword": {
        "name": "products._id.keyword",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "subType": {
          "multi": {
            "parent": "products._id"
          }
        },
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.manufacturer": {
        "name": "products.manufacturer",
        "type": "string",
        "count": 1,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "text"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "products.product_name": {
        "name": "products.product_name",
        "type": "string",
        "count": 1,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "text"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "products.taxful_price": {
        "name": "products.taxful_price",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number",
          "params": {
            "pattern": "$0,0.00"
          }
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "total_unique_products": {
        "name": "total_unique_products",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "integer"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "geoip.country_iso_code": {
        "name": "geoip.country_iso_code",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.taxless_price": {
        "name": "products.taxless_price",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number",
          "params": {
            "pattern": "$0,0.00"
          }
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.base_unit_price": {
        "name": "products.base_unit_price",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number",
          "params": {
            "pattern": "$0,0.00"
          }
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.discount_amount": {
        "name": "products.discount_amount",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.category.keyword": {
        "name": "products.category.keyword",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "subType": {
          "multi": {
            "parent": "products.category"
          }
        },
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "customer_full_name.keyword": {
        "name": "customer_full_name.keyword",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "subType": {
          "multi": {
            "parent": "customer_full_name"
          }
        },
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "customer_last_name.keyword": {
        "name": "customer_last_name.keyword",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "subType": {
          "multi": {
            "parent": "customer_last_name"
          }
        },
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "customer_first_name.keyword": {
        "name": "customer_first_name.keyword",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "subType": {
          "multi": {
            "parent": "customer_first_name"
          }
        },
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.discount_percentage": {
        "name": "products.discount_percentage",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.manufacturer.keyword": {
        "name": "products.manufacturer.keyword",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "subType": {
          "multi": {
            "parent": "products.manufacturer"
          }
        },
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.product_name.keyword": {
        "name": "products.product_name.keyword",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "subType": {
          "multi": {
            "parent": "products.product_name"
          }
        },
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.unit_discount_amount": {
        "name": "products.unit_discount_amount",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      }
    },
    "version": "WzUsMV0=",
    "typeMeta": {},
    "fieldAttrs": {
      "products.price": {
        "count": 1
      },
      "total_quantity": {
        "count": 1
      },
      "products.manufacturer": {
        "count": 1
      },
      "products.product_name": {
        "count": 1
      }
    },
    "namespaces": [
      "default"
    ],
    "allowNoIndex": false,
    "fieldFormats": {
      "products.price": {
        "id": "number",
        "params": {
          "pattern": "$0,0.00"
        }
      },
      "products.min_price": {
        "id": "number",
        "params": {
          "pattern": "$0,0.00"
        }
      },
      "taxful_total_price": {
        "id": "number",
        "params": {
          "pattern": "$0,0.[00]"
        }
      },
      "products.base_price": {
        "id": "number",
        "params": {
          "pattern": "$0,0.00"
        }
      },
      "taxless_total_price": {
        "id": "number",
        "params": {
          "pattern": "$0,0.00"
        }
      },
      "products.taxful_price": {
        "id": "number",
        "params": {
          "pattern": "$0,0.00"
        }
      },
      "products.taxless_price": {
        "id": "number",
        "params": {
          "pattern": "$0,0.00"
        }
      },
      "products.base_unit_price": {
        "id": "number",
        "params": {
          "pattern": "$0,0.00"
        }
      }
    },
    "sourceFilters": [],
    "timeFieldName": "order_date",
    "runtimeFieldMap": {}
  }
}

Delete a data view

DELETE /api/data_views/data_view/{viewId}

Api key auth Basic auth

WARNING: When you delete a data view, it cannot be recovered.

Headers

kbn-xsrf string Required

Cross-site request forgery protection

Path parameters

viewId string Required

An identifier for the data view.

Responses

204

Indicates a successful call.
404 application/json

Object is not found.
Hide response attributes Show response attributes object
- error string
  
  Value is Not Found.
- message string
- statusCode integer
  
  Value is 404.

DELETE /api/data_views/data_view/{viewId}

curl \
 --request DELETE 'https://localhost:5601/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: string"

Delete a runtime field from a data view

DELETE /api/data_views/data_view/{viewId}/runtime_field/{fieldName}

Api key auth Basic auth

Path parameters

fieldName string Required

The name of the runtime field.
viewId string Required

An identifier for the data view.

Responses

200

Indicates a successful call.
404 application/json

Object is not found.
Hide response attributes Show response attributes object
- error string
  
  Value is Not Found.
- message string
- statusCode integer
  
  Value is 404.

DELETE /api/data_views/data_view/{viewId}/runtime_field/{fieldName}

curl \
 --request DELETE 'https://localhost:5601/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f/runtime_field/hour_of_day' \
 --header "Authorization: $API_KEY"

Get an agent action status

GET /api/fleet/agents/action_status

Api key auth Basic auth

[Required authorization] Route required privileges: fleet-agents-read.

Query parameters

page number

Default value is 0.
perPage number

Default value is 20.
date string
latest number
errorSize number

Default value is 5.

Responses

200 application/json
Hide response attribute Show response attribute object
- items array[object] Required
  
  Hide items attributes Show items attributes object
  
  actionId string Required
  
  cancellationTime string
  
  completionTime string
  
  creationTime string Required
  
  creation time of action
  
  expiration string
  
  hasRolloutPeriod boolean
  
  is_automatic boolean
  
  latestErrors array[object]
  
  latest errors that happened when the agents executed the action
  
  Hide latestErrors attributes Show latestErrors attributes object
  
  agentId string Required
  
  error string Required
  
  hostname string
  
  timestamp string Required
  
  nbAgentsAck number Required
  
  number of agents that acknowledged the action
  
  nbAgentsActionCreated number Required
  
  number of agents included in action from kibana
  
  nbAgentsActioned number Required
  
  number of agents actioned
  
  nbAgentsFailed number Required
  
  number of agents that failed to execute the action
  
  newPolicyId string
  
  new policy id (POLICY_REASSIGN action)
  
  policyId string
  
  policy id (POLICY_CHANGE action)
  
  revision number
  
  new policy revision (POLICY_CHANGE action)
  
  startTime string
  
  start time of action (scheduled actions)
  
  status string Required
  
  Values are COMPLETE, EXPIRED, CANCELLED, FAILED, IN_PROGRESS, or ROLLOUT_PASSED.
  
  type string Required
  
  Values are UPGRADE, UNENROLL, SETTINGS, POLICY_REASSIGN, CANCEL, FORCE_UNENROLL, REQUEST_DIAGNOSTICS, UPDATE_TAGS, POLICY_CHANGE, or INPUT_ACTION.
  
  version string
  
  agent version number (UPGRADE action)
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

GET /api/fleet/agents/action_status

curl \
 --request GET 'https://localhost:5601/api/fleet/agents/action_status' \
 --header "Authorization: $API_KEY"

Bulk get agent policies

POST /api/fleet/agent_policies/_bulk_get

Api key auth Basic auth

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Query parameters

format string

Values are simplified or legacy.

application/json

Body

full boolean

get full policies with package policies populated
ids array[string] Required

list of package policy ids
ignoreMissing boolean

Responses

200 application/json
Hide response attribute Show response attribute object
- items array[object] Required
  
  Hide items attributes Show items attributes object
  
  advanced_settings object
  
  Additional properties are NOT allowed.
  
  Hide advanced_settings attributes Show advanced_settings attributes object
  
  agent_download_target_directory
  
  agent_download_timeout
  
  agent_limits_go_max_procs
  
  agent_logging_files_interval
  
  agent_logging_files_keepfiles
  
  agent_logging_files_rotateeverybytes
  
  agent_logging_level
  
  agent_logging_metrics_period
  
  agent_logging_to_files
  
  agent_features array[object]
  
  Hide agent_features attributes Show agent_features attributes object
  
  enabled boolean Required
  
  name string Required
  
  agentless object
  
  Additional properties are NOT allowed.
  
  Hide agentless attributes Show agentless attributes object
  
  cloud_connectors object
  
  Additional properties are NOT allowed.
  
  Hide cloud_connectors attributes Show cloud_connectors attributes object
  
  enabled boolean Required
  
  target_csp string
  
  resources object
  
  Additional properties are NOT allowed.
  
  Hide resources attribute Show resources attribute object
  
  requests object
  
  Additional properties are NOT allowed.
  
  Hide requests attributes Show requests attributes object
  
  cpu string
  
  memory string
  
  agents number
  
  data_output_id string | null
  
  description string
  
  download_source_id string | null
  
  fleet_server_host_id string | null
  
  global_data_tags array[object]
  
  User defined data tags that are added to all of the inputs. The values can be strings or numbers.
  
  Hide global_data_tags attributes Show global_data_tags attributes object
  
  name string Required
  
  value string | number Required
  
  Any of:
  string-1 string number-2 number
  
  has_fleet_server boolean
  
  id string Required
  
  inactivity_timeout number
  
  Minimum value is 0. Default value is 1209600.
  
  is_default boolean
  
  is_default_fleet_server boolean
  
  is_managed boolean Required
  
  is_preconfigured boolean
  
  is_protected boolean Required
  
  Indicates whether the agent policy has tamper protection enabled. Default false.
  
  keep_monitoring_alive boolean | null
  
  When set to true, monitoring will be enabled but logs/metrics collection will be disabled
  
  Default value is false.
  
  monitoring_diagnostics object
  
  Additional properties are NOT allowed.
  
  Hide monitoring_diagnostics attributes Show monitoring_diagnostics attributes object
  
  limit object
  
  Additional properties are NOT allowed.
  
  Hide limit attributes Show limit attributes object
  
  burst number
  
  interval string
  
  uploader object
  
  Additional properties are NOT allowed.
  
  Hide uploader attributes Show uploader attributes object
  
  init_dur string
  
  max_dur string
  
  max_retries number
  
  monitoring_enabled array[string]
  
  Values are logs, metrics, or traces.
  
  monitoring_http object
  
  Additional properties are NOT allowed.
  
  Hide monitoring_http attributes Show monitoring_http attributes object
  
  buffer object
  
  Additional properties are NOT allowed.
  
  Hide buffer attribute Show buffer attribute object
  
  enabled boolean
  
  Default value is false.
  
  enabled boolean
  
  host string
  
  port number
  
  Minimum value is 0, maximum value is 65353.
  
  monitoring_output_id string | null
  
  monitoring_pprof_enabled boolean
  
  name string Required
  
  Minimum length is 1.
  
  namespace string Required
  
  Minimum length is 1.
  
  overrides object | null
  
  Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure.
  
  Additional properties are allowed.
  
  package_policies array[string] | array[object]
  
  Any of:
  array-1 array[string] array-2 array[object]
  
  This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter
  
  Hide attributes Show attributes object
  
  additional_datastreams_permissions array[string] | null
  
  Additional datastream permissions, that will be added to the agent policy.
  
  agents number
  
  created_at string Required
  
  created_by string Required
  
  description string
  
  Package policy description
  
  elasticsearch object
  
  Additional properties are allowed.
  
  Hide elasticsearch attribute Show elasticsearch attribute object
  
  privileges object
  
  Additional properties are allowed.
  
  Hide privileges attribute Show privileges attribute object
  
  cluster array[string]
  
  enabled boolean Required
  
  id string Required
  
  inputs array[object] | object Required
  
  Any of:
  array-1 array[object] object-2 object
  
  Hide attributes Show attributes object
  
  config object
  
  Package variable (see integration documentation for more information)
  
  Hide config attribute Show config attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  enabled boolean Required
  
  id string
  
  keep_enabled boolean
  
  policy_template string
  
  streams array[object] Required
  
  Hide streams attributes Show streams attributes object
  
  config object
  
  Package variable (see integration documentation for more information)
  
  Hide config attribute Show config attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  data_stream object Required
  
  Additional properties are NOT allowed.
  
  Hide data_stream attributes Show data_stream attributes object
  
  dataset string Required
  
  elasticsearch object
  
  Additional properties are NOT allowed.
  
  Hide elasticsearch attributes Show elasticsearch attributes object
  
  dynamic_dataset boolean
  
  dynamic_namespace boolean
  
  privileges object
  
  Additional properties are NOT allowed.
  
  Hide privileges attribute Show privileges attribute object
  
  indices array[string]
  
  type string Required
  
  enabled boolean Required
  
  id string
  
  keep_enabled boolean
  
  release string
  
  Values are ga, beta, or experimental.
  
  vars object
  
  Package variable (see integration documentation for more information)
  
  Hide vars attribute Show vars attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  type string Required
  
  vars object
  
  Package variable (see integration documentation for more information)
  
  Hide vars attribute Show vars attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  Package policy inputs (see integration documentation to know what inputs are available)
  
  Hide attribute Show attribute
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  enabled boolean
  
  enable or disable that input, (default to true)
  
  streams object
  
  Input streams (see integration documentation to know what streams are available)
  
  Hide streams attribute Show streams attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  enabled boolean
  
  enable or disable that stream, (default to true)
  
  vars object
  
  Input/stream level variable (see integration documentation for more information)
  
  vars object
  
  Input/stream level variable (see integration documentation for more information)
  
  is_managed boolean
  
  name string Required
  
  Package policy name (should be unique)
  
  namespace string
  
  The package policy namespace. Leave blank to inherit the agent policy's namespace.
  
  output_id string | null
  
  overrides object | null
  
  Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
  
  Additional properties are NOT allowed.
  
  Hide overrides attribute Show overrides attribute object | null
  
  inputs object
  
  Additional properties are allowed.
  
  package object
  
  Additional properties are NOT allowed.
  
  Hide package attributes Show package attributes object
  
  experimental_data_stream_features array[object]
  
  Hide experimental_data_stream_features attributes Show experimental_data_stream_features attributes object
  
  data_stream string Required
  
  features object Required
  
  Additional properties are NOT allowed.
  
  Hide features attributes Show features attributes object
  
  doc_value_only_numeric boolean
  
  doc_value_only_other boolean
  
  synthetic_source boolean
  
  tsdb boolean
  
  name string Required
  
  Package name
  
  requires_root boolean
  
  title string
  
  version string Required
  
  Package version
  
  policy_id string | null Deprecated
  
  Agent policy ID where that package policy will be added
  
  policy_ids array[string]
  
  Agent policy IDs where that package policy will be added
  
  revision number Required
  
  secret_references array[object]
  
  Hide secret_references attribute Show secret_references attribute object
  
  id string Required
  
  spaceIds array[string]
  
  supports_agentless boolean | null
  
  Indicates whether the package policy belongs to an agentless agent policy.
  
  Default value is false.
  
  updated_at string Required
  
  updated_by string Required
  
  vars object
  
  Any of:
  object-1 object object-2 object
  
  Package variable (see integration documentation for more information)
  
  Hide attribute Show attribute
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  version string
  
  required_versions array[object] | null
  
  Hide required_versions attributes Show required_versions attributes object
  
  percentage number Required
  
  Target percentage of agents to auto upgrade
  
  Minimum value is 0, maximum value is 100.
  
  version string Required
  
  Target version for automatic agent upgrade
  
  revision number Required
  
  schema_version string
  
  space_ids array[string]
  
  status string Required
  
  Values are active or inactive.
  
  supports_agentless boolean | null
  
  Indicates whether the agent policy supports agentless integrations.
  
  Default value is false.
  
  unenroll_timeout number
  
  Minimum value is 0.
  
  unprivileged_agents number
  
  updated_at string Required
  
  updated_by string Required
  
  version string
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

POST /api/fleet/agent_policies/_bulk_get

curl \
 --request POST 'https://localhost:5601/api/fleet/agent_policies/_bulk_get' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"full":true,"ids":["string"],"ignoreMissing":true}'

Download an agent manifest

GET /api/fleet/kubernetes/download

Api key auth Basic auth

[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-setup.

Query parameters

download boolean
fleetServer string
enrolToken string

Responses

200 application/json
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number
404 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

GET /api/fleet/kubernetes/download

curl \
 --request GET 'https://localhost:5601/api/fleet/kubernetes/download' \
 --header "Authorization: $API_KEY"

Get agents

GET /api/fleet/agents

Api key auth Basic auth

[Required authorization] Route required privileges: fleet-agents-read.

Query parameters

page number
perPage number

Default value is 20.
kuery string
showInactive boolean

Default value is false.
withMetrics boolean

Default value is false.
showUpgradeable boolean

Default value is false.
getStatusSummary boolean

Default value is false.
sortField string
sortOrder string

Values are asc or desc.
searchAfter string
openPit boolean
pitId string
pitKeepAlive string

Responses

200 application/json
Hide response attributes Show response attributes object
- items array[object] Required
  
  Hide items attributes Show items attributes object
  
  access_api_key string
  
  access_api_key_id string
  
  active boolean Required
  
  agent object
  
  Additional properties are allowed.
  
  Hide agent attributes Show agent attributes object
  
  id string Required
  
  version string Required
  
  audit_unenrolled_reason string
  
  components array[object]
  
  Hide components attributes Show components attributes object
  
  id string Required
  
  message string Required
  
  status string Required
  
  Values are STARTING, CONFIGURING, HEALTHY, DEGRADED, FAILED, STOPPING, or STOPPED.
  
  type string Required
  
  units array[object]
  
  Hide units attributes Show units attributes object
  
  id string Required
  
  message string Required
  
  payload object
  
  Additional properties are allowed.
  
  status string Required
  
  Values are STARTING, CONFIGURING, HEALTHY, DEGRADED, FAILED, STOPPING, or STOPPED.
  
  type string Required
  
  Values are input or output.
  
  default_api_key string
  
  default_api_key_history array[object]
  
  Hide default_api_key_history attributes Show default_api_key_history attributes object Deprecated
  
  id string Required
  
  retired_at string Required
  
  default_api_key_id string
  
  enrolled_at string Required
  
  id string Required
  
  last_checkin string
  
  last_checkin_message string
  
  last_checkin_status string
  
  Values are error, online, degraded, updating, or starting.
  
  local_metadata object Required
  
  Additional properties are allowed.
  
  metrics object
  
  Additional properties are NOT allowed.
  
  Hide metrics attributes Show metrics attributes object
  
  cpu_avg number
  
  memory_size_byte_avg number
  
  namespaces array[string]
  
  outputs object
  
  Hide outputs attribute Show outputs attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  api_key_id string
  
  to_retire_api_key_ids array[object]
  
  Hide to_retire_api_key_ids attributes Show to_retire_api_key_ids attributes object
  
  id string Required
  
  retired_at string Required
  
  type string
  
  packages array[string] Required
  
  policy_id string
  
  policy_revision number | null
  
  sort array
  
  status string
  
  Values are offline, error, online, inactive, enrolling, unenrolling, unenrolled, updating, degraded, uninstalled, or orphaned.
  
  tags array[string]
  
  type string Required
  
  Values are PERMANENT, EPHEMERAL, or TEMPORARY.
  
  unenrolled_at string
  
  unenrollment_started_at string
  
  unhealthy_reason array[string] | null
  
  Values are input, output, or other.
  
  upgrade_attempts array[string] | null
  
  upgrade_details object | null
  
  Additional properties are NOT allowed.
  
  Hide upgrade_details attributes Show upgrade_details attributes object | null
  
  action_id string Required
  
  metadata object
  
  Additional properties are NOT allowed.
  
  Hide metadata attributes Show metadata attributes object
  
  download_percent number
  
  download_rate number
  
  error_msg string
  
  failed_state string
  
  Values are UPG_REQUESTED, UPG_SCHEDULED, UPG_DOWNLOADING, UPG_EXTRACTING, UPG_REPLACING, UPG_RESTARTING, UPG_FAILED, UPG_WATCHING, or UPG_ROLLBACK.
  
  retry_error_msg string
  
  retry_until string
  
  scheduled_at string
  
  state string Required
  
  Values are UPG_REQUESTED, UPG_SCHEDULED, UPG_DOWNLOADING, UPG_EXTRACTING, UPG_REPLACING, UPG_RESTARTING, UPG_FAILED, UPG_WATCHING, or UPG_ROLLBACK.
  
  target_version string Required
  
  upgrade_started_at string | null
  
  upgraded_at string | null
  
  user_provided_metadata object
  
  Additional properties are allowed.
- nextSearchAfter string
- page number Required
- perPage number Required
- pit string
- statusSummary object
  
  Hide statusSummary attribute Show statusSummary attribute object
  
  * number Additional properties
- total number Required
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

GET /api/fleet/agents

curl \
 --request GET 'https://localhost:5601/api/fleet/agents' \
 --header "Authorization: $API_KEY"

Get a package file

GET /api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}

Api key auth Basic auth

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.

Path parameters

pkgName string Required
pkgVersion string Required
filePath string Required

Responses

200 application/json
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

GET /api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}

curl \
 --request GET 'https://localhost:5601/api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}' \
 --header "Authorization: $API_KEY"

Install Kibana assets for a package

POST /api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets

Api key auth Basic auth

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

pkgName string Required
pkgVersion string Required

application/json

Body

force boolean
space_ids array[string]

When provided install assets in the specified spaces instead of the current space.

At least 1 element.

Responses

200 application/json
Hide response attribute Show response attribute object
- success boolean Required
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

POST /api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets

curl \
 --request POST 'https://localhost:5601/api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"force":true,"space_ids":["string"]}'

Delete Kibana assets for a package

DELETE /api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets

Api key auth Basic auth

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

pkgName string Required
pkgVersion string Required

Responses

200 application/json
Hide response attribute Show response attribute object
- success boolean Required
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

DELETE /api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets

curl \
 --request DELETE 'https://localhost:5601/api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Get an inputs template

GET /api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs

Api key auth Basic auth

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.

Path parameters

pkgName string Required
pkgVersion string Required

Query parameters

format string

Values are json, yml, or yaml. Default value is json.
prerelease boolean
ignoreUnverified boolean

Responses

200 application/json
Any of:
string-1 string object-2 object
Hide attribute Show attribute

inputs array[object] Required

Hide inputs attributes Show inputs attributes object

id string Required

streams array[object]

Hide streams attributes Show streams attributes object

data_stream object Required

Additional properties are allowed.

Hide data_stream attributes Show data_stream attributes object

dataset string Required

type string

id string Required

type string Required
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

GET /api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs

curl \
 --request GET 'https://localhost:5601/api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs' \
 --header "Authorization: $API_KEY"

Create an enrollment API key

POST /api/fleet/enrollment_api_keys

Api key auth Basic auth

[Required authorization] Route required privileges: fleet-agents-all.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

application/json

Body

expiration string
name string
policy_id string Required

Responses

200 application/json
Hide response attributes Show response attributes object
- action string Required
  
  Value is created.
- item object Required
  
  Additional properties are NOT allowed.
  
  Hide item attributes Show item attributes object
  
  active boolean Required
  
  When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents.
  
  api_key string Required
  
  The enrollment API key (token) used for enrolling Elastic Agents.
  
  api_key_id string Required
  
  The ID of the API key in the Security API.
  
  created_at string Required
  
  hidden boolean
  
  id string Required
  
  name string
  
  The name of the enrollment API key.
  
  policy_id string
  
  The ID of the agent policy the Elastic Agent will be enrolled in.
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

POST /api/fleet/enrollment_api_keys

curl \
 --request POST 'https://localhost:5601/api/fleet/enrollment_api_keys' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"expiration":"string","name":"string","policy_id":"string"}'

Revoke an enrollment API key

DELETE /api/fleet/enrollment_api_keys/{keyId}

Api key auth Basic auth

Revoke an enrollment API key by ID by marking it as inactive.

[Required authorization] Route required privileges: fleet-agents-all.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

keyId string Required

Responses

200 application/json
Hide response attribute Show response attribute object
- action string Required
  
  Value is deleted.
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

DELETE /api/fleet/enrollment_api_keys/{keyId}

curl \
 --request DELETE 'https://localhost:5601/api/fleet/enrollment_api_keys/{keyId}' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Get output

GET /api/fleet/outputs/{outputId}

Api key auth Basic auth

Get output by ID.

[Required authorization] Route required privileges: fleet-settings-read OR fleet-agent-policies-read.

Path parameters

outputId string Required

Responses

200 application/json
Hide response attribute Show response attribute object
- item object Required
  
  Any of:
  object-1 object object-2 object object-3 object object-4 object
  
  Hide attributes Show attributes
  
  allow_edit array[string]
  
  ca_sha256 string | null
  
  ca_trusted_fingerprint string | null
  
  config_yaml string | null
  
  hosts array[string(uri)] Required
  
  At least 1 element.
  
  id string
  
  is_default boolean
  
  Default value is false.
  
  is_default_monitoring boolean
  
  Default value is false.
  
  is_internal boolean
  
  is_preconfigured boolean
  
  name string Required
  
  preset string
  
  Values are balanced, custom, throughput, scale, or latency.
  
  proxy_id string | null
  
  secrets object
  
  Additional properties are allowed.
  
  Hide secrets attribute Show secrets attribute object
  
  ssl object
  
  Additional properties are allowed.
  
  Hide ssl attribute Show ssl attribute object
  
  key object | string
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
  
  shipper object | null
  
  Additional properties are allowed.
  
  Hide shipper attributes Show shipper attributes object | null
  
  compression_level number | null Required
  
  disk_queue_compression_enabled boolean | null Required
  
  disk_queue_enabled boolean | null
  
  Default value is false.
  
  disk_queue_encryption_enabled boolean | null Required
  
  disk_queue_max_size number | null Required
  
  disk_queue_path string | null Required
  
  loadbalance boolean | null Required
  
  max_batch_bytes number | null Required
  
  mem_queue_events number | null Required
  
  queue_flush_timeout number | null Required
  
  ssl object | null
  
  Additional properties are allowed.
  
  Hide ssl attributes Show ssl attributes object | null
  
  certificate string
  
  certificate_authorities array[string]
  
  key string
  
  verification_mode string
  
  Values are full, none, certificate, or strict.
  
  type string Required
  
  Value is elasticsearch.
  
  Hide attributes Show attributes
  
  allow_edit array[string]
  
  ca_sha256 string | null
  
  ca_trusted_fingerprint string | null
  
  config_yaml string | null
  
  hosts array[string(uri)] Required
  
  At least 1 element.
  
  id string
  
  is_default boolean
  
  Default value is false.
  
  is_default_monitoring boolean
  
  Default value is false.
  
  is_internal boolean
  
  is_preconfigured boolean
  
  kibana_api_key string | null
  
  kibana_url string | null
  
  name string Required
  
  preset string
  
  Values are balanced, custom, throughput, scale, or latency.
  
  proxy_id string | null
  
  secrets object
  
  Additional properties are allowed.
  
  Hide secrets attributes Show secrets attributes object
  
  service_token object | string
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
  
  ssl object
  
  Additional properties are allowed.
  
  Hide ssl attribute Show ssl attribute object
  
  key object | string
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
  
  service_token string | null
  
  shipper object | null
  
  Additional properties are allowed.
  
  Hide shipper attributes Show shipper attributes object | null
  
  compression_level number | null Required
  
  disk_queue_compression_enabled boolean | null Required
  
  disk_queue_enabled boolean | null
  
  Default value is false.
  
  disk_queue_encryption_enabled boolean | null Required
  
  disk_queue_max_size number | null Required
  
  disk_queue_path string | null Required
  
  loadbalance boolean | null Required
  
  max_batch_bytes number | null Required
  
  mem_queue_events number | null Required
  
  queue_flush_timeout number | null Required
  
  ssl object | null
  
  Additional properties are allowed.
  
  Hide ssl attributes Show ssl attributes object | null
  
  certificate string
  
  certificate_authorities array[string]
  
  key string
  
  verification_mode string
  
  Values are full, none, certificate, or strict.
  
  sync_integrations boolean
  
  sync_uninstalled_integrations boolean
  
  type string Required
  
  Value is remote_elasticsearch.
  
  Hide attributes Show attributes
  
  allow_edit array[string]
  
  ca_sha256 string | null
  
  ca_trusted_fingerprint string | null
  
  config_yaml string | null
  
  hosts array[string] Required
  
  At least 1 element.
  
  id string
  
  is_default boolean
  
  Default value is false.
  
  is_default_monitoring boolean
  
  Default value is false.
  
  is_internal boolean
  
  is_preconfigured boolean
  
  name string Required
  
  proxy_id string | null
  
  secrets object
  
  Additional properties are allowed.
  
  Hide secrets attribute Show secrets attribute object
  
  ssl object
  
  Additional properties are allowed.
  
  Hide ssl attribute Show ssl attribute object
  
  key object | string
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
  
  shipper object | null
  
  Additional properties are allowed.
  
  Hide shipper attributes Show shipper attributes object | null
  
  compression_level number | null Required
  
  disk_queue_compression_enabled boolean | null Required
  
  disk_queue_enabled boolean | null
  
  Default value is false.
  
  disk_queue_encryption_enabled boolean | null Required
  
  disk_queue_max_size number | null Required
  
  disk_queue_path string | null Required
  
  loadbalance boolean | null Required
  
  max_batch_bytes number | null Required
  
  mem_queue_events number | null Required
  
  queue_flush_timeout number | null Required
  
  ssl object | null
  
  Additional properties are allowed.
  
  Hide ssl attributes Show ssl attributes object | null
  
  certificate string
  
  certificate_authorities array[string]
  
  key string
  
  verification_mode string
  
  Values are full, none, certificate, or strict.
  
  type string Required
  
  Value is logstash.
  
  Hide attributes Show attributes
  
  allow_edit array[string]
  
  auth_type string Required
  
  Values are none, user_pass, ssl, or kerberos.
  
  broker_timeout number
  
  ca_sha256 string | null
  
  ca_trusted_fingerprint string | null
  
  client_id string
  
  compression string
  
  Values are gzip, snappy, lz4, or none.
  
  compression_level array | null | boolean | number | object | string Required
  
  Any of:
  array-1 array | null boolean-2 boolean | null number-3 number | null object-4 object | null string-5 string | null
  
  config_yaml string | null
  
  connection_type array | null | boolean | number | object | string Required
  
  Any of:
  array-1 array | null boolean-2 boolean | null number-3 number | null object-4 object | null string-5 string | null
  
  hash object
  
  Additional properties are allowed.
  
  Hide hash attributes Show hash attributes object
  
  hash string
  
  random boolean
  
  headers array[object]
  
  Hide headers attributes Show headers attributes object
  
  key string Required
  
  value string Required
  
  hosts array[string] Required
  
  At least 1 element.
  
  id string
  
  is_default boolean
  
  Default value is false.
  
  is_default_monitoring boolean
  
  Default value is false.
  
  is_internal boolean
  
  is_preconfigured boolean
  
  key string
  
  name string Required
  
  partition string
  
  Values are random, round_robin, or hash.
  
  password array | null | boolean | number | object | string Required
  
  Any of:
  array-1 array | null boolean-2 boolean | null number-3 number | null object-4 object | null string-5 string | null
  
  proxy_id string | null
  
  random object
  
  Additional properties are allowed.
  
  Hide random attribute Show random attribute object
  
  group_events number
  
  required_acks integer
  
  Values are 1, 0, or -1.
  
  round_robin object
  
  Additional properties are allowed.
  
  Hide round_robin attribute Show round_robin attribute object
  
  group_events number
  
  sasl object | null
  
  Additional properties are allowed.
  
  Hide sasl attribute Show sasl attribute object | null
  
  mechanism string
  
  Values are PLAIN, SCRAM-SHA-256, or SCRAM-SHA-512.
  
  secrets object
  
  Additional properties are allowed.
  
  Hide secrets attributes Show secrets attributes object
  
  password object | string
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
  
  ssl object
  
  Additional properties are allowed.
  
  Hide ssl attribute Show ssl attribute object
  
  key object | string Required
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
  
  shipper object | null
  
  Additional properties are allowed.
  
  Hide shipper attributes Show shipper attributes object | null
  
  compression_level number | null Required
  
  disk_queue_compression_enabled boolean | null Required
  
  disk_queue_enabled boolean | null
  
  Default value is false.
  
  disk_queue_encryption_enabled boolean | null Required
  
  disk_queue_max_size number | null Required
  
  disk_queue_path string | null Required
  
  loadbalance boolean | null Required
  
  max_batch_bytes number | null Required
  
  mem_queue_events number | null Required
  
  queue_flush_timeout number | null Required
  
  ssl object | null
  
  Additional properties are allowed.
  
  Hide ssl attributes Show ssl attributes object | null
  
  certificate string
  
  certificate_authorities array[string]
  
  key string
  
  verification_mode string
  
  Values are full, none, certificate, or strict.
  
  timeout number
  
  topic string
  
  type string Required
  
  Value is kafka.
  
  username array | null | boolean | number | object | string Required
  
  Any of:
  array-1 array | null boolean-2 boolean | null number-3 number | null object-4 object | null string-5 string | null
  
  version string
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

GET /api/fleet/outputs/{outputId}

curl \
 --request GET 'https://localhost:5601/api/fleet/outputs/{outputId}' \
 --header "Authorization: $API_KEY"

Update a package policy

PUT /api/fleet/package_policies/{packagePolicyId}

Api key auth Basic auth

Update a package policy by ID.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

packagePolicyId string Required

Query parameters

format string

Values are simplified or legacy.

application/json

Body object

additional_datastreams_permissions array[string] | null

Additional datastream permissions, that will be added to the agent policy.
description string

Package policy description
enabled boolean
force boolean
inputs array[object]
Hide inputs attributes Show inputs attributes object
- config object
  
  Package variable (see integration documentation for more information)
  Hide config attribute Show config attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
- enabled boolean Required
- id string
- keep_enabled boolean
- policy_template string
- streams array[object]
  Hide streams attributes Show streams attributes object
  
  config object
  
  Package variable (see integration documentation for more information)
  
  Hide config attribute Show config attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  data_stream object Required
  
  Additional properties are NOT allowed.
  
  Hide data_stream attributes Show data_stream attributes object
  
  dataset string Required
  
  elasticsearch object
  
  Additional properties are NOT allowed.
  
  Hide elasticsearch attributes Show elasticsearch attributes object
  
  dynamic_dataset boolean
  
  dynamic_namespace boolean
  
  privileges object
  
  Additional properties are NOT allowed.
  
  Hide privileges attribute Show privileges attribute object
  
  indices array[string]
  
  type string Required
  
  enabled boolean Required
  
  id string
  
  keep_enabled boolean
  
  release string
  
  Values are ga, beta, or experimental.
  
  vars object
  
  Package variable (see integration documentation for more information)
  
  Hide vars attribute Show vars attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
- type string Required
- vars object
  
  Package variable (see integration documentation for more information)
  Hide vars attribute Show vars attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
is_managed boolean
name string
namespace string

The package policy namespace. Leave blank to inherit the agent policy's namespace.
output_id string | null
overrides object | null

Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.

Additional properties are NOT allowed.
Hide overrides attribute Show overrides attribute object | null
- inputs object
  
  Additional properties are allowed.
package object

Additional properties are NOT allowed.
Hide package attributes Show package attributes object
- experimental_data_stream_features array[object]
  Hide experimental_data_stream_features attributes Show experimental_data_stream_features attributes object
  
  data_stream string Required
  
  features object Required
  
  Additional properties are NOT allowed.
  
  Hide features attributes Show features attributes object
  
  doc_value_only_numeric boolean
  
  doc_value_only_other boolean
  
  synthetic_source boolean
  
  tsdb boolean
- name string Required
  
  Package name
- requires_root boolean
- title string
- version string Required
  
  Package version
policy_id string | null Deprecated

Agent policy ID where that package policy will be added
policy_ids array[string]

Agent policy IDs where that package policy will be added
spaceIds array[string]
supports_agentless boolean | null

Indicates whether the package policy belongs to an agentless agent policy.

Default value is false.
vars object

Package variable (see integration documentation for more information)
Hide vars attribute Show vars attribute object
- * object Additional properties
  
  Additional properties are NOT allowed.
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
version string

additional_datastreams_permissions array[string] | null

Additional datastream permissions, that will be added to the agent policy.
description string
force boolean
id string
inputs object

Package policy inputs (see integration documentation to know what inputs are available)
Hide inputs attribute Show inputs attribute object
- * object Additional properties
  
  Additional properties are NOT allowed.
  Hide * attributes Show * attributes object
  
  enabled boolean
  
  enable or disable that input, (default to true)
  
  streams object
  
  Input streams (see integration documentation to know what streams are available)
  
  Hide streams attribute Show streams attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  enabled boolean
  
  enable or disable that stream, (default to true)
  
  vars object
  
  Input/stream level variable (see integration documentation for more information)
  
  vars object
  
  Input/stream level variable (see integration documentation for more information)
name string Required
namespace string
output_id string | null
package object Required

Additional properties are NOT allowed.
Hide package attributes Show package attributes object
- experimental_data_stream_features array[object]
  Hide experimental_data_stream_features attributes Show experimental_data_stream_features attributes object
  
  data_stream string Required
  
  features object Required
  
  Additional properties are NOT allowed.
  
  Hide features attributes Show features attributes object
  
  doc_value_only_numeric boolean
  
  doc_value_only_other boolean
  
  synthetic_source boolean
  
  tsdb boolean
- name string Required
  
  Package name
- requires_root boolean
- title string
- version string Required
  
  Package version
policy_id string | null
policy_ids array[string]
supports_agentless boolean | null

Indicates whether the package policy belongs to an agentless agent policy.

Default value is false.
vars object

Input/stream level variable (see integration documentation for more information)

Responses

200 application/json
Hide response attribute Show response attribute object
- item object Required
  
  Additional properties are NOT allowed.
  
  Hide item attributes Show item attributes object
  
  additional_datastreams_permissions array[string] | null
  
  Additional datastream permissions, that will be added to the agent policy.
  
  agents number
  
  created_at string Required
  
  created_by string Required
  
  description string
  
  Package policy description
  
  elasticsearch object
  
  Additional properties are allowed.
  
  Hide elasticsearch attribute Show elasticsearch attribute object
  
  privileges object
  
  Additional properties are allowed.
  
  Hide privileges attribute Show privileges attribute object
  
  cluster array[string]
  
  enabled boolean Required
  
  id string Required
  
  inputs array[object] | object Required
  
  Any of:
  array-1 array[object] object-2 object
  
  Hide attributes Show attributes object
  
  config object
  
  Package variable (see integration documentation for more information)
  
  Hide config attribute Show config attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  enabled boolean Required
  
  id string
  
  keep_enabled boolean
  
  policy_template string
  
  streams array[object] Required
  
  Hide streams attributes Show streams attributes object
  
  config object
  
  Package variable (see integration documentation for more information)
  
  Hide config attribute Show config attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  data_stream object Required
  
  Additional properties are NOT allowed.
  
  Hide data_stream attributes Show data_stream attributes object
  
  dataset string Required
  
  elasticsearch object
  
  Additional properties are NOT allowed.
  
  Hide elasticsearch attributes Show elasticsearch attributes object
  
  dynamic_dataset boolean
  
  dynamic_namespace boolean
  
  privileges object
  
  Additional properties are NOT allowed.
  
  Hide privileges attribute Show privileges attribute object
  
  indices array[string]
  
  type string Required
  
  enabled boolean Required
  
  id string
  
  keep_enabled boolean
  
  release string
  
  Values are ga, beta, or experimental.
  
  vars object
  
  Package variable (see integration documentation for more information)
  
  Hide vars attribute Show vars attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  type string Required
  
  vars object
  
  Package variable (see integration documentation for more information)
  
  Hide vars attribute Show vars attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  Package policy inputs (see integration documentation to know what inputs are available)
  
  Hide attribute Show attribute
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  enabled boolean
  
  enable or disable that input, (default to true)
  
  streams object
  
  Input streams (see integration documentation to know what streams are available)
  
  Hide streams attribute Show streams attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  enabled boolean
  
  enable or disable that stream, (default to true)
  
  vars object
  
  Input/stream level variable (see integration documentation for more information)
  
  vars object
  
  Input/stream level variable (see integration documentation for more information)
  
  is_managed boolean
  
  name string Required
  
  Package policy name (should be unique)
  
  namespace string
  
  The package policy namespace. Leave blank to inherit the agent policy's namespace.
  
  output_id string | null
  
  overrides object | null
  
  Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
  
  Additional properties are NOT allowed.
  
  Hide overrides attribute Show overrides attribute object | null
  
  inputs object
  
  Additional properties are allowed.
  
  package object
  
  Additional properties are NOT allowed.
  
  Hide package attributes Show package attributes object
  
  experimental_data_stream_features array[object]
  
  Hide experimental_data_stream_features attributes Show experimental_data_stream_features attributes object
  
  data_stream string Required
  
  features object Required
  
  Additional properties are NOT allowed.
  
  Hide features attributes Show features attributes object
  
  doc_value_only_numeric boolean
  
  doc_value_only_other boolean
  
  synthetic_source boolean
  
  tsdb boolean
  
  name string Required
  
  Package name
  
  requires_root boolean
  
  title string
  
  version string Required
  
  Package version
  
  policy_id string | null Deprecated
  
  Agent policy ID where that package policy will be added
  
  policy_ids array[string]
  
  Agent policy IDs where that package policy will be added
  
  revision number Required
  
  secret_references array[object]
  
  Hide secret_references attribute Show secret_references attribute object
  
  id string Required
  
  spaceIds array[string]
  
  supports_agentless boolean | null
  
  Indicates whether the package policy belongs to an agentless agent policy.
  
  Default value is false.
  
  updated_at string Required
  
  updated_by string Required
  
  vars object
  
  Any of:
  object-1 object object-2 object
  
  Package variable (see integration documentation for more information)
  
  Hide attribute Show attribute
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  version string
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number
403 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

PUT /api/fleet/package_policies/{packagePolicyId}

curl \
 --request PUT 'https://localhost:5601/api/fleet/package_policies/{packagePolicyId}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"additional_datastreams_permissions":["string"],"description":"string","enabled":true,"force":true,"inputs":[{"config":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}},"enabled":true,"id":"string","keep_enabled":true,"policy_template":"string","streams":[{"config":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}},"data_stream":{"dataset":"string","elasticsearch":{"dynamic_dataset":true,"dynamic_namespace":true,"privileges":{"indices":["string"]}},"type":"string"},"enabled":true,"id":"string","keep_enabled":true,"release":"ga","vars":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}}}],"type":"string","vars":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}}}],"is_managed":true,"name":"string","namespace":"string","output_id":"string","overrides":{"inputs":{}},"package":{"experimental_data_stream_features":[{"data_stream":"string","features":{"doc_value_only_numeric":true,"doc_value_only_other":true,"synthetic_source":true,"tsdb":true}}],"name":"string","requires_root":true,"title":"string","version":"string"},"policy_id":"string","policy_ids":["string"],"spaceIds":["string"],"supports_agentless":false,"vars":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}},"version":"string"}'

Upgrade a package policy

POST /api/fleet/package_policies/upgrade

Api key auth Basic auth

Upgrade a package policy to a newer package version.

[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

application/json

Body

packagePolicyIds array[string] Required

Responses

200 application/json
Hide response attributes Show response attributes object
- body object
  
  Additional properties are NOT allowed.
  
  Hide body attribute Show body attribute object
  
  message string Required
- id string Required
- name string
- statusCode number
- success boolean Required
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

POST /api/fleet/package_policies/upgrade

curl \
 --request POST 'https://localhost:5601/api/fleet/package_policies/upgrade' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"packagePolicyIds":["string"]}'

Get a decrypted uninstall token

GET /api/fleet/uninstall_tokens/{uninstallTokenId}

Api key auth Basic auth

Get one decrypted uninstall token by its ID.

[Required authorization] Route required privileges: fleet-agents-all.

Path parameters

uninstallTokenId string Required

Responses

200 application/json
Hide response attribute Show response attribute object
- item object Required
  
  Additional properties are NOT allowed.
  
  Hide item attributes Show item attributes object
  
  created_at string Required
  
  id string Required
  
  namespaces array[string]
  
  policy_id string Required
  
  policy_name string | null
  
  token string Required
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

GET /api/fleet/uninstall_tokens/{uninstallTokenId}

curl \
 --request GET 'https://localhost:5601/api/fleet/uninstall_tokens/{uninstallTokenId}' \
 --header "Authorization: $API_KEY"

Saved objects

Export sets of saved objects that you want to import into Kibana, resolve import errors, and rotate an encryption key for encrypted saved objects with the saved objects APIs.

To manage a specific type of saved object, use the corresponding APIs. For example, use:

Warning: Do not write documents directly to the .kibana index. When you write directly to the .kibana index, the data becomes corrupted and permanently breaks future Kibana versions

Export saved objects

POST /api/saved_objects/_export

Api key auth Basic auth

Retrieve sets of saved objects that you want to import into Kibana. You must include type or objects in the request body.

Exported saved objects are not backwards compatible and cannot be imported into an older version of Kibana.

NOTE: The savedObjects.maxImportExportSize configuration setting limits the number of saved objects which may be exported.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

application/json

Body

excludeExportDetails boolean

Do not add export details entry at the end of the stream.

Default value is false.
hasReference object | array[object]
Any of:
object-1 object array-2 array[object]
Hide attributes Show attributes

id string Required

type string Required
Hide attributes Show attributes object

id string Required

type string Required
includeReferencesDeep boolean

Includes all of the referenced objects in the exported objects.

Default value is false.
objects array[object]

A list of objects to export. NOTE: this optiona cannot be combined with types option

Not more than 10000 elements.
Hide objects attributes Show objects attributes object
- id string Required
- type string Required
search string

Search for documents to export using the Elasticsearch Simple Query String syntax.
type string | array[string]

The saved object types to include in the export. Use * to export all the types.

Any of:
string-1 string array-2 array[string]

Responses

200 application/x-ndjson

Indicates a successfull call.
400 application/json

Bad request.
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
  
  Value is 400.

POST /api/saved_objects/_export

curl \
 --request POST 'https://localhost:5601/api/saved_objects/_export' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"objects":[{"id":"de71f4f0-1902-11e9-919b-ffe5949a18d2","type":"map"}],"excludeExportDetails":true,"includeReferencesDeep":false}'

Request example

{
  "objects": [
    {
      "id": "de71f4f0-1902-11e9-919b-ffe5949a18d2",
      "type": "map"
    }
  ],
  "excludeExportDetails": true,
  "includeReferencesDeep": false
}

Response examples (200)

{
  "id": "de71f4f0-1902-11e9-919b-ffe5949a18d2",
  "type": "map",
  "managed": false,
  "version": "WzEzLDFd",
  "attributes": {
    "title": "[Logs] Total Requests and Bytes",
    "description": "",
    "uiStateJSON": "{\"isDarkMode\":false}",
    "mapStateJSON": "{\"zoom\":3.64,\"center\":{\"lon\":-88.92107,\"lat\":42.16337},\"timeFilters\":{\"from\":\"now-7d\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":true,\"interval\":0},\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"settings\":{\"autoFitToDataBounds\":false}}",
    "layerListJSON": "[{\"id\":\"0hmz5\",\"alpha\":1,\"sourceDescriptor\":{\"type\":\"EMS_TMS\",\"isAutoSelect\":true,\"lightModeDefault\":\"road_map_desaturated\"},\"visible\":true,\"style\":{},\"type\":\"EMS_VECTOR_TILE\",\"minZoom\":0,\"maxZoom\":24},{\"id\":\"edh66\",\"label\":\"Total Requests by Destination\",\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.5,\"sourceDescriptor\":{\"type\":\"EMS_FILE\",\"id\":\"world_countries\",\"tooltipProperties\":[\"name\",\"iso2\"]},\"visible\":true,\"style\":{\"type\":\"VECTOR\",\"properties\":{\"fillColor\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"name\":\"__kbnjoin__count__673ff994-fc75-4c67-909b-69fcb0e1060e\",\"origin\":\"join\"},\"color\":\"Greys\",\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3}}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":1}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":10}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}}}},\"type\":\"GEOJSON_VECTOR\",\"joins\":[{\"leftField\":\"iso2\",\"right\":{\"type\":\"ES_TERM_SOURCE\",\"id\":\"673ff994-fc75-4c67-909b-69fcb0e1060e\",\"indexPatternTitle\":\"kibana_sample_data_logs\",\"term\":\"geo.dest\",\"indexPatternRefName\":\"layer_1_join_0_index_pattern\",\"metrics\":[{\"type\":\"count\",\"label\":\"web logs count\"}],\"applyGlobalQuery\":true}}]},{\"id\":\"gaxya\",\"label\":\"Actual Requests\",\"minZoom\":9,\"maxZoom\":24,\"alpha\":1,\"sourceDescriptor\":{\"id\":\"b7486535-171b-4d3b-bb2e-33c1a0a2854c\",\"type\":\"ES_SEARCH\",\"geoField\":\"geo.coordinates\",\"limit\":2048,\"filterByMapBounds\":true,\"tooltipProperties\":[\"clientip\",\"timestamp\",\"host\",\"request\",\"response\",\"machine.os\",\"agent\",\"bytes\"],\"indexPatternRefName\":\"layer_2_source_index_pattern\",\"applyGlobalQuery\":true,\"scalingType\":\"LIMIT\"},\"visible\":true,\"style\":{\"type\":\"VECTOR\",\"properties\":{\"fillColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#2200ff\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":2}},\"iconSize\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"name\":\"bytes\",\"origin\":\"source\"},\"minSize\":1,\"maxSize\":23,\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3}}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}}}},\"type\":\"GEOJSON_VECTOR\"},{\"id\":\"tfi3f\",\"label\":\"Total Requests and Bytes\",\"minZoom\":0,\"maxZoom\":9,\"alpha\":1,\"sourceDescriptor\":{\"type\":\"ES_GEO_GRID\",\"resolution\":\"COARSE\",\"id\":\"8aaa65b5-a4e9-448b-9560-c98cb1c5ac5b\",\"geoField\":\"geo.coordinates\",\"requestType\":\"point\",\"metrics\":[{\"type\":\"count\",\"label\":\"web logs count\"},{\"type\":\"sum\",\"field\":\"bytes\"}],\"indexPatternRefName\":\"layer_3_source_index_pattern\",\"applyGlobalQuery\":true},\"visible\":true,\"style\":{\"type\":\"VECTOR\",\"properties\":{\"fillColor\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"},\"color\":\"Blues\",\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3}}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#cccccc\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":1}},\"iconSize\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"name\":\"sum_of_bytes\",\"origin\":\"source\"},\"minSize\":7,\"maxSize\":25,\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3}}},\"labelText\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"},\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3}}},\"labelSize\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"},\"minSize\":12,\"maxSize\":24,\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3}}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}}}},\"type\":\"GEOJSON_VECTOR\"}]"
  },
  "created_at": "2023-08-23T20:03:32.204Z",
  "references": [
    {
      "id": "90943e30-9a47-11e8-b64d-95841ca0b247",
      "name": "layer_1_join_0_index_pattern",
      "type": "index-pattern"
    },
    {
      "id": "90943e30-9a47-11e8-b64d-95841ca0b247",
      "name": "layer_2_source_index_pattern",
      "type": "index-pattern"
    },
    {
      "id": "90943e30-9a47-11e8-b64d-95841ca0b247",
      "name": "layer_3_source_index_pattern",
      "type": "index-pattern"
    }
  ],
  "updated_at": "2023-08-23T20:03:32.204Z",
  "coreMigrationVersion": "8.8.0",
  "typeMigrationVersion": "8.4.0"
}

Update a saved object Deprecated

PUT /api/saved_objects/{type}/{id}

Api key auth Basic auth

Update the attributes for Kibana saved objects.

Headers

kbn-xsrf string Required

Cross-site request forgery protection

Path parameters

id string Required

An identifier for the saved object.
type string Required

Valid options include visualization, dashboard, search, index-pattern, config.

application/json

Body Required

object

Responses

200 application/json

Indicates a successful call.
404 application/json

Indicates the object was not found.
409 application/json

Indicates a conflict error.

PUT /api/saved_objects/{type}/{id}

curl \
 --request PUT 'https://localhost:5601/api/saved_objects/{type}/{id}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string"

Apply a bulk action to anonymization fields

POST /api/security_ai_assistant/anonymization_fields/_bulk_action

Api key auth Basic auth

Apply a bulk action to multiple anonymization fields. The bulk action is applied to all anonymization fields that match the filter or to the list of anonymization fields by their IDs.

application/json

Body

create array[object]
Hide create attributes Show create attributes object
- allowed boolean
- anonymized boolean
- field string Required
delete object
Hide delete attributes Show delete attributes object
- ids array[string]
  
  Array of anonymization fields IDs
  
  At least 1 element.
- query string
  
  Query to filter anonymization fields
update array[object]
Hide update attributes Show update attributes object
- allowed boolean
- anonymized boolean
- id string Required

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- anonymization_fields_count integer
- attributes object Required
  
  Hide attributes attributes Show attributes attributes object
  
  errors array[object]
  
  Hide errors attributes Show errors attributes object
  
  anonymization_fields array[object] Required
  
  Hide anonymization_fields attributes Show anonymization_fields attributes object
  
  id string Required
  
  name string
  
  err_code string
  
  message string Required
  
  status_code integer Required
  
  results object Required
  
  Hide results attributes Show results attributes object
  
  created array[object] Required
  
  Hide created attributes Show created attributes object
  
  allowed boolean
  
  anonymized boolean
  
  createdAt string
  
  createdBy string
  
  field string Required
  
  id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  namespace string
  
  Kibana space
  
  timestamp string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  updatedAt string
  
  updatedBy string
  
  deleted array[string] Required
  
  skipped array[object] Required
  
  Hide skipped attributes Show skipped attributes object
  
  id string Required
  
  name string
  
  skip_reason string Required
  
  Value is ANONYMIZATION_FIELD_NOT_MODIFIED.
  
  updated array[object] Required
  
  Hide updated attributes Show updated attributes object
  
  allowed boolean
  
  anonymized boolean
  
  createdAt string
  
  createdBy string
  
  field string Required
  
  id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  namespace string
  
  Kibana space
  
  timestamp string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  updatedAt string
  
  updatedBy string
  
  summary object Required
  
  Hide summary attributes Show summary attributes object
  
  failed integer Required
  
  skipped integer Required
  
  succeeded integer Required
  
  total integer Required
- message string
- status_code integer
- success boolean
400 application/json

Generic Error
Hide response attributes Show response attributes object
- error string
- message string
- statusCode number

POST /api/security_ai_assistant/anonymization_fields/_bulk_action

curl \
 --request POST 'https://localhost:5601/api/security_ai_assistant/anonymization_fields/_bulk_action' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"create":[{"allowed":true,"anonymized":true,"field":"string"}],"delete":{"ids":["string"],"query":"string"},"update":[{"allowed":true,"anonymized":true,"id":"string"}]}'

Create a model response

POST /api/security_ai_assistant/chat/complete

Api key auth Basic auth

Create a model response for the given chat conversation.

Query parameters

content_references_disabled boolean

If true, the response will not include content references.

Default value is false.

application/json

Body Required

connectorId string Required
conversationId string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.
isStream boolean
langSmithApiKey string
langSmithProject string
messages array[object] Required

AI assistant message.
Hide messages attributes Show messages attributes object
- content string
  
  Message content.
- data object
  
  ECS object to attach to the context of the message.
  
  Additional properties are allowed.
- fields_to_anonymize array[string]
- role string Required
  
  Message role.
  
  Values are system, user, or assistant.
model string
persist boolean Required
promptId string
responseLanguage string

Responses

200 application/octet-stream

Indicates a successful call.
400 application/json

Generic Error
Hide response attributes Show response attributes object
- error string
- message string
- statusCode number

POST /api/security_ai_assistant/chat/complete

curl \
 --request POST 'https://localhost:5601/api/security_ai_assistant/chat/complete' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"connectorId":"string","conversationId":"string","isStream":true,"langSmithApiKey":"string","langSmithProject":"string","messages":[{"content":"string","data":{},"fields_to_anonymize":["string"],"role":"system"}],"model":"string","persist":true,"promptId":"string","responseLanguage":"string"}'

Get conversations

GET /api/security_ai_assistant/current_user/conversations/_find

Api key auth Basic auth

Get a list of all conversations for the current user.

Query parameters

fields array[string]
filter string

Search query
sort_field string

Field to sort by

Values are created_at, title, or updated_at.
sort_order string

Sort order

Values are asc or desc.
page integer

Page number

Minimum value is 1. Default value is 1.
per_page integer

Conversations per page

Minimum value is 0. Default value is 20.

Responses

200 application/json

Successful response
Hide response attributes Show response attributes object
- data array[object] Required
  
  Hide data attributes Show data attributes object
  
  apiConfig object
  
  LLM API configuration.
  
  Hide apiConfig attributes Show apiConfig attributes object
  
  actionTypeId string Required
  
  action type id
  
  connectorId string Required
  
  connector id
  
  defaultSystemPromptId string
  
  defaultSystemPromptId
  
  model string
  
  model
  
  provider string
  
  Provider
  
  Values are OpenAI, Azure OpenAI, or Other.
  
  category string Required
  
  The conversation category.
  
  Values are assistant or insights.
  
  createdAt string Required
  
  The time conversation was created.
  
  excludeFromLastConversationStorage boolean
  
  excludeFromLastConversationStorage.
  
  id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  messages array[object]
  
  The conversation messages.
  
  AI assistant conversation message.
  
  Hide messages attributes Show messages attributes object
  
  content string Required
  
  Message content.
  
  isError boolean
  
  Is error message.
  
  metadata object
  
  metadata
  
  Hide metadata attribute Show metadata attribute object
  
  contentReferences object
  
  Data refered to by the message content.
  
  reader object
  
  Message content.
  
  Additional properties are allowed.
  
  role string Required
  
  Message role.
  
  Values are system, user, or assistant.
  
  timestamp string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  traceData object
  
  trace Data
  
  Hide traceData attributes Show traceData attributes object
  
  traceId string
  
  Could be any string, not necessarily a UUID
  
  transactionId string
  
  Could be any string, not necessarily a UUID
  
  namespace string Required
  
  Kibana space
  
  replacements object
  
  Replacements object used to anonymize/deanomymize messsages
  
  Hide replacements attribute Show replacements attribute object
  
  * string Additional properties
  
  summary object
  
  Hide summary attributes Show summary attributes object
  
  confidence string
  
  How confident you are about this being a correct and useful learning.
  
  Values are low, medium, or high.
  
  content string
  
  Summary text of the conversation over time.
  
  public boolean
  
  Define if summary is marked as publicly available.
  
  timestamp string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  timestamp string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  title string Required
  
  The conversation title.
  
  updatedAt string
  
  The last time conversation was updated.
  
  users array[object] Required
  
  Could be any string, not necessarily a UUID
  
  Hide users attributes Show users attributes object
  
  id string
  
  User id
  
  name string
  
  User name
- page integer Required
- perPage integer Required
- total integer Required
400 application/json

Generic Error
Hide response attributes Show response attributes object
- error string
- message string
- statusCode number

GET /api/security_ai_assistant/current_user/conversations/_find

curl \
 --request GET 'https://localhost:5601/api/security_ai_assistant/current_user/conversations/_find' \
 --header "Authorization: $API_KEY"

Update a conversation

PUT /api/security_ai_assistant/current_user/conversations/{id}

Api key auth Basic auth

Update an existing conversation using the conversation ID.

Path parameters

id string(nonempty) Required

The conversation's id value.

Minimum length is 1.

application/json

Body Required

apiConfig object

LLM API configuration.
Hide apiConfig attributes Show apiConfig attributes object
- actionTypeId string Required
  
  action type id
- connectorId string Required
  
  connector id
- defaultSystemPromptId string
  
  defaultSystemPromptId
- model string
  
  model
- provider string
  
  Provider
  
  Values are OpenAI, Azure OpenAI, or Other.
category string

The conversation category.

Values are assistant or insights.
excludeFromLastConversationStorage boolean

excludeFromLastConversationStorage.
id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.
messages array[object]

The conversation messages.

AI assistant conversation message.
Hide messages attributes Show messages attributes object
- content string Required
  
  Message content.
- isError boolean
  
  Is error message.
- metadata object
  
  metadata
  Hide metadata attribute Show metadata attribute object
  
  contentReferences object
  
  Data refered to by the message content.
- reader object
  
  Message content.
  
  Additional properties are allowed.
- role string Required
  
  Message role.
  
  Values are system, user, or assistant.
- timestamp string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- traceData object
  
  trace Data
  Hide traceData attributes Show traceData attributes object
  
  traceId string
  
  Could be any string, not necessarily a UUID
  
  transactionId string
  
  Could be any string, not necessarily a UUID
replacements object

Replacements object used to anonymize/deanomymize messsages
Hide replacements attribute Show replacements attribute object
- * string Additional properties
summary object
Hide summary attributes Show summary attributes object
- confidence string
  
  How confident you are about this being a correct and useful learning.
  
  Values are low, medium, or high.
- content string
  
  Summary text of the conversation over time.
- public boolean
  
  Define if summary is marked as publicly available.
- timestamp string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
title string

The conversation title.

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- apiConfig object
  
  LLM API configuration.
  
  Hide apiConfig attributes Show apiConfig attributes object
  
  actionTypeId string Required
  
  action type id
  
  connectorId string Required
  
  connector id
  
  defaultSystemPromptId string
  
  defaultSystemPromptId
  
  model string
  
  model
  
  provider string
  
  Provider
  
  Values are OpenAI, Azure OpenAI, or Other.
- category string Required
  
  The conversation category.
  
  Values are assistant or insights.
- createdAt string Required
  
  The time conversation was created.
- excludeFromLastConversationStorage boolean
  
  excludeFromLastConversationStorage.
- id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- messages array[object]
  
  The conversation messages.
  
  AI assistant conversation message.
  
  Hide messages attributes Show messages attributes object
  
  content string Required
  
  Message content.
  
  isError boolean
  
  Is error message.
  
  metadata object
  
  metadata
  
  Hide metadata attribute Show metadata attribute object
  
  contentReferences object
  
  Data refered to by the message content.
  
  reader object
  
  Message content.
  
  Additional properties are allowed.
  
  role string Required
  
  Message role.
  
  Values are system, user, or assistant.
  
  timestamp string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  traceData object
  
  trace Data
  
  Hide traceData attributes Show traceData attributes object
  
  traceId string
  
  Could be any string, not necessarily a UUID
  
  transactionId string
  
  Could be any string, not necessarily a UUID
- namespace string Required
  
  Kibana space
- replacements object
  
  Replacements object used to anonymize/deanomymize messsages
  
  Hide replacements attribute Show replacements attribute object
  
  * string Additional properties
- summary object
  
  Hide summary attributes Show summary attributes object
  
  confidence string
  
  How confident you are about this being a correct and useful learning.
  
  Values are low, medium, or high.
  
  content string
  
  Summary text of the conversation over time.
  
  public boolean
  
  Define if summary is marked as publicly available.
  
  timestamp string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- timestamp string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- title string Required
  
  The conversation title.
- updatedAt string
  
  The last time conversation was updated.
- users array[object] Required
  
  Could be any string, not necessarily a UUID
  
  Hide users attributes Show users attributes object
  
  id string
  
  User id
  
  name string
  
  User name
400 application/json

Generic Error
Hide response attributes Show response attributes object
- error string
- message string
- statusCode number

PUT /api/security_ai_assistant/current_user/conversations/{id}

curl \
 --request PUT 'https://localhost:5601/api/security_ai_assistant/current_user/conversations/{id}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"apiConfig":{"actionTypeId":"string","connectorId":"string","defaultSystemPromptId":"string","model":"string","provider":"OpenAI"},"category":"assistant","excludeFromLastConversationStorage":true,"id":"string","messages":[{"content":"string","isError":true,"metadata":{"contentReferences":{}},"reader":{},"role":"system","timestamp":"string","traceData":{"traceId":"string","transactionId":"string"}}],"replacements":{"additionalProperty1":"string","additionalProperty2":"string"},"summary":{"confidence":"low","content":"string","public":true,"timestamp":"string"},"title":"string"}'

Deletes a single Knowledge Base Entry using the `id` field

DELETE /api/security_ai_assistant/knowledge_base/entries/{id}

Api key auth Basic auth

Deletes a single Knowledge Base Entry using the id field

Path parameters

id string(nonempty) Required

The Knowledge Base Entry's id value

Minimum length is 1.

Responses

200 application/json

Successful request returning the deleted Knowledge Base Entry's ID
Hide response attribute Show response attribute object
- id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
400 application/json

Generic Error
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode number Required

DELETE /api/security_ai_assistant/knowledge_base/entries/{id}

curl \
 --request DELETE 'https://localhost:5601/api/security_ai_assistant/knowledge_base/entries/{id}' \
 --header "Authorization: $API_KEY"

Apply a bulk action to prompts

POST /api/security_ai_assistant/prompts/_bulk_action

Api key auth Basic auth

Apply a bulk action to multiple prompts. The bulk action is applied to all prompts that match the filter or to the list of prompts by their IDs.

application/json

Body

create array[object]
Hide create attributes Show create attributes object
- categories array[string]
- color string
- consumer string
- content string Required
- isDefault boolean
- isNewConversationDefault boolean
- name string Required
- promptType string Required
  
  Prompt type
  
  Values are system or quick.
delete object
Hide delete attributes Show delete attributes object
- ids array[string]
  
  Array of prompts IDs
  
  At least 1 element.
- query string
  
  Query to filter promps
update array[object]
Hide update attributes Show update attributes object
- categories array[string]
- color string
- consumer string
- content string
- id string Required
- isDefault boolean
- isNewConversationDefault boolean

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- attributes object Required
  
  Hide attributes attributes Show attributes attributes object
  
  errors array[object]
  
  Hide errors attributes Show errors attributes object
  
  err_code string
  
  message string Required
  
  prompts array[object] Required
  
  Hide prompts attributes Show prompts attributes object
  
  id string Required
  
  name string
  
  status_code integer Required
  
  results object Required
  
  Hide results attributes Show results attributes object
  
  created array[object] Required
  
  Hide created attributes Show created attributes object
  
  categories array[string]
  
  color string
  
  consumer string
  
  content string Required
  
  createdAt string
  
  createdBy string
  
  id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  isDefault boolean
  
  isNewConversationDefault boolean
  
  name string Required
  
  namespace string
  
  Kibana space
  
  promptType string Required
  
  Prompt type
  
  Values are system or quick.
  
  timestamp string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  updatedAt string
  
  updatedBy string
  
  users array[object]
  
  Could be any string, not necessarily a UUID
  
  Hide users attributes Show users attributes object
  
  id string
  
  User id
  
  name string
  
  User name
  
  deleted array[string] Required
  
  skipped array[object] Required
  
  Hide skipped attributes Show skipped attributes object
  
  id string Required
  
  name string
  
  skip_reason string Required
  
  Value is PROMPT_FIELD_NOT_MODIFIED.
  
  updated array[object] Required
  
  Hide updated attributes Show updated attributes object
  
  categories array[string]
  
  color string
  
  consumer string
  
  content string Required
  
  createdAt string
  
  createdBy string
  
  id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  isDefault boolean
  
  isNewConversationDefault boolean
  
  name string Required
  
  namespace string
  
  Kibana space
  
  promptType string Required
  
  Prompt type
  
  Values are system or quick.
  
  timestamp string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  updatedAt string
  
  updatedBy string
  
  users array[object]
  
  Could be any string, not necessarily a UUID
  
  Hide users attributes Show users attributes object
  
  id string
  
  User id
  
  name string
  
  User name
  
  summary object Required
  
  Hide summary attributes Show summary attributes object
  
  failed integer Required
  
  skipped integer Required
  
  succeeded integer Required
  
  total integer Required
- message string
- prompts_count integer
- status_code integer
- success boolean
400 application/json

Generic Error
Hide response attributes Show response attributes object
- error string
- message string
- statusCode number

POST /api/security_ai_assistant/prompts/_bulk_action

curl \
 --request POST 'https://localhost:5601/api/security_ai_assistant/prompts/_bulk_action' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"create":[{"categories":["string"],"color":"string","consumer":"string","content":"string","isDefault":true,"isNewConversationDefault":true,"name":"string","promptType":"system"}],"delete":{"ids":["string"],"query":"string"},"update":[{"categories":["string"],"color":"string","consumer":"string","content":"string","id":"string","isDefault":true,"isNewConversationDefault":true}]}'

Initiate a detection alert migration Deprecated

POST /api/detection_engine/signals/migration

Api key auth Basic auth

Initiate a migration of detection alerts. Migrations are initiated per index. While the process is neither destructive nor interferes with existing data, it may be resource-intensive. As such, it is recommended that you plan your migrations accordingly.

application/json

Body Required

Alerts migration parameters

index array[string(nonempty)] Required

Array of index names to migrate.

At least 1 element. Minimum length of each is 1.
requests_per_second integer

The throttle for the migration task in sub-requests per second. Corresponds to requests_per_second on the Reindex API.

Minimum value is 1.
size integer

Number of alerts to migrate per batch. Corresponds to the source.size option on the Reindex API.

Minimum value is 1.
slices integer

The number of subtasks for the migration task. Corresponds to slices on the Reindex API.

Minimum value is 1.

Responses

200 application/json

Successful response
Hide response attribute Show response attribute object
- indices array[object] Required
  
  One of:
  Security_Detections_API_AlertsIndexMigrationSuccess object Security_Detections_API_AlertsIndexMigrationError object Security_Detections_API_SkippedAlertsIndexMigration object
  
  Hide attributes Show attributes
  
  index string Required
  
  migration_id string Required
  
  migration_index string Required
  
  Hide attributes Show attributes
  
  error object Required
  
  Hide error attributes Show error attributes object
  
  message string Required
  
  status_code string Required
  
  index string Required
400 application/json

Invalid input data response
One of:
Security_Detections_API_PlatformErrorResponse object Security_Detections_API_SiemErrorResponse object
Hide attributes Show attributes

error string Required

message string Required

statusCode integer Required
Hide attributes Show attributes

message string Required

status_code integer Required
401 application/json

Unsuccessful authentication response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
500 application/json

Internal server error response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required

POST /api/detection_engine/signals/migration

curl \
 --request POST 'https://localhost:5601/api/detection_engine/signals/migration' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"index":[".siem-signals-default-000001"]}'

Request example

{
  "index": [
    ".siem-signals-default-000001"
  ]
}

Response examples (200)

{
  "indices": [
    {
      "index": ".siem-signals-default-000001,",
      "migration_id": "923f7c50-505f-11eb-ae0a-3fa2e626a51d",
      "migration_index": ".siem-signals-default-000001-r000016"
    }
  ]
}

Clean up detection alert migrations Deprecated

DELETE /api/detection_engine/signals/migration

Api key auth Basic auth

Migrations favor data integrity over shard size. Consequently, unused or orphaned indices are artifacts of the migration process. A successful migration will result in both the old and new indices being present. As such, the old, orphaned index can (and likely should) be deleted.

While you can delete these indices manually, the endpoint accomplishes this task by applying a deletion policy to the relevant index, causing it to be deleted after 30 days. It also deletes other artifacts specific to the migration implementation.

application/json

Body Required

Array of migration_ids to cleanup

migration_ids array[string] Required

Array of migration_ids to cleanup.

At least 1 element.

Responses

200 application/json

Successful response
Hide response attributes Show response attributes object
- destinationIndex string Required
- error object
  
  Hide error attributes Show error attributes object
  
  message string Required
  
  status_code integer Required
- id string Required
- sourceIndex string Required
- status string Required
  
  Values are success, failure, or pending.
- updated string(date-time) Required
- version string Required
400 application/json

Invalid input data response
One of:
Security_Detections_API_PlatformErrorResponse object Security_Detections_API_SiemErrorResponse object
Hide attributes Show attributes

error string Required

message string Required

statusCode integer Required
Hide attributes Show attributes

message string Required

status_code integer Required
401 application/json

Unsuccessful authentication response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
500 application/json

Internal server error response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required

DELETE /api/detection_engine/signals/migration

curl \
 --request DELETE 'https://localhost:5601/api/detection_engine/signals/migration' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"migration_ids":["924f7c50-505f-11eb-ae0a-3fa2e626a51d"]}'

Request example

{
  "migration_ids": [
    "924f7c50-505f-11eb-ae0a-3fa2e626a51d"
  ]
}

Response examples (200)

{
  "migrations": [
    {
      "id": "924f7c50-505f-11eb-ae0a-3fa2e626a51d",
      "status": "success",
      "updated": "2021-01-06T22:05:56.859Z",
      "version": 16,
      "sourceIndex": ".siem-signals-default-000002",
      "destinationIndex": ".siem-signals-default-000002-r000016"
    }
  ]
}

Set a detection alert status

POST /api/detection_engine/signals/status

Api key auth Basic auth

Set the status of one or more detection alerts.

application/json

Body object Required

An object containing desired status and explicit alert ids or a query to select alerts

signal_ids array[string(nonempty)] Required

List of alert ids.

At least 1 element. Minimum length of each is 1.
status string Required

The status of an alert, which can be open, acknowledged, in-progress, or closed.

Values are open, closed, acknowledged, or in-progress.

conflicts string

Values are abort or proceed. Default value is abort.
query object Required

Additional properties are allowed.
status string Required

The status of an alert, which can be open, acknowledged, in-progress, or closed.

Values are open, closed, acknowledged, or in-progress.

Responses

200 application/json

Successful response

Elasticsearch update by query response

Additional properties are allowed.
400 application/json

Invalid input data response
One of:
Security_Detections_API_PlatformErrorResponse object Security_Detections_API_SiemErrorResponse object
Hide attributes Show attributes

error string Required

message string Required

statusCode integer Required
Hide attributes Show attributes

message string Required

status_code integer Required
401 application/json

Unsuccessful authentication response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
500 application/json

Internal server error response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required

POST /api/detection_engine/signals/status

curl \
 --request POST 'https://localhost:5601/api/detection_engine/signals/status' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"status":"closed","signal_ids":["80e1383f856e67c1b7f7a1634744fa6d66b6e2ef7aa26d226e57afb5a7b2b4a1"]}'

Request examples

{
  "status": "closed",
  "signal_ids": [
    "80e1383f856e67c1b7f7a1634744fa6d66b6e2ef7aa26d226e57afb5a7b2b4a1"
  ]
}

{
  "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "range": null,
          "@timestamp": {
            "gte": "2024-10-23T07:00:00.000Z",
            "lte": "2025-01-21T20:12:11.704Z",
            "format": "strict_date_optional_time"
          }
        },
        {
          "bool": {
            "filter": {
              "bool": {
                "must": [],
                "filter": [
                  {
                    "match_phrase": {
                      "kibana.alert.workflow_status": "open"
                    }
                  },
                  {
                    "range": null,
                    "@timestamp": {
                      "gte": "2024-10-23T07:00:00.000Z",
                      "lte": "2025-01-21T20:12:11.704Z",
                      "format": "strict_date_optional_time"
                    }
                  }
                ],
                "should": [],
                "must_not": [
                  {
                    "exists": {
                      "field": "kibana.alert.building_block_type"
                    }
                  }
                ]
              }
            }
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  },
  "status": "closed",
  "conflicts": "proceed"
}

Response examples (200)

{
  "took": 81,
  "noops": 0,
  "total": 1,
  "batches": 1,
  "deleted": 0,
  "retries": {
    "bulk": 0,
    "search": 0
  },
  "updated": 1,
  "failures": [],
  "timed_out": false,
  "throttled_millis": 0,
  "version_conflicts": 0,
  "requests_per_second": -1,
  "throttled_until_millis": 0
}

{
  "took": 100,
  "noops": 0,
  "total": 17,
  "batches": 1,
  "deleted": 0,
  "retries": {
    "bulk": 0,
    "search": 0
  },
  "updated": 17,
  "failures": [],
  "timed_out": false,
  "throttled_millis": 0,
  "version_conflicts": 0,
  "requests_per_second": -1,
  "throttled_until_millis": 0
}

Get actions state

GET /api/endpoint/action/state

Api key auth Basic auth

Get a response actions state, which reports whether encryption is enabled.

Responses

200 application/json

OK
Hide response attribute Show response attribute object
- body object Required
  
  Hide body attribute Show body attribute object
  
  data object Required
  
  Hide data attribute Show data attribute object
  
  canEncrypt boolean

GET /api/endpoint/action/state

curl \
 --request GET 'https://localhost:5601/api/endpoint/action/state' \
 --header "Authorization: $API_KEY"

Delete the Entity Engine

DELETE /api/entity_store/engines/{entityType}

Api key auth Basic auth

Path parameters

entityType string Required

The entity type of the engine (either 'user' or 'host').

Values are user, host, service, or generic.

Query parameters

data boolean

Control flag to also delete the entity data.

Responses

200 application/json

Successful response
Hide response attribute Show response attribute object
- deleted boolean

DELETE /api/entity_store/engines/{entityType}

curl \
 --request DELETE 'https://localhost:5601/api/entity_store/engines/{entityType}' \
 --header "Authorization: $API_KEY"

Cleanup the Risk Engine

DELETE /api/risk_score/engine/dangerously_delete_data

Api key auth Basic auth

Cleaning up the the Risk Engine by removing the indices, mapping and transforms

Responses

200 application/json

Successful response
Hide response attribute Show response attribute object
- cleanup_successful boolean
400 application/json

Task manager is unavailable
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required
  
  Minimum value is 400.
default application/json

Unexpected error
Hide response attributes Show response attributes object
- cleanup_successful boolean Required
- errors array[object] Required
  
  Hide errors attributes Show errors attributes object
  
  error string Required
  
  seq integer Required

DELETE /api/risk_score/engine/dangerously_delete_data

curl \
 --request DELETE 'https://localhost:5601/api/risk_score/engine/dangerously_delete_data' \
 --header "Authorization: $API_KEY"

Get an exception list item

GET /api/exception_lists/items

Api key auth Basic auth

Get the details of an exception list item using the id or item_id field.

Query parameters

id string(nonempty)

Exception list item's identifier. Either id or item_id must be specified.

Minimum length is 1.
item_id string(nonempty)

Human readable exception item string identifier, e.g. trusted-linux-processes. Either id or item_id must be specified.

Minimum length is 1.
namespace_type string
Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:
- single: Only available in the Kibana space in which it is created.
- agnostic: Available in all Kibana spaces.
Values are agnostic or single. Default value is single.

Responses

200 application/json

Successful response
Hide response attributes Show response attributes object
- _version string
  
  The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.
- comments array[object] Required
  
  Array of comment fields:
  
  comment (string): Comments about the exception item.
  
  Hide comments attributes Show comments attributes object
  
  comment string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  created_at string(date-time) Required
  
  Autogenerated date of object creation.
  
  created_by string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  updated_at string(date-time)
  
  Autogenerated date of last object update.
  
  updated_by string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- created_at string(date-time) Required
  
  Autogenerated date of object creation.
- created_by string Required
  
  Autogenerated value - user that created object.
- description string Required
  
  Describes the exception list.
- entries array[object] Required
  
  Any of:
  Security_Exceptions_API_ExceptionListItemEntryMatch object Security_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Exceptions_API_ExceptionListItemEntryList object Security_Exceptions_API_ExceptionListItemEntryExists object Security_Exceptions_API_ExceptionListItemEntryNested object Security_Exceptions_API_ExceptionListItemEntryMatchWildcard object
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is match.
  
  value string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is match_any.
  
  value array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  list object Required
  
  Hide list attributes Show list attributes object
  
  id string(nonempty) Required
  
  Value list's identifier.
  
  Minimum length is 1.
  
  type string Required
  
  Specifies the Elasticsearch data type of excludes the list container holds. Some common examples:
  
  keyword: Many ECS fields are Elasticsearch keywords
  
  ip: IP addresses
  
  ip_range: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)
  
  Values are binary, boolean, byte, date, date_nanos, date_range, double, double_range, float, float_range, geo_point, geo_shape, half_float, integer, integer_range, ip, ip_range, keyword, long, long_range, shape, short, or text.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is list.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is exists.
  
  Hide attributes Show attributes
  
  entries array[object] Required
  
  At least 1 element.
  
  One of:
  Security_Exceptions_API_ExceptionListItemEntryMatch object Security_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Exceptions_API_ExceptionListItemEntryExists object
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required
  
  Value is match.
  
  value string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required
  
  Value is match_any.
  
  value array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required
  
  Value is exists.
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  type string Required Discriminator
  
  Value is nested.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is wildcard.
  
  value string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- expire_time string(date-time)
  
  The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.
- id string(nonempty) Required
  
  Exception's identifier.
  
  Minimum length is 1.
- item_id string(nonempty) Required
  
  Human readable string identifier, e.g. trusted-linux-processes
  
  Minimum length is 1.
- list_id string(nonempty) Required
  
  Exception list's human readable string identifier, e.g. trusted-linux-processes.
  
  Minimum length is 1.
- meta object
  
  Additional properties are allowed.
- name string(nonempty) Required
  
  Exception list name.
  
  Minimum length is 1.
- namespace_type string Required
  
  Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:
  
  single: Only available in the Kibana space in which it is created.
  
  agnostic: Available in all Kibana spaces.
  
  Values are agnostic or single. Default value is single.
- os_types array[string]
  
  Use this field to specify the operating system.
  
  Values are linux, macos, or windows. Default value is [] (empty).
- tags array[string(nonempty)]
  
  String array containing words and phrases to help categorize exception items.
  
  Minimum length of each is 1. Default value is [] (empty).
- tie_breaker_id string Required
  
  Field used in search to ensure all containers are sorted and returned correctly.
- type string Required
  
  Value is simple.
- updated_at string(date-time) Required
  
  Autogenerated date of last object update.
- updated_by string Required
  
  Autogenerated value - user that last updated object.
400 application/json

Invalid input data response
One of:
Security_Exceptions_API_PlatformErrorResponse object Security_Exceptions_API_SiemErrorResponse object
Hide attributes Show attributes

error string Required

message string Required

statusCode integer Required
Hide attributes Show attributes

message string Required

status_code integer Required
401 application/json

Unsuccessful authentication response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
403 application/json

Not enough privileges response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
404 application/json

Exception list item not found response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required
500 application/json

Internal server error response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required

GET /api/exception_lists/items

curl \
 --request GET 'https://localhost:5601/api/exception_lists/items' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "id": "71a9f4b2-c85c-49b4-866f-c71eb9e67da2",
  "name": "Sample Exception List Item",
  "tags": [
    "malware"
  ],
  "type": "simple",
  "entries": [
    {
      "type": "exists",
      "field": "actingProcess.file.signer",
      "operator": "excluded"
    },
    {
      "type": "match_any",
      "field": "host.name",
      "value": [
        "saturn",
        "jupiter"
      ],
      "operator": "included"
    }
  ],
  "item_id": "simple_list_item",
  "list_id": "simple_list",
  "_version": "WzQsMV0=",
  "comments": [],
  "os_types": [
    "linux"
  ],
  "created_at": "2025-01-07T20:07:33.119Z",
  "created_by": "elastic",
  "updated_at": "2025-01-07T20:07:33.119Z",
  "updated_by": "elastic",
  "description": "This is a sample detection type exception item.",
  "namespace_type": "single",
  "tie_breaker_id": "09434836-9db9-4942-a234-5a9268e0b34c"
}

Response examples (400)

{
  "error": "Bad Request",
  "message": "[request query]: namespace_type.0: Invalid enum value. Expected 'agnostic' | 'single', received 'blob'",
  "statusCode": 400
}

Response examples (401)

{
  "error": "Unauthorized",
  "message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
  "statusCode": 401
}

Response examples (403)

{
  "error": "Forbidden",
  "message": "API [GET /api/exception_lists/items?item_id=&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]",
  "statusCode": 403
}

Response examples (404)

{
  "message": "exception list item item_id: \\\"foo\\\" does not exist",
  "status_code": 404
}

Response examples (500)

{
  "message": "Internal Server Error",
  "status_code": 500
}

Security lists

Lists can be used with detection rule exceptions to define values that prevent a rule from generating alerts.

Lists are made up of:

List containers: A container for values of the same Elasticsearch data type. The following data types can be used:
- boolean
- byte
- date
- date_nanos
- date_range
- double
- double_range
- float
- float_range
- half_float
- integer
- integer_range
- ip
- ip_range
- keyword
- long
- long_range
- short
- text
List items: The values used to determine whether the exception prevents an alert from being generated.

All list items in the same list container must be of the same data type, and each item defines a single value. For example, an IP list container named internal-ip-addresses-southport contains five items, where each item defines one internal IP address:

192.168.1.1
192.168.1.3
192.168.1.18
192.168.1.12
192.168.1.7

To use these IP addresses as values for defining rule exceptions, use the Security exceptions API to create an exception list item that references the internal-ip-addresses-southport list.

Lists cannot be added directly to rules, nor do they define the operators used to determine when exceptions are applied (is in list, is not in list). Use an exception item to define the operator and associate it with an exception container. You can then add the exception container to a rule's exceptions_list object.

Lists requirements

Before you can start using lists, you must create the .lists and .items data streams for the relevant Kibana space. To do this, use the Create list data streams endpoint. Once these data streams are created, your role needs privileges to manage rules. Refer to Enable and access detections for a complete list of requirements.

Get value list details

GET /api/lists

Api key auth Basic auth

Get the details of a value list using the list ID.

Query parameters

id string(nonempty) Required

Value list's identifier.

Minimum length is 1.

Responses

200 application/json

Successful response
Hide response attributes Show response attributes object
- _version string
  
  The version id, normally returned by the API when the document is retrieved. Use it ensure updates are done against the latest version.
- @timestamp string(date-time)
- created_at string(date-time) Required
  
  Autogenerated date of object creation.
- created_by string Required
  
  Autogenerated value - user that created object.
- description string(nonempty) Required
  
  Describes the value list.
  
  Minimum length is 1.
- deserializer string
  
  Determines how retrieved list item values are presented. By default list items are presented using these Handelbar expressions:
  
  {{{value}}} - Single value item types, such as ip, long, date, keyword, and text.
  
  {{{gte}}}-{{{lte}}} - Range value item types, such as ip_range, double_range, float_range, integer_range, and long_range.
  
  {{{gte}}},{{{lte}}} - Date range values.
- id string(nonempty) Required
  
  Value list's identifier.
  
  Minimum length is 1.
- immutable boolean Required
- meta object
  
  Placeholder for metadata about the value list.
  
  Additional properties are allowed.
- name string(nonempty) Required
  
  Value list's name.
  
  Minimum length is 1.
- serializer string
  
  Determines how uploaded list item values are parsed. By default, list items are parsed using these named regex groups:
  
  (?<value>.+) - Single value item types, such as ip, long, date, keyword, and text.
  
  (?<gte>.+)-(?<lte>.+)|(?<value>.+) - Range value item types, such as date_range, ip_range, double_range, float_range, integer_range, and long_range.
- tie_breaker_id string Required
  
  Field used in search to ensure all containers are sorted and returned correctly.
- type string Required
  
  Specifies the Elasticsearch data type of excludes the list container holds. Some common examples:
  
  keyword: Many ECS fields are Elasticsearch keywords
  
  ip: IP addresses
  
  ip_range: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)
  
  Values are binary, boolean, byte, date, date_nanos, date_range, double, double_range, float, float_range, geo_point, geo_shape, half_float, integer, integer_range, ip, ip_range, keyword, long, long_range, shape, short, or text.
- updated_at string(date-time) Required
  
  Autogenerated date of last object update.
- updated_by string Required
  
  Autogenerated value - user that last updated object.
- version integer Required
  
  The document version number.
  
  Minimum value is 1.
400 application/json

Invalid input data response
One of:
Security_Lists_API_PlatformErrorResponse object Security_Lists_API_SiemErrorResponse object
Hide attributes Show attributes

error string Required

message string Required

statusCode integer Required
Hide attributes Show attributes

message string Required

status_code integer Required
401 application/json

Unsuccessful authentication response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
403 application/json

Not enough privileges response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
404 application/json

List not found response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required
500 application/json

Internal server error response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required

GET /api/lists

curl \
 --request GET 'https://localhost:5601/api/lists?id=21b01cfb-058d-44b9-838c-282be16c91cd' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "id": "ip_list",
  "name": "My bad ips",
  "type": "ip",
  "version": 1,
  "_version": "WzEsMV0=",
  "immutable": false,
  "@timestamp": "2025-01-08T04:47:34.273Z",
  "created_at": "2025-01-08T04:47:34.273Z",
  "created_by": "elastic",
  "updated_at": "2025-01-08T05:21:53.843Z",
  "updated_by": "elastic",
  "description": "This list describes bad internet ip",
  "tie_breaker_id": "f5508188-b1e9-4e6e-9662-d039a7d89899"
}

Response examples (400)

{
  "error": "Bad Request",
  "message": "[request query]: id: Required",
  "statusCode": 400
}

Response examples (401)

{
  "error": "Unauthorized",
  "message": "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
  "statusCode": 401
}

Response examples (403)

{
  "error": "Forbidden",
  "message": "API [GET /api/lists?id=ip_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]",
  "statusCode": 403
}

Response examples (404)

{
  "message": "list id: \\\"foo\\\" not found",
  "status_code": 404
}

Response examples (500)

{
  "message": "Internal Server Error",
  "status_code": 500
}

Get a value list item

GET /api/lists/items

Api key auth Basic auth

Get the details of a value list item.

Query parameters

id string(nonempty)

Value list item identifier. Required if list_id and value are not specified.

Minimum length is 1.
list_id string(nonempty)

Value list item list's id identfier. Required if id is not specified.

Minimum length is 1.
value string

The value used to evaluate exceptions. Required if id is not specified.

Responses

200 application/json

Successful response
One of:
Security_Lists_API_ListItem object array-2 array[object]
Hide attributes Show attributes

_version string

The version id, normally returned by the API when the document is retrieved. Use it ensure updates are done against the latest version.

@timestamp string(date-time)

created_at string(date-time) Required

Autogenerated date of object creation.

created_by string Required

Autogenerated value - user that created object.

deserializer string

Determines how retrieved list item values are presented. By default list items are presented using these Handelbar expressions:

{{{value}}} - Single value item types, such as ip, long, date, keyword, and text.

{{{gte}}}-{{{lte}}} - Range value item types, such as ip_range, double_range, float_range, integer_range, and long_range.

{{{gte}}},{{{lte}}} - Date range values.

id string(nonempty) Required

Value list item's identifier.

Minimum length is 1.

list_id string(nonempty) Required

Value list's identifier.

Minimum length is 1.

meta object

Placeholder for metadata about the value list item.

Additional properties are allowed.

serializer string

Determines how uploaded list item values are parsed. By default, list items are parsed using these named regex groups:

(?<value>.+) - Single value item types, such as ip, long, date, keyword, and text.

(?<gte>.+)-(?<lte>.+)|(?<value>.+) - Range value item types, such as date_range, ip_range, double_range, float_range, integer_range, and long_range.

tie_breaker_id string Required

Field used in search to ensure all containers are sorted and returned correctly.

type string Required

Specifies the Elasticsearch data type of excludes the list container holds. Some common examples:

keyword: Many ECS fields are Elasticsearch keywords

ip: IP addresses

ip_range: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)

Values are binary, boolean, byte, date, date_nanos, date_range, double, double_range, float, float_range, geo_point, geo_shape, half_float, integer, integer_range, ip, ip_range, keyword, long, long_range, shape, short, or text.

updated_at string(date-time) Required

Autogenerated date of last object update.

updated_by string Required

Autogenerated value - user that last updated object.

value string(nonempty) Required

The value used to evaluate exceptions.

Minimum length is 1.
Hide attributes Show attributes object

_version string

The version id, normally returned by the API when the document is retrieved. Use it ensure updates are done against the latest version.

@timestamp string(date-time)

created_at string(date-time) Required

Autogenerated date of object creation.

created_by string Required

Autogenerated value - user that created object.

deserializer string

Determines how retrieved list item values are presented. By default list items are presented using these Handelbar expressions:

{{{value}}} - Single value item types, such as ip, long, date, keyword, and text.

{{{gte}}}-{{{lte}}} - Range value item types, such as ip_range, double_range, float_range, integer_range, and long_range.

{{{gte}}},{{{lte}}} - Date range values.

id string(nonempty) Required

Value list item's identifier.

Minimum length is 1.

list_id string(nonempty) Required

Value list's identifier.

Minimum length is 1.

meta object

Placeholder for metadata about the value list item.

Additional properties are allowed.

serializer string

Determines how uploaded list item values are parsed. By default, list items are parsed using these named regex groups:

(?<value>.+) - Single value item types, such as ip, long, date, keyword, and text.

(?<gte>.+)-(?<lte>.+)|(?<value>.+) - Range value item types, such as date_range, ip_range, double_range, float_range, integer_range, and long_range.

tie_breaker_id string Required

Field used in search to ensure all containers are sorted and returned correctly.

type string Required

Specifies the Elasticsearch data type of excludes the list container holds. Some common examples:

keyword: Many ECS fields are Elasticsearch keywords

ip: IP addresses

ip_range: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)

Values are binary, boolean, byte, date, date_nanos, date_range, double, double_range, float, float_range, geo_point, geo_shape, half_float, integer, integer_range, ip, ip_range, keyword, long, long_range, shape, short, or text.

updated_at string(date-time) Required

Autogenerated date of last object update.

updated_by string Required

Autogenerated value - user that last updated object.

value string(nonempty) Required

The value used to evaluate exceptions.

Minimum length is 1.
400 application/json

Invalid input data response
One of:
Security_Lists_API_PlatformErrorResponse object Security_Lists_API_SiemErrorResponse object
Hide attributes Show attributes

error string Required

message string Required

statusCode integer Required
Hide attributes Show attributes

message string Required

status_code integer Required
401 application/json

Unsuccessful authentication response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
403 application/json

Not enough privileges response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
404 application/json

List item not found response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required
500 application/json

Internal server error response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required

GET /api/lists/items

curl \
 --request GET 'https://localhost:5601/api/lists/items' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "id": "qN1XRJQBs4HAK3VQs3Gc",
  "type": "ip",
  "value": "127.0.0.2",
  "list_id": "ip_list",
  "_version": "WzExLDFd",
  "@timestamp": "2025-01-08T05:16:25.882Z",
  "created_at": "2025-01-08T05:16:25.882Z",
  "created_by": "elastic",
  "updated_at": "2025-01-08T05:16:25.882Z",
  "updated_by": "elastic",
  "tie_breaker_id": "a9a34c02-a385-436e-86a0-02a3942f3537"
}

Response examples (400)

{
  "message": "Either \\\"list_id\\\" or \\\"id\\\" needs to be defined in the request",
  "status_code": 400
}

Response examples (401)

{
  "error": "Unauthorized",
  "message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
  "statusCode": 401
}

Response examples (403)

{
  "error": "Forbidden",
  "message": "API [GET /api/lists/items?id=qN1XRJQBs4HAK3VQs3Gc] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]",
  "statusCode": 403
}

Response examples (404)

{
  "message": "list item id: \\\"foo\\\" not found",
  "status_code": 404
}

Response examples (500)

{
  "message": "Internal Server Error",
  "status_code": 500
}

Create a live query

POST /api/osquery/live_queries

Api key auth Basic auth

Create and run a live query.

application/json

Body Required

agent_all boolean

When true, the query runs on all agents.
agent_ids array[string]

A list of agent IDs to run the query on.
agent_platforms array[string]

A list of agent platforms to run the query on.
agent_policy_ids array[string]

A list of agent policy IDs to run the query on.
alert_ids array[string]

A list of alert IDs associated with the live query.
case_ids array[string]

A list of case IDs associated with the live query.
ecs_mapping object | null

Map osquery results columns or static values to Elastic Common Schema (ECS) fields
Hide ecs_mapping attribute Show ecs_mapping attribute object | null
- * object Additional properties
  Hide * attributes Show * attributes object
  
  field string
  
  The ECS field to map to.
  
  value string | array[string]
  
  The value to map to the ECS field.
  
  One of:
  string-1 string array-2 array[string]
event_ids array[string]

A list of event IDs associated with the live query.
metadata object | null

Custom metadata object associated with the live query.
pack_id string | null

The ID of the pack you want to run, retrieve, update, or delete.
queries array[object]

An array of queries to run.
Hide queries attributes Show queries attributes object
- ecs_mapping object | null
  
  Map osquery results columns or static values to Elastic Common Schema (ECS) fields
  Hide ecs_mapping attribute Show ecs_mapping attribute object | null
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  field string
  
  The ECS field to map to.
  
  value string | array[string]
  
  The value to map to the ECS field.
  
  One of:
  string-1 string array-2 array[string]
- id string
  
  The ID of the query.
- platform string | null
  
  Restricts the query to a specified platform. The default is all platforms. To specify multiple platforms, use commas. For example, linux,darwin.
- query string
  
  The SQL query you want to run.
- removed boolean | null
  
  Indicates whether the query is removed.
- snapshot boolean | null
  
  Indicates whether the query is a snapshot.
- version string | null
  
  Uses the Osquery versions greater than or equal to the specified version string.
query string

The SQL query you want to run.
saved_query_id string | null

The ID of a saved query.

Responses

200 application/json

OK

POST /api/osquery/live_queries

curl \
 --request POST 'https://localhost:5601/api/osquery/live_queries' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"query":"select * from uptime;","agent_all":true,"ecs_mapping":{"host.uptime":{"field":"total_seconds"}}}'

Request example

{
  "query": "select * from uptime;",
  "agent_all": true,
  "ecs_mapping": {
    "host.uptime": {
      "field": "total_seconds"
    }
  }
}

Response examples (200)

{
  "data": {
    "type": "INPUT_ACTION",
    "agents": [
      "16d7caf5-efd2-4212-9b62-73dafc91fa13"
    ],
    "queries": [
      {
        "id": "6724a474-cbba-41ef-a1aa-66aebf0879e2",
        "query": "select * from uptime;",
        "agents": [
          "16d7caf5-efd2-4212-9b62-73dafc91fa13"
        ],
        "timeout": 120,
        "action_id": "609c4c66-ba3d-43fa-afdd-53e244577aa0",
        "ecs_mapping": {
          "host.uptime": {
            "field": "total_seconds"
          }
        }
      }
    ],
    "user_id": "elastic",
    "metadata": {
      "execution_context": {
        "url": "/app/osquery/live_queries/new",
        "name": "osquery"
      }
    },
    "action_id": "3c42c847-eb30-4452-80e0-728584042334",
    "agent_all": true,
    "agent_ids": [],
    "@timestamp": "2022-07-26T09:59:32.220Z",
    "expiration": "2022-07-26T10:04:32.220Z",
    "input_type": "osquery",
    "agent_platforms": [],
    "agent_policy_ids": []
  }
}

Pin/unpin an event

PATCH /api/pinned_event

Api key auth Basic auth

Pin/unpin an event to/from an existing Timeline.

application/json

Body Required

The pinned event to add or unpin, along with additional metadata.

eventId string Required

The _id of the associated event for this pinned event.
pinnedEventId string | null

The savedObjectId of the pinned event you want to unpin.
timelineId string Required

The savedObjectId of the timeline that you want this pinned event unpinned from.

Responses

200 application/json

Indicates the event was successfully pinned to or unpinned from the Timeline.
One of:
Security_Timeline_API_PinnedEvent object object-2 object
Hide attributes Show attributes

created number | null

The time the pinned event was created, using a 13-digit Epoch timestamp.

createdBy string | null

The user who created the pinned event.

updated number | null

The last time the pinned event was updated, using a 13-digit Epoch timestamp

updatedBy string | null

The user who last updated the pinned event

eventId string Required

The _id of the associated event for this pinned event.

timelineId string Required

The savedObjectId of the timeline that this pinned event is associated with

pinnedEventId string Required

The savedObjectId of this pinned event

version string Required

The version of this pinned event
Hide attribute Show attribute

unpinned boolean Required

Indicates whether the event was successfully unpinned

PATCH /api/pinned_event

curl \
 --request PATCH 'https://localhost:5601/api/pinned_event' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"eventId":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc","pinnedEventId":"10r1929b-0af7-42bd-85a8-56e234f98h2f3","timelineId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e"}'

Get Timeline or Timeline template details

GET /api/timeline

Api key auth Basic auth

Get the details of an existing saved Timeline or Timeline template.

Query parameters

template_timeline_id string

The savedObjectId of the template timeline to retrieve
id string

The savedObjectId of the Timeline to retrieve.

Responses

200 application/json

Indicates that the (template) Timeline was found and returned.
Hide response attributes Show response attributes object
- columns array[object] | null
  
  The Timeline's columns
  
  Hide columns attributes Show columns attributes object
  
  aggregatable boolean | null
  
  category string | null
  
  columnHeaderType string | null
  
  description string | null
  
  example string | null
  
  id string | null
  
  indexes array[string] | null
  
  name string | null
  
  placeholder string | null
  
  searchable boolean | null
  
  type string | null
- created number | null
  
  The time the Timeline was created, using a 13-digit Epoch timestamp.
- createdBy string | null
  
  The user who created the Timeline.
- dataProviders array[object] | null
  
  Object containing query clauses
  
  Hide dataProviders attributes Show dataProviders attributes object
  
  and array[object] | null
  
  Hide and attributes Show and attributes object
  
  enabled boolean | null
  
  excluded boolean | null
  
  id string | null
  
  kqlQuery string | null
  
  name string | null
  
  queryMatch object | null
  
  Hide queryMatch attributes Show queryMatch attributes object | null
  
  displayField string | null
  
  displayValue string | null
  
  field string | null
  
  operator string | null
  
  value string | null | array[string]
  
  One of:
  string-1 string | null array-2 array[string] | null
  
  type string | null
  
  The type of data provider.
  
  Values are default or template.
  
  enabled boolean | null
  
  excluded boolean | null
  
  id string | null
  
  kqlQuery string | null
  
  name string | null
  
  queryMatch object | null
  
  Hide queryMatch attributes Show queryMatch attributes object | null
  
  displayField string | null
  
  displayValue string | null
  
  field string | null
  
  operator string | null
  
  value string | null | array[string]
  
  One of:
  string-1 string | null array-2 array[string] | null
  
  type string | null
  
  The type of data provider.
  
  Values are default or template.
- dataViewId string | null
  
  ID of the Timeline's Data View
- dateRange object | null
  
  The Timeline's search period.
  
  Hide dateRange attributes Show dateRange attributes object | null
  
  end string | null | number
  
  One of:
  string-1 string | null number-2 number | null
  
  end string | null | number
  
  One of:
  string-1 string | null number-2 number | null
  
  start string | null | number
  
  One of:
  string-1 string | null number-2 number | null
  
  start string | null | number
  
  One of:
  string-1 string | null number-2 number | null
- description string | null
  
  The Timeline's description
- eqlOptions object | null
  
  EQL query that is used in the correlation tab
  
  Hide eqlOptions attributes Show eqlOptions attributes object | null
  
  eventCategoryField string | null
  
  query string | null
  
  size string | null | number
  
  One of:
  string-1 string | null number-2 number | null
  
  size string | null | number
  
  One of:
  string-1 string | null number-2 number | null
  
  tiebreakerField string | null
  
  timestampField string | null
- eventType string | null Deprecated
  
  Event types displayed in the Timeline
- excludedRowRendererIds array[string] | null
  
  A list of row renderers that should not be used when in Event renderers mode
  
  Values are alert, alerts, auditd, auditd_file, library, netflow, plain, registry, suricata, system, system_dns, system_endgame_process, system_file, system_fim, system_security_event, system_socket, threat_match, or zeek.
- favorite array[object] | null
  
  Indicates when and who marked a Timeline as a favorite.
  
  Hide favorite attributes Show favorite attributes object
  
  favoriteDate number | null
  
  fullName string | null
  
  userName string | null
- filters array[object] | null
  
  A list of filters that should be applied to the query
  
  Hide filters attributes Show filters attributes object
  
  exists string | null
  
  match_all string | null
  
  meta object | null
  
  Hide meta attributes Show meta attributes object | null
  
  alias string | null
  
  controlledBy string | null
  
  disabled boolean | null
  
  field string | null
  
  formattedValue string | null
  
  index string | null
  
  key string | null
  
  negate boolean | null
  
  params string | null
  
  type string | null
  
  value string | null
  
  missing string | null
  
  query string | null
  
  range string | null
  
  script string | null
- indexNames array[string] | null
  
  A list of index names to use in the query (e.g. when the default data view has been modified)
- kqlMode string | null
  
  Indicates whether the KQL bar filters the query results or searches for additional results, where:
  
  filter: filters query results
  
  search: displays additional search results
- kqlQuery object | null
  
  KQL bar query.
  
  Hide kqlQuery attribute Show kqlQuery attribute object | null
  
  filterQuery object | null
  
  Hide filterQuery attributes Show filterQuery attributes object | null
  
  kuery object | null
  
  Hide kuery attributes Show kuery attributes object | null
  
  expression string | null
  
  kind string | null
  
  serializedQuery string | null
- savedQueryId string | null
  
  The ID of the saved query that might be used in the Query tab
- savedSearchId string | null
  
  The ID of the saved search that is used in the ES|QL tab
- sort object | null | array[object]
  
  One of:
  Security_Timeline_API_SortObject object | null array-2 array[object] | null
  
  Object indicating how rows are sorted in the Timeline's grid
  
  Hide attributes Show attributes
  
  columnId string | null
  
  columnType string | null
  
  sortDirection string | null
- sort object | null | array[object]
  
  One of:
  Security_Timeline_API_SortObject object | null array-2 array[object] | null
  
  Object indicating how rows are sorted in the Timeline's grid
  
  Hide attributes Show attributes
  
  columnId string | null
  
  columnType string | null
  
  sortDirection string | null
- status string | null
  
  The status of the Timeline.
  
  Values are active, draft, or immutable.
- templateTimelineId string | null
  
  A unique ID (UUID) for Timeline templates. For Timelines, the value is null.
- templateTimelineVersion number | null
  
  Timeline template version number. For Timelines, the value is null.
- timelineType string | null
  
  The type of Timeline.
  
  Values are default or template.
- title string | null
  
  The Timeline's title.
- updated number | null
  
  The last time the Timeline was updated, using a 13-digit Epoch timestamp
- updatedBy string | null
  
  The user who last updated the Timeline
- savedObjectId string Required
  
  The savedObjectId of the Timeline or Timeline template
- version string Required
  
  The version of the Timeline or Timeline template
- eventIdToNoteIds array[object] | null
  
  A list of all the notes that are associated to this Timeline.
  
  Hide eventIdToNoteIds attributes Show eventIdToNoteIds attributes object
  
  created number | null
  
  The time the note was created, using a 13-digit Epoch timestamp.
  
  createdBy string | null
  
  The user who created the note.
  
  updated number | null
  
  The last time the note was updated, using a 13-digit Epoch timestamp
  
  updatedBy string | null
  
  The user who last updated the note
  
  eventId string | null
  
  The _id of the associated event for this note.
  
  note string | null
  
  The text of the note
  
  timelineId string Required
  
  The savedObjectId of the Timeline that this note is associated with
  
  noteId string Required
  
  The savedObjectId of the note
  
  version string Required
  
  The version of the note
- noteIds array[string] | null
  
  A list of all the ids of notes that are associated to this Timeline.
- notes array[object] | null
  
  A list of all the notes that are associated to this Timeline.
  
  Hide notes attributes Show notes attributes object
  
  created number | null
  
  The time the note was created, using a 13-digit Epoch timestamp.
  
  createdBy string | null
  
  The user who created the note.
  
  updated number | null
  
  The last time the note was updated, using a 13-digit Epoch timestamp
  
  updatedBy string | null
  
  The user who last updated the note
  
  eventId string | null
  
  The _id of the associated event for this note.
  
  note string | null
  
  The text of the note
  
  timelineId string Required
  
  The savedObjectId of the Timeline that this note is associated with
  
  noteId string Required
  
  The savedObjectId of the note
  
  version string Required
  
  The version of the note
- pinnedEventIds array[string] | null
  
  A list of all the ids of pinned events that are associated to this Timeline.
- pinnedEventsSaveObject array[object] | null
  
  A list of all the pinned events that are associated to this Timeline.
  
  Hide pinnedEventsSaveObject attributes Show pinnedEventsSaveObject attributes object
  
  created number | null
  
  The time the pinned event was created, using a 13-digit Epoch timestamp.
  
  createdBy string | null
  
  The user who created the pinned event.
  
  updated number | null
  
  The last time the pinned event was updated, using a 13-digit Epoch timestamp
  
  updatedBy string | null
  
  The user who last updated the pinned event
  
  eventId string Required
  
  The _id of the associated event for this pinned event.
  
  timelineId string Required
  
  The savedObjectId of the timeline that this pinned event is associated with
  
  pinnedEventId string Required
  
  The savedObjectId of this pinned event
  
  version string Required
  
  The version of this pinned event

GET /api/timeline

curl \
 --request GET 'https://localhost:5601/api/timeline' \
 --header "Authorization: $API_KEY"

Import Timelines

POST /api/timeline/_import

Api key auth Basic auth

Import Timelines.

application/json

Body Required

The Timelines to import as a readable stream.

isImmutable string

Whether the Timeline should be immutable

Values are true or false.

Responses

200 application/json

Indicates the import of Timelines was successful.
Hide response attributes Show response attributes object
- errors array[object]
  
  The list of failed Timeline imports
  
  Hide errors attributes Show errors attributes object
  
  error object
  
  The error containing the reason why the timeline could not be imported
  
  Hide error attributes Show error attributes object
  
  message string
  
  The reason why the timeline could not be imported
  
  status_code number
  
  The HTTP status code of the error
  
  id string
  
  The ID of the timeline that failed to import
- success boolean
  
  Indicates whether any of the Timelines were successfully imports
- success_count number
  
  The amount of successfully imported/updated Timelines
- timelines_installed number
  
  The amount of successfully installed Timelines
- timelines_updated number
  
  The amount of successfully updated Timelines
400 application/json

Indicates the import of Timelines was unsuccessful because of an invalid file extension.
Hide response attributes Show response attributes object
- body string
  
  The error message
- statusCode number
404 application/json

Indicates that we were unable to locate the saved object client necessary to handle the import.
Hide response attributes Show response attributes object
- body string
  
  The error message
- statusCode number
409 application/json

Indicates the import of Timelines was unsuccessful.
Hide response attributes Show response attributes object
- body string
  
  The error message
- statusCode number

POST /api/timeline/_import

curl \
 --request POST 'https://localhost:5601/api/timeline/_import' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"isImmutable":"true"}'

Get a short URL Technical Preview

GET /api/short_url/{id}

Api key auth Basic auth

Get a single Kibana short URL.

Path parameters

id string Required

The identifier for the short URL.

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- accessCount integer
- accessDate string
- createDate string
- id string
  
  The identifier for the short URL.
- locator object
  
  Hide locator attributes Show locator attributes object
  
  id string
  
  The identifier for the locator.
  
  state object
  
  The locator parameters.
  
  version string
  
  The version of Kibana when the short URL was created.
- slug string
  
  A random human-readable slug is automatically generated if the humanReadableSlug parameter is set to true. If it is set to false, a random short string is generated.

GET /api/short_url/{id}

curl \
 --request GET 'https://localhost:5601/api/short_url/{id}' \
 --header "Authorization: $API_KEY"

Bulk delete SLO definitions and their associated summary and rollup data.

POST /s/{spaceId}/api/observability/slos/_bulk_delete

Api key auth Basic auth

Bulk delete SLO definitions and their associated summary and rollup data. This endpoint initiates a bulk deletion operation for SLOs, which may take some time to complete. The status of the operation can be checked using the GET /api/slo/_bulk_delete/{taskId} endpoint.

Headers

kbn-xsrf string Required

Cross-site request forgery protection

Path parameters

spaceId string Required

An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used.

application/json

Body Required

list array[string] Required

An array of SLO Definition id

Responses

200 application/json

Successful response
Hide response attribute Show response attribute object
- taskId string
  
  The taskId of the bulk delete operation
400 application/json

Bad request
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode number Required
401 application/json

Unauthorized response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode number Required
403 application/json

Unauthorized response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode number Required

POST /s/{spaceId}/api/observability/slos/_bulk_delete

curl \
 --request POST 'https://localhost:5601/s/default/api/observability/slos/_bulk_delete' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"list":["8853df00-ae2e-11ed-90af-09bb6422b258"]}'

Upsert group stream settings Technical Preview

PUT /api/streams/{name}/_group

Api key auth Basic auth

Upserts the group settings of a group stream definition

[Required authorization] Route required privileges: manage_stream.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

name string Required

application/json

Body

group object Required

Additional properties are NOT allowed.
Hide group attribute Show group attribute object
- members array[string] Required

PUT /api/streams/{name}/_group

curl \
 --request PUT 'https://localhost:5601/api/streams/{name}/_group' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"group":{"members":["string"]}}'

Get ingest stream settings Technical Preview

GET /api/streams/{name}/_ingest

Api key auth Basic auth

Fetches the ingest settings of an ingest stream definition

[Required authorization] Route required privileges: read_stream.

Path parameters

name string Required

application/json

Body

object

Additional properties are NOT allowed.

GET /api/streams/{name}/_ingest

curl \
 --request GET 'https://localhost:5601/api/streams/{name}/_ingest' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json"

Link a dashboard to a stream Technical Preview

PUT /api/streams/{name}/dashboards/{dashboardId}

Api key auth Basic auth

Links a dashboard to a stream. Noop if the dashboard is already linked to the stream.

[Required authorization] Route required privileges: manage_stream.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

name string Required
dashboardId string Required

application/json

Body

object

Additional properties are NOT allowed.

PUT /api/streams/{name}/dashboards/{dashboardId}

curl \
 --request PUT 'https://localhost:5601/api/streams/{name}/dashboards/{dashboardId}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true"

Bulk update queries Technical Preview

POST /api/streams/{name}/queries/_bulk

Api key auth Basic auth

Bulk update queries of a stream. Can add new queries and delete existing ones.

[Required authorization] Route required privileges: manage_stream.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

name string Required

application/json

Body

operations array[object] Required
Any of:
object-1 object object-2 object
Hide attribute Show attribute

index object Required

Hide index attributes Show index attributes object

id string Required

Minimum length is 1.

title string Required

Minimum length is 1.

kql object Required

Additional properties are NOT allowed.

Hide kql attribute Show kql attribute object

query string Required

Minimum length is 1.
Hide attribute Show attribute

delete object Required

Additional properties are NOT allowed.

Hide delete attribute Show delete attribute object

id string Required

POST /api/streams/{name}/queries/_bulk

curl \
 --request POST 'https://localhost:5601/api/streams/{name}/queries/_bulk' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"operations":[{"index":{"id":"string","title":"string","kql":{"query":"string"}}}]}'

Create a private location

POST /api/synthetics/private_locations

Api key auth Basic auth

You must have all privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges.

application/json

Body Required

agentPolicyId string Required

The ID of the agent policy associated with the private location.
geo object

Geographic coordinates (WGS84) for the location.
Hide geo attributes Show geo attributes object
- lat number Required
  
  The latitude of the location.
- lon number Required
  
  The longitude of the location.
label string Required

A label for the private location.
spaces array[string]

An array of space IDs where the private location is available. If it is not provided, the private location is available in all spaces.
tags array[string]

An array of tags to categorize the private location.

Responses

200 application/json

A successful response.
400

If the agentPolicyId is already used by an existing private location or if the label already exists, the API will return a 400 Bad Request response with a corresponding error message.

POST /api/synthetics/private_locations

curl \
 --request POST 'https://localhost:5601/api/synthetics/private_locations' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"label\": \"Private Location 1\",\n  \"agentPolicyId\": \"abcd1234\",\n  \"tags\": [\"private\", \"testing\"],\n  \"geo\": {\n    \"lat\": 40.7128,\n    \"lon\": -74.0060\n  }\n  \"spaces\": [\"default\"]\n}"'

Request example

Run `POST /api/private_locations` to create a private location.

{
  "label": "Private Location 1",
  "agentPolicyId": "abcd1234",
  "tags": ["private", "testing"],
  "geo": {
    "lat": 40.7128,
    "lon": -74.0060
  }
  "spaces": ["default"]
}

Response examples (200)

{
  "id": "abcd1234",
  "label": "Private Location 1",
  "agentPolicyId": "abcd1234",
  "tags": ["private", "testing"],
  "geo": {
    "lat": 40.7128,
    "lon": -74.0060
  }
}

Get the upgrade readiness status Technical Preview

GET /api/upgrade_assistant/status

Api key auth Basic auth

Check the status of your cluster.

Responses

200 application/json

Indicates a successful call.

GET /api/upgrade_assistant/status

curl \
 --request GET 'https://localhost:5601/api/upgrade_assistant/status' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "readyForUpgrade": false,
  "cluster": [
    {
      "message": "Cluster deprecated issue",
      "details":"You have 2 system indices that must be migrated and 5 Elasticsearch deprecation issues and 0 Kibana deprecation issues that must be resolved before upgrading."
    }
  ]
}

Kibana APIs 1.0.2

Body object Required

alertId string | array[string] Required

index string | array[string] Required

connector object Required

value string | null | boolean

Get cases for an alert Technical preview

Connectors Dismiss highlight

Update an existing dashboard Technical Preview

query string | object Required

query string | object Required

size_in_bytes_formatted number | string Required

value string | number Required

package_policies array[string] | array[object]

item object Required

key object | string

key object | string

key object | string

key object | string Required

Body object

inputs array[object] | object Required

vars object

hasReference object | array[object]

type string | array[string]

Update a saved object Deprecated

Body Required

Body Required

Kibana APIs
1.0.2

Connectors